From: Junio C Hamano <gitster@pobox.com>
To: "brian m. carlson" <sandals@crustytoothpaste.net>
Cc: "W. Michael Petullo" <mike@flyn.org>, Jeff King <peff@peff.net>,
git@vger.kernel.org
Subject: Re: Git clone reads safe.directory differently?
Date: Tue, 30 Jul 2024 15:49:37 -0700 [thread overview]
Message-ID: <xmqqv80m8pha.fsf@gitster.g> (raw)
In-Reply-To: <Zqlo-i8uCb1Yr4Jm@tapette.crustytoothpaste.net> (brian m. carlson's message of "Tue, 30 Jul 2024 22:28:10 +0000")
"brian m. carlson" <sandals@crustytoothpaste.net> writes:
> I think if we're using --no-local (that is, if we're using upload-pack
> instead of creating symlinks), then we should not complain about the
> repository ownership. It's supposed to always be safe to clone or fetch
> from an untrusted repository, and we shouldn't complain about that.
The safety is promised by "git fetch" when you fetch from some other
machine because the only thing you will be seeing from that
untrusted source is a bytestream that is the packfile, plus the tips
of their histories---nothing runs as yourself in this exchange other
than what you control, i.e. "git fetch", locally defined hooks and
filters defined by your configuration.. They cannot affect your
configuration file and hooks that may name extra programs that may
run as you while fetching or cloning.
When you are using "--no-local" on the same machine, I do not think
there is any guarantee that "upload-pack" side is safe. And that is
where the safe.directory thing needs to kick in.
Stepping into an untrusted repository and running git operations
opens up the user the Git process runs as to attacks by the
untrusted repository, i.e. you may invoke hooks on the upload-pack
side, defined in the source repository that is controlled by others,
and that is where the safe.directory thing kicks in. You need to
declare that you trust that source repository.
next prev parent reply other threads:[~2024-07-30 22:49 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-07-27 16:14 Git clone reads safe.directory differently? W. Michael Petullo
2024-07-27 21:58 ` Jeff King
2024-07-28 15:27 ` W. Michael Petullo
2024-07-28 22:48 ` Jeff King
2024-07-30 11:37 ` W. Michael Petullo
2024-07-30 22:28 ` brian m. carlson
2024-07-30 22:49 ` Junio C Hamano [this message]
2024-07-30 22:55 ` Junio C Hamano
2024-07-30 23:05 ` brian m. carlson
2024-07-31 7:28 ` Jeff King
2024-07-31 16:23 ` Junio C Hamano
2024-07-31 22:08 ` Junio C Hamano
2024-08-01 6:14 ` Jeff King
2024-08-01 14:59 ` Junio C Hamano
2024-08-01 21:26 ` brian m. carlson
2024-08-01 21:52 ` Junio C Hamano
2024-08-05 9:47 ` Jeff King
2024-08-05 15:34 ` W. Michael Petullo
2024-08-05 15:49 ` Junio C Hamano
2024-08-01 6:08 ` Jeff King
2024-07-31 7:19 ` Jeff King
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=xmqqv80m8pha.fsf@gitster.g \
--to=gitster@pobox.com \
--cc=git@vger.kernel.org \
--cc=mike@flyn.org \
--cc=peff@peff.net \
--cc=sandals@crustytoothpaste.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).