Re: [RFC PATCH 0/2] Allow adding .git files and directories

On Wed, 19 Aug 2020 15:16:19 -0400
"Randall S. Becker" <rsbecker@xxxxxxxxxxxxx> wrote:

> On August 19, 2020 2:48 PM, Lukas Straub wrote:
> > To: Junio C Hamano <gitster@xxxxxxxxx>
> > Cc: git <git@xxxxxxxxxxxxxxx>; Elijah Newren <newren@xxxxxxxxx>;
> > Brandon Williams <bwilliams.eng@xxxxxxxxx>; Johannes Schindelin
> > <Johannes.Schindelin@xxxxxx>; Jeff King <peff@xxxxxxxx>
> > Subject: Re: [RFC PATCH 0/2] Allow adding .git files and directories
> > 
> > On Wed, 19 Aug 2020 11:03:30 -0700
> > Junio C Hamano <gitster@xxxxxxxxx> wrote:
> >   
> > > Lukas Straub <lukasstraub2@xxxxxx> writes:
> > >  
> > > > These patches allow this and work well in a quick test. Of course
> > > > some tests fail because with this the handling of nested git repos
> > > > changed.
> > >
> > > In other words, this breaks the workflow existing users rely on,
> > > right?  I do not know if such a behaviour ever needs to exist even as
> > > an opt-in feature, but it definitely feels wrong to make the behaviour
> > > these patches introduce the default.  
> > 
> > Well, the current behavior is that nested repos (that are not submodules)
> > are completely ignored and none of the files within can be added. So the old
> > behavior can be restored with .gitignore. The same goes for files/dirs
> > named .git.
> > 
> > Of course I don't know what the current policy for behavioral changes in
> > git is, but I see that there have been such changes in the past.
> 
> I honestly am concerned about a repeat of things like
> https://nvd.nist.gov/vuln/detail/CVE-2019-19604 (the submodule update
> problem). This change in behaviour is of serious concern from a risk
> standpoint. To be blunt, I don't think users on my platform will move to a
> version of git that supports this by default.

As discussed I will make it opt-in via git-config. I hope this resolves your concerns.

Regards,
Lukas Straub

> Sincerely,
> Randall
>
> -- Brief whoami:
>  NonStop developer since approximately 211288444200000000
>  UNIX developer since approximately 421664400
> -- In my real life, I talk too much.
> 
> 
> 
