Re: git archive setting user and group

On 2021-01-22 at 21:39:54, Konstantin Ryabitsev wrote:
> On Fri, Jan 22, 2021 at 10:00:04PM +0100, René Scharfe wrote:
> > Adding support for using a custom user and group should be easy.  Is
> > this just a cosmetic thing?  Regular users would ignore the user info in
> > the archive, and root should not be used for extracting, and on systems
> > that don't have a logwatch user this wouldn't make a difference anyway,
> > right?
> 
> Right now, "git archive" operations are bit-for-bit identical across all
> versions going back at least 8+ years. In fact, we've been relying on this to
> support bundling tarball signatures with git tags themselves (via git notes).
> E.g. you can see this in action here:
> https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tag/?h=v5.10.9
> 
> If you click on "(sig)", you will download a signature that can be used to
> verify the tarball generated using "git archive".

Please do not rely on this behavior.  I want to state in the strongest
possible terms that this is not guaranteed behavior and it may change at
any time.  We have explicitly said so on the list multiple times.  If
you need reproducible archives, you need to add a tool to canonicalize
them in a suitable format and not rely on Git to never change things.

If you are relying on this behavior right now, I urge you to change that
at your earliest possible convenience.  I don't want to break
kernel.org's infrastructure again, but I'm also not going to tiptoe
around sending patches in fear of that, nor feel bad if it happens again
for this reason.

> I would argue that adding user/group support to "git archive" operation is
> not really solving any problems other than "it's different from when I run it
> as a regular user" -- and can introduce potential compatibility problems if
> implemented.

I agree that this feature isn't really something we want.  Git produces
tar archives for software interchange, in which case producing an
intentionally anonymous tarball is the desired behavior.
-- 
brian m. carlson (he/him or they/them)
Houston, Texas, US
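
One way to do the canonicalization recommended in the message above, using Python's standard `tarfile` module (an added example, not code from the original e-mail or from Git). The function names, the fixed mtime of 0, the 0644/0755 mode normalization and the sample archives are assumptions chosen for illustration.

```python
import hashlib
import io
import tarfile

def canonicalize_tar(data: bytes, mtime: int = 0) -> bytes:
    """Rewrite a tar (optionally compressed) so that only paths, file types,
    the executable bit and contents influence the output bytes."""
    out = io.BytesIO()
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as src, \
            tarfile.open(fileobj=out, mode="w", format=tarfile.PAX_FORMAT) as dst:
        # Fixed entry order: archive order must not affect the digest.
        for m in sorted(src.getmembers(), key=lambda m: m.name):
            if not (m.isfile() or m.isdir() or m.issym()):
                raise ValueError(f"unsupported member type: {m.name}")
            info = tarfile.TarInfo(m.name)
            info.type, info.linkname = m.type, m.linkname
            info.size = m.size if m.isfile() else 0
            # Keep only the executable bit, which is all Git tracks for files.
            info.mode = 0o755 if m.isdir() or m.mode & 0o100 else 0o644
            info.mtime = mtime
            info.uid = info.gid = 0          # drop numeric owner
            info.uname = info.gname = ""     # drop user and group names
            dst.addfile(info, src.extractfile(m) if m.isfile() else None)
    return out.getvalue()

def canonical_digest(data: bytes) -> str:
    """SHA-256 of the canonical form: the value to sign and to verify."""
    return hashlib.sha256(canonicalize_tar(data)).hexdigest()

def build_sample(owner: str, uid: int, mtime: int, reverse: bool) -> bytes:
    """Constructed sample: one tree archived with varying metadata and order."""
    files = [("proj/README", b"hello\n", 0o664), ("proj/run.sh", b"#!/bin/sh\n", 0o775)]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for name, body, mode in (reversed(files) if reverse else files):
            info = tarfile.TarInfo(name)
            info.size, info.mode, info.mtime = len(body), mode, mtime
            info.uid = info.gid = uid
            info.uname = info.gname = owner
            tar.addfile(info, io.BytesIO(body))
    return buf.getvalue()

if __name__ == "__main__":
    a = build_sample("root", 0, 1611351594, reverse=False)
    b = build_sample("logwatch", 998, 1700000000, reverse=True)
    print("raw equal:", a == b, "canonical equal:", canonical_digest(a) == canonical_digest(b))
```

A signature made over `canonical_digest()` stays valid when the archiver changes owner fields, timestamps or entry order, because none of those reach the hashed bytes.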
