On Wed, Sep 29, 2021 at 11:43:39AM -0700, Neeraj Singh wrote: > It seems to me that one problem is that the new "primary" objdir code doesn't > disable ref updates since the GIT_QUARANTINE_ENVIRONMENT setting isn't set. > If we fix that we should be forbidding ref updates. > > I've included a path that fixes my test case. This is on top of: > https://lore.kernel.org/git/CANQDOddqwVtWfC4eEP3fJB4sUiszGX8bLqoEVLcMf=v+jzx19g@xxxxxxxxxxxxxx/ Ah, right, I forgot we had that "forbid ref updates in quarantine" magic (despite being the one who added it). I do think this improves the safety, but things are still a bit more dangerous because we're handling it all in a single process, which sees both the quarantine and non-quarantine states. I wrote more details in this reply a few minutes ago: https://lore.kernel.org/git/YVVmssXlaFM6yD5W@xxxxxxxxxxxxxxxxxxxxxxx/ (sorry, it's long; search for the paragraph starting with "Whereas doing it in-process"). > When creating a subprocess with a temporary ODB, we set the > GIT_QUARANTINE_ENVIRONMENT env var to tell child Git processes not > to update refs, since the tmp-objdir may go away. > > Introduce a similar mechanism for in-process temporary ODBs when > we call tmp_objdir_replace_primary_odb. > > Peff's test case was invoking ref updates via the cachetextconv > setting. That particular code silently does nothing when a ref > update is forbidden Oh good. I was worried that it would generate ugly errors, rather than silently skipping the update. > @@ -2126,7 +2146,7 @@ int ref_transaction_prepare(struct ref_transaction *transaction, > break; > } > > - if (getenv(GIT_QUARANTINE_ENVIRONMENT)) { > + if (getenv(GIT_QUARANTINE_ENVIRONMENT) || !ref_updates_are_enabled()) { > strbuf_addstr(err, > _("ref updates forbidden inside quarantine environment")); > return -1; I think the overall goal of this patch makes sense, but this conditional, along with tmp-objdir reaching out to the refs code, feels funny. Should we perhaps have a single: int tmp_objdir_is_primary(struct repository *r) { if (the_tmp_objdir && !strcmp(the_tmp_objdir->path.buf, r->objects->odb->path)) return 1; /* our temporary is the primary */ if (getenv(GIT_QUARANTINE_PATH)) return 1; /* our caller put us in quarantine */ return 0; } Then it's all nicely abstracted and the ref code does not have to know the details of GIT_QUARANTINE_PATH in the first place. If you do got that route, the strcmp() might need to be a little more careful about whether r->objects can be NULL (I didn't check). Alternatively, I kind of wonder if "struct object_directory" should just have a flag that says "is_temporary". -Peff
