Re: Bare repositories in the working tree are a security risk

Hi all,

I'm the author of one of the articles linked in Glen's mail. Thank you
Glen for summarising the problem beautifully and pushing this forward.

Brian said:
> As mentioned elsewhere, git status doesn't work without a working tree.

This is correct. However, it is possible to embed a bare repo that has
its own core.worktree which points to a directory within the
containing repo, satisfying the requirement of having a working tree.
This is covered in the article [1] and looks to be accounted for in
Taylor's reproducer script, which admittedly I haven't run.

> Instead, I'd rather see us avoid executing any program from the config
> or any hooks in a bare repository without a working tree (except for
> pushes).  I think that would avoid breaking things while still improving
> security.

Due to the fact that the embedded bare repo can be made to have a
working tree, this won't be an effective fix.

I'm not dismissing your examples of uses of Git which would break
under Glen's suggestions. Thank you for describing these.

[1] https://github.com/justinsteven/advisories/blob/main/2022_git_buried_bare_repos_and_fsmonitor_various_abuses.md#poc---regular-vs-bare-repos-and-adding-a-corefsmonitor-payload-to-a-bare-repo

--
Justin
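
The technique Justin describes above (a bare repository buried in a checkout's working tree, carrying its own core.worktree that points back inside the containing repository, plus a config key such as core.fsmonitor that makes git run a program) is something a practitioner will want to detect in repositories they pull. The scanner below is an added example, not code from the thread or from Justin's advisory, and it is detection only: it walks a checkout, reports every bare repository found outside the top-level .git, resolves core.worktree the way git does (relative to the git directory) to see whether it lands inside the checkout, and lists any program-executing config keys and executable hooks. The list of exec-style config keys beyond core.fsmonitor is an assumption drawn from git-config(1), not from the thread, and the directory layout built by run_demo() is constructed for illustration.

```python
"""Added example: find bare repositories buried inside a checkout's working tree.

Detection only. Nothing here executes a hook or a config value; the scanner
reports what an embedded bare repo declares so a reviewer can decide.
"""
from __future__ import annotations

import os
import re
import stat
import tempfile
from dataclasses import dataclass, field

# Config keys git treats as a program to run. core.fsmonitor is the one
# named in the thread; the others are assumed additions from git-config(1),
# not an exhaustive list.
EXEC_CONFIG_KEYS = {
    "core.fsmonitor", "core.hookspath", "core.sshcommand",
    "core.pager", "core.editor", "diff.external",
}


@dataclass
class Finding:
    path: str                        # absolute path of the embedded bare repo
    worktree: str | None             # resolved core.worktree, if set
    worktree_inside_root: bool       # does that worktree lie inside the checkout?
    exec_config: dict[str, str] = field(default_factory=dict)
    hooks: list[str] = field(default_factory=list)


def parse_git_config(text: str) -> dict[str, str]:
    """Minimal git-config parser: {'section[.subsection].key': value}.
    Enough for the keys checked here; it does not cover every quoting rule."""
    cfg: dict[str, str] = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r'\[([^\s"\]]+)(?:\s+"([^"]*)")?\]', line)
        if m:
            section = m.group(1).lower()
            if m.group(2) is not None:
                section += "." + m.group(2)
            continue
        if section is None or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        cfg[f"{section}.{key.lower()}"] = value.strip('"')
    return cfg


def is_bare_repo_dir(path: str) -> bool:
    """A git directory not named .git: HEAD + config + objects/ in one place."""
    return (os.path.basename(path) != ".git"
            and os.path.isfile(os.path.join(path, "HEAD"))
            and os.path.isfile(os.path.join(path, "config"))
            and os.path.isdir(os.path.join(path, "objects")))


def inspect_bare_repo(root: str, gitdir: str) -> Finding:
    with open(os.path.join(gitdir, "config"), encoding="utf-8", errors="replace") as fh:
        cfg = parse_git_config(fh.read())
    worktree = cfg.get("core.worktree")
    inside = False
    if worktree is not None:
        # core.worktree is relative to the git directory, which is how git resolves it
        worktree = os.path.normpath(os.path.join(gitdir, worktree))
        inside = os.path.commonpath([root, worktree]) == root
    hooks: list[str] = []
    hooks_dir = os.path.join(gitdir, "hooks")
    if os.path.isdir(hooks_dir):
        for name in sorted(os.listdir(hooks_dir)):
            p = os.path.join(hooks_dir, name)
            if (os.path.isfile(p) and os.stat(p).st_mode & stat.S_IXUSR
                    and not name.endswith(".sample")):
                hooks.append(name)
    return Finding(gitdir, worktree, inside,
                   {k: v for k, v in cfg.items() if k in EXEC_CONFIG_KEYS}, hooks)


def scan(root: str) -> list[Finding]:
    """Walk a checkout and report every bare repository buried in its working tree."""
    root = os.path.realpath(root)
    findings: list[Finding] = []
    for dirpath, dirnames, _ in os.walk(root):
        if dirpath != root and is_bare_repo_dir(dirpath):
            findings.append(inspect_bare_repo(root, dirpath))
            dirnames[:] = []          # no need to descend into its objects/refs
            continue
        dirnames[:] = [d for d in dirnames if d != ".git"]   # the checkout's own git dir
    return findings


def _write(path: str, text: str, executable: bool = False) -> None:
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(text)
    if executable:
        os.chmod(path, 0o755)


def run_demo() -> dict[str, Finding]:
    """Constructed layout (not a real repository): a checkout with two buried
    bare repos. Returns the findings keyed by directory name."""
    root = tempfile.mkdtemp(prefix="buried-bare-")
    # The checkout's own git directory is skipped, not reported.
    _write(os.path.join(root, ".git", "HEAD"), "ref: refs/heads/main\n")
    _write(os.path.join(root, ".git", "config"), "[core]\n\trepositoryformatversion = 0\n")
    os.makedirs(os.path.join(root, ".git", "objects"))
    # vendor/embedded: core.worktree = .. resolves to <root>/vendor, inside the
    # checkout, and core.fsmonitor names a program (placeholder path, never run).
    emb = os.path.join(root, "vendor", "embedded")
    _write(os.path.join(emb, "HEAD"), "ref: refs/heads/main\n")
    _write(os.path.join(emb, "config"),
           "[core]\n\tbare = true\n\tworktree = ..\n\tfsmonitor = ./payload.sh\n")
    os.makedirs(os.path.join(emb, "objects"))
    _write(os.path.join(emb, "hooks", "post-checkout"), "#!/bin/sh\n", executable=True)
    # vendor/plain: a bare repo with no working tree and nothing executable.
    plain = os.path.join(root, "vendor", "plain")
    _write(os.path.join(plain, "HEAD"), "ref: refs/heads/main\n")
    _write(os.path.join(plain, "config"), "[core]\n\tbare = true\n")
    os.makedirs(os.path.join(plain, "objects"))
    return {os.path.basename(f.path): f for f in scan(root)}


if __name__ == "__main__":
    for name, f in run_demo().items():
        print(name, f.worktree, f.worktree_inside_root, f.exec_config, f.hooks)
```

Running the demo reports vendor/embedded with a worktree inside the checkout, core.fsmonitor set and an executable post-checkout hook, while vendor/plain is reported as a bare repo with no worktree and nothing executable. Point scan() at a freshly cloned checkout before running any git command inside it; a buried bare repo that declares both a worktree inside the checkout and an exec-style key is exactly the shape of the problem the thread is about.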
