On Thu, May 12, 2022 at 6:20 PM Junio C Hamano <gitster@xxxxxxxxx> wrote: > > Heh. I am a bit surprised that double sudo would become a separate > prerequisite, It is because it goes away in the optional patch 4, since it won't be needed anymore after that. Also, it shared the same test with the other 2 workarounds which moved into their own (one as you suggested is more of a statement of policy that says, git trusts the developer and doesn't check if --git-dir or --worktree (or equivalent means to explicitly identify those parts of your repository) are used. and the other, was always "special" since it was documented as an indicator of what to do which could be considered a least privilege marker as well. without the optional patch that brings it back, root MUST indicate through its use of that (or other "workarounds") that he really meant to access a directory owned by root, and will instead defalt (when appropriate) to use the id of the user that invoked sudo, which has (normally) less privilege. > of a new part of SUDO prerequisite. After all > we expect from SUDO prerequisite quite a lot (e.g. most sane > installatios facing end-users will futz with $PATH, but we require > not to do so to satisfy the SUDO prereq) and it is already very > narrowly targetted to a throw-away CI environment whose sudo > basically lets us do anything. just because I didn't want this to become a bigger change that it was already indeed I'd been "cutting" it since the very beginning, by first dropping DOAS support and then avoiding moving things around so it could be easy to backport. I think I can provide a version of it that might be able to work with less restrictions that it currently has, but that would get us into the "test framework integration" that was specifically punted as well. Carlo
