Junio C Hamano <gitster@xxxxxxxxx> writes:

> "Glen Choo via GitGitGadget" <gitgitgadget@xxxxxxxxx> writes:
>
>> * die()-ing is necessary if we're trying to flip the default value of
>> discovery.bare. We'd expect many bare repo users to be broken, and it's
>> more helpful to fail loudly than to silently ignore the bare repo.
>>
>> But in the long term, long after we've flipped the default and users know
>> that they need to opt into bare repo discovery, would it be a better UX
>> to just silently ignore the bare repo?
>
> Would a middle-ground of giving a warning() message help? Can it be
> loud and annoying enough to nudge the users to adjust without
> breaking the functionality?

Personally, when my tool changes its behavior, I would strongly prefer
it to die than to "change behavior + warn". I'd feel more comfortable
knowing that the tool did nothing as opposed to doing the wrong thing
and only being informed after the fact. Also, I sometimes ignore
warnings ;)

When we _do_ transition away from die(), ignore + warning() sounds like
a good first step.

But if any of this flies in the face of the project's conventions, let
me know as such.

>> + Add a config variable, `discovery.bare`, that tells Git whether or not
>> + it should work with the bare repository it has discovered i.e. Git will
>> + die() if it discovers a bare repository, but it is not allowed by
>
> Missing comma before "i.e."

Thanks.

>> +++
>> ++The currently supported values are `always` (Git always recognizes bare
>> ++repositories) and `never` (Git never recognizes bare repositories).
>> ++This defaults to `always`, but this default is likely to change.
>> +++
>> ++If your workflow does not rely on bare repositories, it is recommended that
>> ++you set this value to `never`. This makes repository discovery easier to
>> ++reason about and prevents certain types of security and non-security
>> ++problems, such as:
>
> Hopefully "git fetch" over ssh:// and file:/// would run the other
> side with GIT_DIR explicitly set?

Ah, I'll check this and get back to you.

> I do not yet
> find these "problems, such as..." so convincing.

What would be a convincing rationale to you? I'll capture that here.

I'm assuming that you already have such a rationale in mind when you
say that the longer-term default is that "we respect bare repositories
only if they are the cwd.". I'm also assuming that this rationale is
something other than embedded bare repos, because "cwd-only" does not
protect against that.

Perhaps "never" sounds better to folks who don't ever expect bare
repositories and want to lock down the environment. Randall (cc-ed)
suggests one such use case in [1].

(To Randall: Oops, I actually meant to cc you earlier, since you were
the first to suggest a practical use case for never allowing bare repos.
It must've slipped my mind).

[1] https://lore.kernel.org/git/005d01d84ad0$782e8fc0$688baf40$@nexbridge.com.
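
Review bot: In the quoted `discovery.bare` documentation lines, `never` is described only as "Git never recognizes bare repositories", while the commit message text quoted from the same patch says Git will die() when it discovers a bare repository that is not allowed. The documentation should state that failure mode as well, so that someone setting `never` knows a command run inside a bare repository fails loudly instead of the repository being silently ignored. The sentence "This defaults to `always`, but this default is likely to change" also leaves the reader without the intended future default; naming it, or pointing to where it will be decided, would let users plan for the change.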