Hey Johannes.

On Tue, 2022-09-06 at 15:56 +0200, Johannes Schindelin wrote:
> But libgit2 and JGit, two separate Git implementations that are in wide
> use, too, probably do not have support for this.
>
> In other words, users of libgit2 & JGit will likely be unaffected by
> setting `safe.bareRepository` and will still need to take manual
> precautions.
>
> If you are using applications based on those projects, you might be
> interested in porting support for `safe.bareRepository` to those
> projects and contribute the enhancement.

Well, I'm not really in any way experienced with git's code ... so I'm
rather just wearing a user hat.
Wouldn't it make sense if someone really experienced within git
development were to kinda follow that up for other projects, too? Sure,
it's other projects, ... but still, the vulnerability seems rather
critical and many people using git also use such things like libgit2
(potentially even without knowing).

I can however open a ticket over at libgit2, if that helps you.

Also, even with default settings, git, AFAIU, would still be vulnerable
for the majority of people (many of whom likely haven't even heard about
the issue).

> Yes, indeed, `.git` entries in Git's tree objects are forbidden.

And I blindly assume that this is not only checked and forbidden when
trying to commit, but also when cloning/fetching/etc.?!

Thanks for your answers :-)

Chris.
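The two points the message turns on, an embedded bare repository being discovered by git (and its config becoming live) and `.git` path components being rejected, can be checked against the installed git with the script below. It is an added example, not code from this thread or from git.git. The fixture it builds (a working repository `project` carrying a bare repository at `vendor/evil` with a constructed marker key `evil.marker`) is an assumption made for the demonstration; `safe.bareRepository` is passed on the command line with `-c`, which counts as protected configuration, and the `.git` check shown is the index-side `verify_path` rejection only, not a fetch-time fsck.

```shell
#!/bin/sh
# Added example, not code from this thread or from git.git. It constructs a
# throwaway fixture: a normal repository that carries a bare repository as a
# plain subdirectory (the layout the discussion is about) and shows what the
# installed git does with it under safe.bareRepository=all versus =explicit.
set -eu

# safe.bareRepository exists since git 2.38; older versions silently ignore it.
git_supports_safe_bare() {
  v=$(git --version 2>/dev/null | sed -n 's/^git version \([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
  [ -n "$v" ] || return 1
  set -- $v
  [ "$1" -gt 2 ] || { [ "$1" -eq 2 ] && [ "$2" -ge 38 ]; }
}

# Build <tmp>/project (working repo) containing <tmp>/project/vendor/evil, a
# bare repository with an attacker-chosen config (constructed). Prints <tmp>.
make_fixture() {
  tmp=$(mktemp -d)
  git init -q "$tmp/project"
  git init -q --bare "$tmp/project/vendor/evil"
  # Written with --file so no repository discovery happens while setting it.
  # A real attacker would set something git executes, such as core.fsmonitor;
  # a harmless marker key (assumed name) is enough to show whether git reads
  # this config file at all.
  git config --file "$tmp/project/vendor/evil/config" evil.marker seen
  printf '%s\n' "$tmp"
}

# What does git find when run from inside $1 with safe.bareRepository=$2?
# Prints "bare" (embedded bare repo discovered), "refused" (discovery blocked
# by safe.bareRepository), or "worktree" (an enclosing non-bare repo found).
discover() {
  out=$(git -c safe.bareRepository="$2" -C "$1" rev-parse --is-bare-repository 2>/dev/null) || { echo refused; return 0; }
  [ "$out" = true ] && echo bare || echo worktree
}

# Does the embedded repository's config become live? Prints the marker or "none".
marker_seen() {
  git -c safe.bareRepository="$2" -C "$1" config --get evil.marker 2>/dev/null || echo none
}

# The other half of the thread: a path with a ".git" component is rejected
# when an entry is added to the index (git's verify_path check).
# Returns 0 if git accepted path $2 in repository $1, non-zero if it refused.
index_accepts() {
  blob=$(git -C "$1" hash-object -w --stdin </dev/null)
  git -C "$1" update-index --add --cacheinfo "100644,$blob,$2" >/dev/null 2>&1
}

if [ "${1:-}" = demo ]; then
  t=$(make_fixture)
  for s in all explicit; do
    printf 'safe.bareRepository=%s: vendor/evil -> %s (marker: %s); project -> %s\n' \
      "$s" "$(discover "$t/project/vendor/evil" "$s")" \
      "$(marker_seen "$t/project/vendor/evil" "$s")" \
      "$(discover "$t/project" "$s")"
  done
  index_accepts "$t/project" .git/config && echo 'accepted .git/config' || echo 'rejected .git/config'
  index_accepts "$t/project" vendor/ok.txt && echo 'accepted vendor/ok.txt' || echo 'rejected vendor/ok.txt'
  rm -rf "$t"
fi
```

Run it as `sh script.sh demo`. With `all` (the default), running git from inside `vendor/evil` discovers the embedded bare repository and its config is read, which is the hazard the thread is about; with `explicit` on a git that knows the setting, the same command is refused while the enclosing `project` worktree is still found normally. The `index_accepts` check only covers what git refuses to put into its own index; whether a tree received over the wire is inspected depends on the fsck settings, which this script does not exercise.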