Re: status on security of embedded repos?

Hi Christoph!

I'm the original author of safe.bareRepository. I didn't chime in
earlier because I didn't have anything to add on top of Johannes'
excellent answers :)

Christoph Anton Mitterer <calestyo@xxxxxxxxxxxx> writes:

> Hey Johannes.
>
>
> On Tue, 2022-09-06 at 15:56 +0200, Johannes Schindelin wrote:
>> But libgit2 and JGit, two separate Git implementations that are in
>> wide use, too, probably do not have support for this.
>> 
>> In other words, users of libgit2 & JGit will likely be unaffected by
>> setting `safe.bareRepository` and will still need to take manual
>> precautions.
>
>
>> If you are using applications based on those projects, you might be
>> interested in porting support for `safe.bareRepository` to those
>> projects and contribute the enhancement.
>
> Well I'm not really in any way experienced with git's code ... so I'm
> rather just wearing a user hat.
>
> Wouldn't it make sense for someone really experienced within git
> development to kinda follow that up for other projects, too?
> Sure, it's other projects,... but still, the vulnerability seems rather
> critical and many people using git also use such things like libgit2
> (potentially even without knowing).

In a world where we had someone who headed all of the Git ecosystem
making these decisions, that sounds like a great outcome. Unfortunately,
I don't think such a person exists.

Perhaps this sort of "really experienced person working with other
projects" has happened before (I'm relatively new to the project), but
it sounds very very difficult to do in practice. For example, you'd have
to answer questions like how do we know which projects to engage with?
e.g. we'd probably need JGit and libgit2, but what about smaller
implementations like gitoxide, editor plugins, and the long tail of
other projects in the space? The technical fixes probably aren't hard,
but communication and collaboration with so many projects sounds really
difficult.

> I can however open a ticket over at libgit2, if that helps you.

It would help all users :)

> Also, even with default settings, git, AFAIU, would still be vulnerable
> for the majority of people (many of whom likely haven't even heard
> about the issue).

Yes. We've talked earlier about finding a safer default for
safe.bareRepository; but it hasn't been highly prioritized. Feedback
like yours is very valuable because it gives us a sense of how important
this is and can definitely have an impact on prioritization.

>> 
>> Yes, indeed, `.git` entries in Git's tree objects are forbidden.
>
> And I blindly assume that this is not only checked and forbidden when
> trying to commit, but also when cloning/fetching/etc.?!

Yes, the checks are quite extensive :) `.git` isn't allowed in the
index, so you cannot check out a `.git` anywhere.

>
>
> Thanks for your answers :-)
> Chris.
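The thread above discusses bare repositories embedded inside a checkout and the `safe.bareRepository` setting that stops Git from using them implicitly. As an added example (not part of this thread and not Git's own code), the following script is a defender-side scan that walks a working tree and reports directories laid out like a bare repository, so a checkout can be inspected before any tooling runs inside it. The layout heuristic (HEAD beside objects/ and refs/), the helper names, and the sample tree it builds in a temporary directory are all constructed for this example.

```python
"""Scan a checkout for directories laid out like bare Git repositories.

Added example: a read-only audit of a working tree, not Git's own logic.
"""
import os
import tempfile
from pathlib import Path

# Entries every bare repository carries at its top level (assumed heuristic).
BARE_MARKERS = ("HEAD", "objects", "refs")


def looks_like_bare_repo(path: Path) -> bool:
    """Layout check: HEAD plus objects/ and refs/ side by side, with HEAD
    holding either a symbolic ref ("ref: ...") or a raw hex object id."""
    if not path.is_dir():
        return False
    if not all((path / marker).exists() for marker in BARE_MARKERS):
        return False
    try:
        head = (path / "HEAD").read_text(errors="replace").strip()
    except OSError:
        return False
    is_hex_id = len(head) >= 40 and all(c in "0123456789abcdef" for c in head)
    return head.startswith("ref: ") or is_hex_id


def find_embedded_bare_repos(root: Path) -> list[str]:
    """Return root-relative paths of every directory that looks like a bare
    repository, skipping the checkout's own .git directory."""
    hits = []
    for dirpath, dirnames, _files in os.walk(root):
        # The working tree's own .git is expected: neither report nor descend.
        dirnames[:] = [d for d in dirnames if d != ".git"]
        for name in list(dirnames):
            candidate = Path(dirpath) / name
            if looks_like_bare_repo(candidate):
                hits.append(candidate.relative_to(root).as_posix())
                dirnames.remove(name)  # nothing below a hit needs scanning
    return sorted(hits)


def build_sample_checkout() -> Path:
    """Constructed sample tree (not a real clone): a working tree with its own
    .git, a vendored directory shaped like a bare repo, and a decoy
    docs/objects directory that must not be reported."""
    root = Path(tempfile.mkdtemp(prefix="embedded-repo-scan-"))
    (root / ".git").mkdir()
    (root / ".git" / "HEAD").write_text("ref: refs/heads/main\n")
    (root / "README").write_text("sample project\n")
    bare = root / "vendor" / "lib.git"
    for sub in ("objects", "refs"):
        (bare / sub).mkdir(parents=True)
    (bare / "HEAD").write_text("ref: refs/heads/main\n")
    (bare / "config").write_text("[core]\n\tbare = true\n")
    decoy = root / "docs" / "objects"
    decoy.mkdir(parents=True)
    (decoy / "HEAD").write_text("not a git ref\n")  # lacks objects/ and refs/
    return root


if __name__ == "__main__":
    sample = build_sample_checkout()
    for hit in find_embedded_bare_repos(sample):
        print(f"bare repository layout found at: {hit}")
```

Run against the sample tree it reports only `vendor/lib.git`; the decoy under `docs/` fails the layout check. A scan like this complements, rather than replaces, setting `safe.bareRepository` to `explicit`, which makes Git consider bare repositories only when they are named via `--git-dir` or `GIT_DIR`; the scan is useful precisely for the other Git implementations the thread mentions, which do not honour that setting.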
