Re: [RFC PATCH] fetch: stop emitting duplicate transfer.credentialsInUrl=warn warnings

On Wed, Nov 02 2022, Jeff King wrote:

> On Tue, Nov 01, 2022 at 10:57:46PM +0100, Ævar Arnfjörð Bjarmason wrote:
>
>> >> Sure, we can do it with an environment variable, in the end that's all
>> >> git_config_push_parameter() is doing too. It's just setting things in
>> >> "GIT_CONFIG_PARAMETERS".
>> >>
>> >> And yes, we can set this in the low-level function instead of with
>> >> git_config_push_parameter() in builtin/*.c as I did. I was aiming for
>> >> something demonstrably narrow, at the cost of some verbosity.
>> >>
>> >> But I don't get how other things being equal you think sticking this in
>> >> "GIT_CHECKED_CREDENTIALS_IN_URL" instead of "GIT_CONFIG_PARAMETERS"
>> >> helps.
>> >
>> > I vaguely prefer calling this GIT_CHECKED_CREDENTIALS_IN_URL instead of
>> > stuffing it in the configuration.[...]
>> 
>> To be clear, I'm asking if there's cases where we think one method or
>> the other produces different results, which I understood Jeff hinting
>> at.
>
> What I was hinting before was not that I knew of a particular bug in
> your patch, but that I think the technique of munging
> GIT_CONFIG_PARAMETERS is fragile and error-prone in the general case,
> because the sub-programs can't differentiate between the config the user
> asked for, and what was set by the suppression mechanism.
>
> For this variable, there's no need to differentiate between "the user
> asked us to be quiet" and "the calling program asked us to be quiet",
> but I could imagine cases where there are subtle distinctions. Imagine
> if there was a setting for "warn and rewrite the URL". We'd need to
> change that to "don't warn, but just rewrite the URL", which otherwise
> is a mode that doesn't need to exist.
>
> Keeping it in a separate variable keeps the concerns orthogonal. The
> code still gets to see what the user actually wants (via the config),
> but has extra information from the calling process about how noisy/quiet
> to be.

... (replied below) ...

> But you mentioned submodules in your other mail. And you're right that
> the patch I showed doesn't handle that (it would need to add the new
> variable to local_repo_env). It seems like yours should work because
> CONFIG_DATA_ENVIRONMENT is part of local_repo_env. But I don't think it
> actually does; in prepare_other_repo_env(), we retain the variables for
> config in the environment, so that:
>
>   git -c foo.bar=whatever fetch
>
> will override variables in both the superproject and in submodules.

Replying to your main point below, just an aside on this:

To be clear I'm not saying it would handle it sensibly now, but just
that if we're using env vars to communicate to sub-processes then using
CONFIG_DATA_ENVIRONMENT seems better to me.

Because even if we're getting it wrong now, then surely that's something
we're probably getting wrong in more than one place.

So e.g. if we set an env var "for ourselves", i.e. "pull->fetch" then we
could detect that condition in run_command(), and if we then spot that
we're carrying an env variable we set earlier up the chain reset it
before we spawn a submodule.

Whereas if it's all custom env variables here & there we'll need to add
all that special-casing in.

> I didn't try it, but I suspect with your patch that a superproject with
> "warn" and a submodule with "die" (both in their on-disk config files)
> would misbehave. The superproject process will warn and say "yes, I've
> checked everything" by munging the in-environment config to "allow".
> Then the submodule process will see that config, and will override the
> on-disk setting (in the usual last-one-wins config way). I.e., the
> problem is that it cannot tell the difference between "the user asked to
> override this" and the suppression mechanism.

Yes, definitely, and now I see what you're saying. I.e. imagine a chain
like this (not actual process chains, but let's go with the example):

	user config = warn
	run: pull
	our config = allow
		# OK: doesn't "warn" now
		run: fetch
			# Not warning, but ....
			run: pre-fetch hook
				# BAD: ...oh oh, now a hook is fetching some
				# entirely unrelated repo
				run: git pull
			# OK: Doesn't warn either
			run: remote-curl (now not warning, otherwise would)
			# BAD: our "warned already" has infected a
			# submodule, and we downgrade "die" to "allow"
			user config = die
			run: git fetch <submodule>
				...

But, and maybe I'm still not getting it, but the "use a different env
var" isn't actually the important part, i.e. these would behave the
same after the initial "warn":

	-c transfer.credentialsInUrlWarnedAlready=true

And:

	GIT_CHECKED_AND_WARNED_ALREADY=1

But not what I was suggesting:

	# conflated with a later "die"
	-c transfer.credentialsInUrl=allow

But that only goes for e.g. a "pull" where we "warn" followed by a
submodule whose config is "die".

But all suggested variants of this (mine and yours) are going to get
e.g. the case where the submodule also wants "warn". I.e. it's not
enough that we're saying "warned already".

That gets us past conflating an existing "warn" with a "die", but now we
can't tell a submodule "warn" from a superproject "warn".

For that we'd basically need to do:

	-c transfer.$(<make path to .git, or other "unique repo id">).credentialsInUrl=allow

Or another similar mechanism; of course the most sane one would be to not
be playing this game at all, but to just ferry this state e.g. with
"--do-not-warn-about-this-repo" to our own children, which we'd not add
to the command-lines when we know we're spawning a hook, or doing the
submodule "pull/fetch".

Does that all seem right?
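
A small model of the process chain discussed in this message, added here as an illustration (it is not code from the thread or from git). It compares overriding the in-environment config with "allow", a separate "warned already" flag, and a flag scoped to one repository. The strategy names, the repo ids "super" and "sub", and the rule that the flag suppresses only "warn" are assumptions of the model.

```python
# Model only, not git's code. Each "process" resolves transfer.credentialsInUrl
# as its on-disk config overridden by inherited environment config (last one wins).
CHAIN = [  # (process, repo) in spawn order; constructed example
    ("pull", "super"), ("fetch", "super"), ("remote-curl", "super"),
    ("fetch", "sub"),
]

def run_chain(strategy, on_disk):
    """Return [(process, repo, outcome)] for one suppression strategy.

    strategy: "none" | "config-allow" | "flag" | "repo-flag"  (hypothetical names)
    on_disk:  {repo: "allow" | "warn" | "die"}
    """
    env = {}  # state inherited by every later process in the chain
    events = []
    for proc, repo in CHAIN:
        setting = env.get("config", on_disk[repo])  # env config beats on-disk
        warned = env.get("warned")                  # True, a repo id, or None
        suppressed = warned is True or warned == repo
        if setting == "die":
            outcome = "die"
        elif setting == "warn" and not suppressed:
            outcome = "warn"
            if strategy == "config-allow":
                env["config"] = "allow"   # munged GIT_CONFIG_PARAMETERS
            elif strategy == "flag":
                env["warned"] = True      # separate variable, not config
            elif strategy == "repo-flag":
                env["warned"] = repo      # flag scoped to one repository
        else:
            outcome = "quiet"
        events.append((proc, repo, outcome))
    return events

def outcomes(strategy, sub_setting):
    """Outcomes along CHAIN with superproject=warn and the given submodule setting."""
    on_disk = {"super": "warn", "sub": sub_setting}
    return [o for _, _, o in run_chain(strategy, on_disk)]

if __name__ == "__main__":
    for strategy in ("none", "config-allow", "flag", "repo-flag"):
        for sub in ("warn", "die"):
            print(f"{strategy:13} sub={sub:4} -> {outcomes(strategy, sub)}")
```

In the model, "config-allow" with a submodule set to "die" ends in "quiet" for the submodule fetch, while the separate flag keeps the "die"; only the repo-scoped flag lets a submodule "warn" fire once more.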






