On 2024-07-30 at 11:37:47, W. Michael Petullo wrote: > Perhaps a compromise would be to tie safe.directory to the type > of source directory given to clone. Would a remote URL be enough to > turn off the safe.directory checks on a clone, similar to the effect of > a remote URL on --local/--no-local? I think if we're using --no-local (that is, if we're using upload-pack instead of creating symlinks), then we should not complain about the repository ownership. It's supposed to always be safe to clone or fetch from an untrusted repository, and we shouldn't complain about that. Both of these commands should work correctly and do not, and that's a bug (assuming tr1 is owned by a different user): git clone --no-local --no-hardlinks $PWD/tr1 tr2 git clone --no-local --no-hardlinks ssh://localhost$PWD/tr1 tr2 git-upload-pack should not complain about safe.directory at all. If it's not secure to clone or fetch from an untrusted repository with git-upload-pack, then we have a bigger security problem that needs to be addressed. -- brian m. carlson (they/them or he/him) Toronto, Ontario, CA
Attachment:
signature.asc
Description: PGP signature