Alpine docker does not support git 2.35.2 #46

Closed
DennisPlaydon opened this issue Apr 21, 2022 · 8 comments

@DennisPlaydon

Hi there,

We are pulling the latest alpine image and running git commands in CI. However, we are running into a fatal: unsafe repository ('...' is owned by someone else) error. This seems to be a new error due to a security vulnerability in git.

The recommendation is to update to the latest version of git, version 2.35.2. Would it be possible to release a new version of alpine/git so it is possible to upgrade?

Thank you 😃

@ozbillwang
Contributor

ozbillwang commented Apr 21, 2022

Yes, I saw the same error on version 2.34.1 only. That's the latest image generated, which was auto-generated yesterday. No problem on tag 2.32.x.

For production usage, please don't use latest as the tag when you pull the image; always stick to a version which has been tested.

Let me trigger the pipeline to build a new image on v2.35.2.

@ozbillwang
Contributor

ozbillwang commented Apr 21, 2022

Seems we have to wait for the new version to be available in Alpine. Let me explain.

This Dockerfile installs git via apk add git directly; it will always install the latest version in Alpine.

But currently the latest git version in Alpine is v2.34.2,

but the official git release has reached v2.36.0 (https://github.com/git/git/tags).

I have to wait; otherwise, we would need to adjust our code to compile and build git from source, which would be a totally different case.

@ozbillwang
Contributor

ozbillwang commented Apr 21, 2022

unless we switch the base image from alpine to alpine:edge

But alpine:edge is not for production

ref: https://wiki.alpinelinux.org/wiki/Edge#:~:text=From%20Alpine%20Linux,updated%20on%20a%20regular%20basis.

"edge" is the name given to the current development tree of Alpine Linux. It consists of a APK repository called "edge" and contains the latest build of all available Alpine Linux packages. Those packages are updated on a regular basis.

Warning: "edge" is under constant development so be careful using it in production. It is possible that bugs in "edge" could cause data loss or could break your system.

@DennisPlaydon
Author

Would it be possible to release a -preview version which uses alpine edge? We are not using the alpine/git in production. It is used for local and CI automation. Once alpine has updated then you could deprecate the preview version and switch back to standard alpine.

I will say that this is not a blocking issue. We have a workaround that trusts the directory, which resolves the issue at the moment.

For anyone that stumbles upon this: we are using git config --global --add safe.directory /dir to trust the directory that is throwing errors.

I'm interested to know your thoughts on what should happen next.

@jaydrogers

Thanks for organizing and maintaining this project!

Just adding a note for others who are attempting to run git config --global --add safe.directory /git:

  • 👉 If you run this command before your git pull command in CI, then you may have to do an extra step

Solution:

  • Mount a volume for /root in the container

Example:
Here is a snippet from my GitLab deployment:

script:
  # --global writes to /root/.gitconfig inside the container; the /root volume keeps it for the next run
  - docker run --rm --pull always -v /home/deploy-user/:/root -v /path/to/my/app:/git alpine/git config --global --add safe.directory /git
  - docker run --rm --pull always -v /home/deploy-user/:/root -v /path/to/my/app:/git alpine/git pull origin my-branch
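
An added example, not part of any comment in this thread: a CI helper that adds the safe.directory entry discussed above only when the repository directory is owned by a different user than the one git runs as, and only for that exact path. The function names are hypothetical, and the ownership test is a simplification that looks only at the directory passed in.

```shell
#!/bin/sh
# Added example, not code from the alpine/git project. Function names are hypothetical.

# Print the numeric owner uid of a directory (POSIX ls, also works on BusyBox/Alpine).
owner_uid() {
    ls -ldn -- "$1" | awk '{print $3}'
}

# Exit 0 when DIR is owned by a different uid than the one git runs as.
# That mismatch is what the "owned by someone else" error reports on bind mounts.
# $2 overrides the uid to compare against (defaults to the current user).
needs_safe_directory() {
    [ -d "$1" ] || return 2
    dir_uid=$(owner_uid "$1")
    run_uid=${2:-$(id -u)}
    [ "$dir_uid" != "$run_uid" ]
}

# Trust exactly one repository path in the global config, at most once.
# Prints the resolved absolute path that is trusted.
trust_repo() {
    abs=$(cd -- "$1" && pwd -P) || return 2
    if ! git config --global --get-all safe.directory | grep -Fxq -- "$abs"; then
        git config --global --add safe.directory "$abs" || return 1
    fi
    printf '%s\n' "$abs"
}

# Add the trust entry only when the ownership check would actually fail.
ensure_trusted() {
    [ -d "$1" ] || return 2
    if needs_safe_directory "$1"; then
        trust_repo "$1" >/dev/null || return 1
        echo "trusted"
    else
        echo "owner-matches"
    fi
}

# Usage: sh trust-repo.sh /git   (the script name is a placeholder)
if [ -n "${1:-}" ]; then
    ensure_trusted "$1"
fi
```

Because --global writes to $HOME/.gitconfig, the entry survives between docker run --rm invocations only when that home directory is a mounted volume, as in the snippet above.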

@DennisPlaydon
Author

DennisPlaydon commented May 24, 2022

Hey @ozbillwang I see that alpine has released a new version. Could we update now?

@ozbillwang
Contributor

The free pipeline sets some limitation on build time now. I changed the build frequency from daily to weekly, so it is possible you will wait for one week to get the latest version.

@ozbillwang
Contributor

The latest tag is v2.36.2 already.

Closing this issue now.
