opam 2.2+ and Git on Windows

[jonahbeckford]

(Follow-up issue from opam-dev conversation)

Deciding Which Git To Use

Context

Git has:

• a Credentials Manager (used for private repositories ... ie. GitHub forks)
• a set of trusted certificate authorities
• Git configuration

Implications

• We can't expose git.exe from Cygwin (or MSYS2) to a Windows user. Cygwin git has its own Credentials Manager (none of the Windows credentials will work), a different set of trusted certificate authorities (rarely important, except in a managed or corporate environment), and a different Git configuration (the different core.autocrlf configuration settings are quite important for interoperability, etc.).
• git is required for opam ... early in its initialization

Two suggestions given:

1. Ask user to install Git for Windows before installing opam
2. Have opam use Cygwin git for opam initialization, but after that use git from the system (ie. Git for Windows)

Git and PATH

Context

The canonical Git on Windows is:

• Git for Windows

However, many Windows power users (ie. average Windows developers) use Chocolatey and Scoop to install their packages.

The real problem is that adding git.exe to the PATH is often dangerous.

Here is Git for Windows which is safe except if user said "Add Git Bash to PATH" during installation.

REM Having this in the PATH is safe!

C:> dir "C:\Program Files\Git\cmd\"


    Directory: C:\Program Files\Git\cmd


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----         10/7/2022  12:51 PM         136752 git-gui.exe
-a----         10/7/2022  12:51 PM          45616 git.exe
-a----         10/7/2022  12:51 PM         136752 gitk.exe
-a----         10/7/2022  12:51 PM          45616 scalar.exe
-a----         10/7/2022  12:51 PM           3022 start-ssh-agent.cmd
-a----         10/7/2022  12:51 PM           2723 start-ssh-pageant.cmd

REM Having Git Bash in the PATH is dangerous because the bash.exe will conflict (sometimes silently) with Cygwin bash!

C:> dir "C:\Program Files\Git\bin"


    Directory: C:\Program Files\Git\bin


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----         10/7/2022  12:51 PM          46128 bash.exe
-a----         10/7/2022  12:51 PM          45616 git.exe
-a----         10/7/2022  12:51 PM          46128 sh.exe

Implications

• It is very easy for a Windows installation to have executables that are bad for opam to be in the same directory as git.exe. Hence adding dirname git to the PATH is often dangerous
• Git for Windows is safe but only if the default options are used
• Chocolatey and Scoop are not safe ... it is common for git.exe to be in the same directory as hundreds of other executables, including bash.exe. Here is one issue: Scoop bash.exe (etc.) conflicts with v1.2.0-prerel7 Installer diskuv/dkml-installer-ocaml#34

Suggestion:

1. Let user specify absolute path to git.exe, just like can be done for curl.exe and wget.exe.

[kit-ty-kate]

do you think this needs to have a solution before the final release of 2.2.0 ?

[jonahbeckford]

The "Deciding Which Git To Use" needs to be in opam 2.2.0.

The "Git and PATH" can be punted as long as there are cautions to the user to only use opam 2.2.0 with a "happy" setup (Git for Windows with default options; definitely no Chocolatey or Scoop).