Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update git tests to not use local partial clones #12721

Merged
merged 1 commit into from
May 22, 2024
Merged

Update git tests to not use local partial clones #12721

merged 1 commit into from
May 22, 2024

Conversation

sbidoul
Copy link
Member

@sbidoul sbidoul commented May 22, 2024
edited

This works around a git restriction to fix CVE-2024-32004.

This change only modifies tests using local git repos to not use partial clones as source repos. Tests using remote git repos continue to work as before.

Users affected by the error remote: fatal: could not fetch ... from promisor remote should consider setting a GIT_NO_LAZY_FETCH=0 env var if they trust the source repo.

fixes #12719

@sbidoul
Update git tests to not use local partial clones
f866f32 
This works around a git restriction to fix CVE-2024-32004.
Users affected by the error `remote: fatal: could not fetch ... from promisor remote`
should consider setting the GIT_NO_LAZY_FETCH=0 if they trust the source repo.
@pfmoore
Copy link
Member

pfmoore commented May 22, 2024

Should we also add either a news entry or maybe even a comment in the docs explaining the recommendation for users that hit this?

@sbidoul
Copy link
Member Author

sbidoul commented May 22, 2024

Should we also add either a news entry or maybe even a comment in the docs explaining the recommendation for users that hit this?

Since my understanding of the issue is not deep enough, I'm not quite comfortable doing this right now. Perhaps should we wait until we have actual user reports that will help us contextualize the problem.

@pfmoore
Copy link
Member

pfmoore commented May 22, 2024

That's fair. And we can tell them to set the env variable, so it's not as if we're delaying a fix for them in any meaningful way.

@sbidoul sbidoul added skip news Does not need a NEWS file entry (eg: trivial changes) type: maintenance Related to Development and Maintenance Processes labels May 22, 2024
@sbidoul
Copy link
Member Author

sbidoul commented May 22, 2024

🍏

@sbidoul sbidoul added this to the 24.1 milestone May 22, 2024
@pradyunsg pradyunsg merged commit 038dc75 into pypa:main May 22, 2024
29 of 30 checks passed
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jun 7, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers
No reviews
Assignees
No one assigned
Labels
skip news Does not need a NEWS file entry (eg: trivial changes) type: maintenance Related to Development and Maintenance Processes
Projects
None yet
Milestone
24.1
Development

Successfully merging this pull request may close these issues.

Ongoing CI issues on main
3 participants
@sbidoul @pfmoore @pradyunsg