Add the .git subdir as another safe.directory on Cygwin CI
#1916
Conversation
Using this older version is not in general secure, since the new version is a security update. It is sometimes acceptable to run software with security bugs in CI workflows, but the intent of this change is just to check if the version of the Cygwin `git` package is the cause of the failures. If so, they can probably be fixed or worked around in a better way than downgrading. (Furthermore, the lower version of the `git` package will not always be avaialable from Cygwin's repositories.)
This undoes the change of pinning Git to an earlier version (before the recent security update) on Cygwin, and instead adds the `.git` subdirectory of the `GitPython` directory as an additional value of the multi-valued `safe.directory` Git configuration variable.
There was a problem hiding this comment.
Thanks a lot!
Seeing the change to safe.directory made me wonder if this is indeed a change in how it works and if gitoxide is affected.
And indeed, 22 months ago I see no evidence of it.
This line tells us it will check the git-dir/repository-directory if there is no worktree, but it's certainly strange that a wt/.git is a clone that is bare, it's an unusual name.
Anyway, it's good this is fixed and I don't worry about it.
|
I'm still not totally clear what's going on here. Some of the changes in 2.45.1 were judged overzealous and undone in 2.45.2. But don't know if that has anything to do with this. Anyway, git 2.45.2 is not yet in the Cygwin repositories, and I'm not sure it will be since it's not a security fix (so it might be skipped over, with some future version being packaged next). |
That specific fragment is: struct safe_directory_data data = {
.path = worktree ? worktree : gitdir
};But that is only used for this: /*
* data.path is the "path" that identifies the repository and it is
* constant regardless of what failed above. data.is_safe should be
* initialized to false, and might be changed by the callback.
*/
git_protected_config(safe_directory_cb, &data);
return data.is_safe;However, that code is just for figuring out which path to look for as a value of the In between the two is the ownership check, which does not reference if (!git_env_bool("GIT_TEST_ASSUME_DIFFERENT_OWNER", 0) &&
(!gitfile || is_path_owned_by_current_user(gitfile, report)) &&
(!worktree || is_path_owned_by_current_user(worktree, report)) &&
(!gitdir || is_path_owned_by_current_user(gitdir, report)))
return 1;While none of this code has changed around the same time as the breakage that this PR fixed, nor recently, I do not know if the More likely relevant, I think, is that I am also unsure if any of the So while it seems like maybe the need to add the I am wondering if some GitPython tests run commands in the At least with current versions of Git, this requires that the That was on GNU/Linux, but it is not specific to it (nor to systems with the somewhat rare relaxed 0002 umask value I have set there). It is also not specific to passing the directory to operate on using That same experiment in Cygwin, where I create the repository with Cygwin git 2.45.1, then outside the Cygwin environment navigate to the working tree in Windows Explorer and recursively change its ownership to another user (which includes changing that of its Could this behavior have been what changed? Could the working tree have been sufficient before, even when operating directly in the |
|
Thanks for reviving this conversation. I am entirely unsure how all this relates to GitPython, but know that |
As far as I know, the only connection to GitPython is through its Cygwin CI workflow, which had to be changed to accommodate this. That is, I am not proposing that a bug in GitPython itself causes this or that anything in the
Thanks--this way of putting it clarifies a comment that puzzled me during something I'm working on in gitoxide! |
|
Thanks for clarifying - indeed I was trying to understand if there was something actionable for GitPython and had/have no memory on how this works here. In that regard I am happy that |
As shown in this run on my fork, the CI test job for Cygwin is failing now. This fixes that.
The first commit in this pull request just demonstrates that the failure is due to the upgrade of the Cygwin
gitpackage from 2.43.0-1 to 2.45.1-1. Although that commit makes test pass, I recommend against following that approach, mainly because the new version contains multiple security updates (coming in with the upstream 2.45.1 version, not with any downstream patches), but also because the older version will eventually be dropped from the Cygwin repositories.The better workaround is in the second commit here, which adds the
.gitsubdirectory of the clonedGitPythondirectory as a value of the multi-valuedsafe.directoryGit configuration variable. Its parent directory is already added, which was previously sufficient, but not anymore.I suspect that, rather than this being any bug in the downstream package, this is actually the correct behavior due to one of the several security fixes in the new version of Git, though I have not verified that. So maybe this is really not a workaround, but a permanent fix.
I believe the reason there is no need to modify any other workflow is that the other workflows don't need to add any
safe.directorypaths at all: they either clone the repository with the necessary ownership in the first place or, in the case of the Alpine Linux job, set the ownership withchown.