GNU bug report logs - #56398
(guix git) fails to check out repos with nested submodules
Hi Bengt!
Fri 08 Jul 2022 at 12:17:59 (1657293479), bokr <at> bokr.com wrote:
> Have you seen this[1] re nested git tricks?
>
> [1]: <https://lwn.net/Articles/848935/>
No, I had missed that, thanks for pointing that out!
> i.e., are you sure not to be used by some such attack?
However I think this git issue is orthogonal to the current one.
First, inits, clones and checkouts are key git features, so it's
up to git to make sure its subcommands will not execute code by
mistake.
Second, to exploit it, the attacker would have to make themselves
very visible by maintaining a public malicious repo which would be
bound to be flagged.
And lastly, guile-git uses libgit2, which is a different beast that
actually auto initializes submodules when updating, contrary to my
mistaken assumption to which you've replied. I thought
initialization implied directory creation, but it actually doesn't.
Cheers!
This bug report was last modified 2 years and 241 days ago.