bug-guix

bug#56398: (guix git) fails to check out repos with nested submodules


From: André Batista
Subject: bug#56398: (guix git) fails to check out repos with nested submodules
Date: Thu, 4 Aug 2022 09:01:21 -0300

Hi Bengt!

On Fri, 08 Jul 2022 at 12:17:59 (1657293479), bokr@bokr.com wrote:
> Have you seen this[1] re nested git tricks? 
> 
> [1]:    <https://lwn.net/Articles/848935/>

No, I had missed that, thanks for pointing that out!

> i.e., are you sure not to be used by some such attack?

However, I think this git issue is orthogonal to the current one.

First, inits, clones and checkouts are key git features, so it's
up to git to make sure its subcommands will not execute code by
mistake.

Second, to exploit it, the attacker would have to make themselves
very visible by maintaining a public malicious repo which would be
bound to be flagged.

And lastly, guile-git uses libgit2, which is a different beast that
actually auto-initializes submodules when updating, contrary to my
mistaken assumption to which you've replied. I thought
initialization implied directory creation, but it actually doesn't.

Cheers!




