Subject: bug#56398: (guix git) fails to check out repos with nested submodules
From: André Batista
To: bokr@bokr.com
Cc: Ludovic Courtès, 56398@debbugs.gnu.org
Date: Thu, 4 Aug 2022 09:01:21 -0300
References: <87sfnf4n7c.fsf@inria.fr> <20220708101759.GA6315@LionPure>
In-Reply-To: <20220708101759.GA6315@LionPure>

Hi Bengt!

Fri 08 Jul 2022 at 12:17:59 (1657293479), bokr@bokr.com wrote:
> Have you seen this[1] re nested git tricks?
>
> [1]:

No, I had missed that, thanks for pointing that out!

> i.e., are you sure not to be used by some such attack?

However, I think this git issue is orthogonal to the current one. First, inits, clones and checkouts are key git features, so it's up to git to make sure its subcommands will not execute code by mistake. Second, to exploit it, the attacker would have to make themselves very visible by maintaining a public malicious repo, which would be bound to be flagged. And lastly, guile-git uses libgit2, which is a different beast that actually auto-initializes submodules when updating, contrary to my mistaken assumption to which you've replied. I thought initialization implied directory creation, but it actually doesn't.

Cheers!
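For readers who want to check the distinction the message above draws (submodule initialization versus the directory and the checkout actually appearing on disk), the script below is an added example, not code from this bug thread, from Guix, from guile-git or from libgit2. It uses the plain git command line rather than libgit2, so it shows git's own behaviour for comparison: three throwaway repositories (outer vendors middle, middle vendors inner, i.e. a nested submodule) are constructed in a temporary directory, and the script records what a fresh clone, `git submodule init`, a non-recursive `git submodule update` and `git submodule update --init --recursive` each leave behind. The repository names, file contents and committer identity are assumptions made up for the example; nothing is fetched from the network. The `protocol.file.allow=always` setting is only there because git 2.38.1 and later refuse local-path submodule clones by default; older versions ignore the key.

```shell
#!/bin/sh
# Added example (not from the bug thread, Guix, guile-git or libgit2).
# Builds outer -> middle -> inner as nested git submodules in a temp dir and
# records what each clone/init/update step leaves in the working tree.
set -eu

# Identity for the constructed commits (assumed values, not real people).
export GIT_AUTHOR_NAME=example GIT_AUTHOR_EMAIL=example@example.invalid
export GIT_COMMITTER_NAME=example GIT_COMMITTER_EMAIL=example@example.invalid

# git >= 2.38.1 refuses local-path (file://) submodule clones unless
# protocol.file.allow is set; older versions simply ignore the key.
GIT="git -c protocol.file.allow=always"

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# new_repo DIR: a repository with a single committed file, README.
new_repo() {
    git init -q "$1"
    echo "content of $(basename "$1")" >"$1/README"
    git -C "$1" add README
    git -C "$1" commit -q -m initial
}

# add_submodule SUPER SUB PATH: vendor repository SUB into SUPER at PATH.
add_submodule() {
    $GIT -C "$1" submodule --quiet add "$2" "$3"
    git -C "$1" commit -q -m "add submodule $3"
}

# checked_out DIR: prints 1 if DIR holds a checked-out README, else 0.
checked_out() {
    if [ -f "$1/README" ]; then echo 1; else echo 0; fi
}

# submodule_registered REPO NAME: prints 1 if `submodule init` has copied
# NAME's URL from .gitmodules into REPO's own config, else 0.
submodule_registered() {
    if git -C "$1" config --get "submodule.$2.url" >/dev/null 2>&1; then
        echo 1
    else
        echo 0
    fi
}

new_repo "$WORK/inner"
new_repo "$WORK/middle"
add_submodule "$WORK/middle" "$WORK/inner" inner
new_repo "$WORK/outer"
add_submodule "$WORK/outer" "$WORK/middle" middle

# A fresh clone of the superproject, as a user or a build tool would get it.
CLONE="$WORK/clone"
git clone -q "$WORK/outer" "$CLONE"

# 1. The clone already created the gitlink's directory, but left it empty.
after_clone_middle=$(checked_out "$CLONE/middle")

# 2. `submodule init` only registers URLs in .git/config; it clones nothing,
#    so the directory is exactly as empty as before.
git -C "$CLONE" submodule --quiet init
after_init_registered=$(submodule_registered "$CLONE" middle)
after_init_middle=$(checked_out "$CLONE/middle")

# 3. A non-recursive update clones `middle` but leaves its own `inner` empty.
$GIT -C "$CLONE" submodule --quiet update
after_update_middle=$(checked_out "$CLONE/middle")
after_update_inner=$(checked_out "$CLONE/middle/inner")

# 4. Only --init --recursive walks into the nested submodule.
$GIT -C "$CLONE" submodule --quiet update --init --recursive
after_recursive_inner=$(checked_out "$CLONE/middle/inner")

printf 'clone:              middle=%s\n' "$after_clone_middle"
printf 'init:               registered=%s middle=%s\n' "$after_init_registered" "$after_init_middle"
printf 'update:             middle=%s inner=%s\n' "$after_update_middle" "$after_update_inner"
printf 'update --recursive: inner=%s\n' "$after_recursive_inner"
```

Run it with `sh` and `git` on the path. The four printed lines make the point of the message concrete: the empty `middle` directory is created by the checkout of the superproject, not by `init`; `init` changes only configuration; and the nested `inner` is populated only by the recursive update, which is the case the bug report is about.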