Bug#1076751: ikiwiki-hosting: autopkgtest regression with git 2.45.2: dubious ownership in repository at '/var/lib/ikiwiki-hosting-web/git/foo.example.com.git'
Source: ikiwiki-hosting
Version: 0.20220716-2
Severity: serious
Tags: upstream trixie sid
Justification: https://release.debian.org/testing/rc_policy.txt §6a
X-Debbugs-Cc: debian-ci@lists.debian.org
User: debian-ci@lists.debian.org
Usertags: needs-update
As reported (eventually) in
<https://salsa.debian.org/debian/ikiwiki-hosting/-/merge_requests/4>,
ikiwiki-hosting's autopkgtest is failing with git >= 2.45 as a result
of new restrictions on reading other uids' git repositories.
The root cause of this appears to be <https://bugs.debian.org/1076750>.
ikiwiki-hosting-web runs an instance of git-daemon(1) as uid 'ikiwiki-anon'
to serve user-generated content that is owned by other uids, and
git-daemon(1) no longer allows this by default. This is a genuine
regression in ikiwiki-hosting-web that was detected by its autopkgtest,
and not just a test issue.
I asked the git maintainers on #1076750 whether this was an intentional
behaviour change for git-daemon(1), which I had expected might have been
special-cased to be unaffected by this hardening because exporting git
repositories that it doesn't own is its whole purpose.
A crude solution would be for ikiwiki-hosting to write
[safe]
directory=*
into /var/lib/ikiwiki-hosting-web/git/.gitconfig, which happens to be
~/.gitconfig for the ikiwiki-anon user. I'm hoping that git maintainers
can suggest a better version of this, but unfortunately the first thing
I tried,
[safe]
directory=/var/lib/ikiwiki-hosting-web/git/*
does not work.
I do not consider the workaround proposed in
<https://salsa.debian.org/debian/ikiwiki-hosting/-/merge_requests/4>
to be a valid solution to this issue.
ikiwiki-hosting is a less important package than git, so I'm reporting this
as a RC bug in ikiwiki-hosting so that it will eventually get autoremoved,
hopefully allowing git to migrate.
smcv
Reply to: