
Bug#1023804: marked as done (git-remote-hg: autopkgtest needs update for new version of git: transport 'file' not allowed)



Your message dated Thu, 08 Dec 2022 02:38:28 +0000
with message-id <E1p36ns-0045di-CO@fasolo.debian.org>
and subject line Bug#1023804: fixed in git-remote-hg 1.0.4~ds-1
has caused the Debian Bug report #1023804,
regarding git-remote-hg: autopkgtest needs update for new version of git: transport 'file' not allowed
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1023804: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1023804
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: git-remote-hg
Version: 1.0.3.2~ds-2
Severity: serious
X-Debbugs-CC: git@packages.debian.org
Tags: sid bookworm
User: debian-ci@lists.debian.org
Usertags: needs-update
Control: affects -1 src:git

Dear maintainer(s),

With a recent upload of git the autopkgtest of git-remote-hg fails in testing when that autopkgtest is run with the binary packages of git from unstable. It passes when run with only packages from testing. In tabular form:

                       pass            fail
git                    from testing    1:2.38.1-1
git-remote-hg          from testing    1.0.3.2~ds-2
all others             from testing    from testing

I copied some of the output at the bottom of this report. This is due to """
    * Addresses the security issue CVE-2022-39253: cloning an
      attacker-controlled local repository could store arbitrary files
      in the ".git" directory of the destination repository.
"""

This has a nice write up:
https://vielmetti.typepad.com/logbook/2022/10/git-security-fixes-lead-to-fatal-transport-file-not-allowed-error-in-ci-systems-cve-2022-39253.html

Currently this regression is blocking the migration of git to testing [1]. Of course, git shouldn't just break your autopkgtest (or even worse, your package), but it seems to me that the change in git was intended and your package needs to update to the new situation.

If this is a real problem in your package (and not only in your autopkgtest), the right binary package(s) from git should really add a versioned Breaks on the unfixed version of (one of your) package(s). Note: the Breaks is nice even if the issue is only in the autopkgtest as it helps the migration software to figure out the right versions to combine in the tests.

More information about this bug and the reason for filing it can be found on
https://wiki.debian.org/ContinuousIntegration/RegressionEmailInformation

Paul

[1] https://qa.debian.org/excuses.php?package=git

https://ci.debian.net/data/autopkgtest/testing/amd64/g/git-remote-hg/28079228/log.gz

Initialized empty Git repository in /tmp/autopkgtest-lxc.4ir0bv3l/downtmp/build.jzc/src/test/trash directory.main-push/tmp/sub/.git/
[master (root-commit) be983cd] init
 Author: A U Thor <author@example.com>
 1 file changed, 0 insertions(+), 0 deletions(-)
 create mode 100644 empty
Initialized empty Git repository in /tmp/autopkgtest-lxc.4ir0bv3l/downtmp/build.jzc/src/test/trash directory.main-push/tmp/gitrepo/.git/
Cloning into '/tmp/autopkgtest-lxc.4ir0bv3l/downtmp/build.jzc/src/test/trash directory.main-push/tmp/gitrepo/sub'...
fatal: transport 'file' not allowed
fatal: clone of '/tmp/autopkgtest-lxc.4ir0bv3l/downtmp/build.jzc/src/test/trash directory.main-push/tmp/sub' into submodule path '/tmp/autopkgtest-lxc.4ir0bv3l/downtmp/build.jzc/src/test/trash directory.main-push/tmp/gitrepo/sub' failed
not ok 52 - push with submodule



--- End Message ---
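
The failure quoted in the report above, reproduced next to a narrowly scoped opt-in for test suites, as an added example (not part of the bug report and not git-remote-hg's own code). It assumes git is on PATH; the throwaway repositories and the `try_submodule_add` helper are constructed for illustration. `protocol.file.allow=user` (git's default for the file transport since the CVE-2022-39253 fix) is passed explicitly so the refusal is visible on any git version, and `always` is applied to one command on a repository the test itself created, not written to global configuration.

```shell
#!/bin/sh
# Constructed reproduction: both repositories are created in a temp dir by this script.

# try_submodule_add POLICY
#   Runs `git submodule add` over a local path with protocol.file.allow=POLICY
#   set for that single invocation. Returns git's exit status and leaves the
#   command output in LAST_OUTPUT.
try_submodule_add() {
    policy=$1
    tmp=$(mktemp -d) || return 2
    (
        # Isolate from the caller's git configuration and locale.
        HOME=$tmp; GIT_CONFIG_NOSYSTEM=1; LC_ALL=C
        export HOME GIT_CONFIG_NOSYSTEM LC_ALL
        unset GIT_ALLOW_PROTOCOL GIT_PROTOCOL_FROM_USER

        id="-c user.name=Tester -c user.email=tester@example.com"
        git init -q "$tmp/sub" &&
        git -C "$tmp/sub" $id commit -q --allow-empty -m init &&
        git init -q "$tmp/gitrepo" || exit 2

        # Submodule clones run with GIT_PROTOCOL_FROM_USER=0, so the "user"
        # policy refuses the file transport here; "always" permits it.
        # -c travels to the child clone via GIT_CONFIG_PARAMETERS.
        git -C "$tmp/gitrepo" -c protocol.file.allow="$policy" \
            submodule add "$tmp/sub" sub >"$tmp/out" 2>&1
    )
    status=$?
    LAST_OUTPUT=$(cat "$tmp/out" 2>/dev/null)
    rm -rf "$tmp"
    return $status
}

# Stand-alone run: show both policies side by side.
for p in user always; do
    if try_submodule_add "$p"; then
        echo "protocol.file.allow=$p: submodule added"
    else
        echo "protocol.file.allow=$p: refused ($LAST_OUTPUT)"
    fi
done
```

Keeping the override on the one command line means a repository the suite did not create is still cloned under git's default policy.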
--- Begin Message ---
Source: git-remote-hg
Source-Version: 1.0.4~ds-1
Done: Paul Wise <pabs@debian.org>

We believe that the bug you reported is fixed in the latest version of
git-remote-hg, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1023804@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Paul Wise <pabs@debian.org> (supplier of updated git-remote-hg package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 08 Dec 2022 10:00:03 +0800
Source: git-remote-hg
Architecture: source
Version: 1.0.4~ds-1
Distribution: unstable
Urgency: medium
Maintainer: Debian QA Group <packages@qa.debian.org>
Changed-By: Paul Wise <pabs@debian.org>
Closes: 1023804
Changes:
 git-remote-hg (1.0.4~ds-1) unstable; urgency=medium
 .
   * QA upload.
   * New upstream release.
     - Drop patches merged upstream
     - Fixes test failure with git security update (Closes: #1023804)
   * Update standards version to 4.6.1, no changes needed.
Checksums-Sha1:
 2af2e9de1b4ef6a785fcff86011eb017f110be87 2099 git-remote-hg_1.0.4~ds-1.dsc
 b2493b665ba8831b2c3206213e179a0996c61ec2 51200 git-remote-hg_1.0.4~ds.orig.tar.xz
 c13dc3b40d3bd26bb97a51754236acfe5b86defc 5832 git-remote-hg_1.0.4~ds-1.debian.tar.xz
Checksums-Sha256:
 f01b60435e0b056525689a9e323db766ebb675cbdf72ba22264935bdf6d3fc97 2099 git-remote-hg_1.0.4~ds-1.dsc
 bd9b0941738a1fbb52c79d33acb64fd21007618c5897b8a46fb544b43b945be8 51200 git-remote-hg_1.0.4~ds.orig.tar.xz
 0f073b71b012814912c88e956beb5cde05a9a89d26ae4487d54648fc3750a018 5832 git-remote-hg_1.0.4~ds-1.debian.tar.xz
Files:
 e2984c01f04ea53eeb3d222a885d88a7 2099 vcs optional git-remote-hg_1.0.4~ds-1.dsc
 4ca99192234044a51150433e428f4b6a 51200 vcs optional git-remote-hg_1.0.4~ds.orig.tar.xz
 fed78c86ab45d7080ec516b9c38f073e 5832 vcs optional git-remote-hg_1.0.4~ds-1.debian.tar.xz


--- End Message ---
