Jakub Wilk writes ("Re: Bug#867699: fatal: transport 'ext' not allowed"):
> * Ian Jackson <ijack...@chiark.greenend.org.uk>, 2017-07-08, 18:30:
> >if this change was done for security reasons, why has it not been done
> >in stretch ?
> This change was introduced in this commit:
> The commit message doesn't mention any security implications. In fact,
> it doesn't even explicitly say that it changes the default behavior. :-/
> I suspect it was meant to be hardening, rather than a security fix.

Right. Do you think we should backport this to stretch ? I would be
inclined to say "no" because of the compatibility risk, but it seems
arguable to me.

IDK who else might be using ext:. As for dgit, which is where I
noticed this, the breakage is in the dgit _test suite_. dgit itself
does not use ext:. I have no idea whether that's usefully indicative
of other callers' situations.

> See #840014 for a bug that was mitigated thanks to this change.
> Other security bugs that could be exploited via git-remote-ext:

Right. This is why I'm not asking for this change to be reverted.

Ian Jackson <ijack...@chiark.greenend.org.uk> These opinions are my own.
If I emailed you from an address @fyvzl.net or @evade.org.uk, that is
a private address which bypasses my fierce spamfilter.