Hello,

On Sun 12 Oct 2025 at 08:55pm +01, Ian Jackson wrote:

> Sean Whitton writes ("Re: Bug#1117924: git-debpush accessibility check can be
> defeated by insteadOf"):
>> On Sun 12 Oct 2025 at 03:26pm +01, Ian Jackson wrote:
>> >    Open questions: (i) should this involve pushInsteadOf or insteadOf
>> >    or both? (ii) is there a way to implement this by calling git,
>> >    other than by reimplementing git's algorithm?
>>
>> My notes say:
>>
>>   'git remote get-url --push origin' will expand insteadOf and
>>   pushInsteadOf for us.
>>
>>   For a plain URL that is not a named remote, there is a way to expand
>>   insteadOf, but not pushInsteadOf (or at least there wasn't in 2019).
>>   But I don't think this limitation affects us as git-debpush is always
>>   using named remotes.
>
> This is all very well, but my analysis demands that we do the
> resolution one step at a time so that we can spot intermediate values.
> I guess we could use this as a sanity check that we're not doing
> something utterly mad at the end...

I don't follow how an intermediate value could match
[email protected] but not the final value, because there's only one
way to SSH to salsa.  What sort of case do you have in mind?

>> > Contrary to Sean's opinion, I think this is also a reasonable
>> > configuration.  One reason to do this rather than pushInsteadOf is
>> > that it switches authentication for read-only accesses from the X.509
>> > TLS cabal, to ssh.
>>
>> Not contrary to my opinion -- I was suggesting pushInsteadOf as a quick
>> fix, and agree that using SSH all the time is reasonable.
>
> Oh, sorry for the misunderstanding.

Not at all.

-- 
Sean Whitton
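
The expansion mentioned in the quoted notes, as an added example that is not part of the original message and not git-debpush code: it compares the URL written in the config with what `git remote get-url` reports once an insteadOf or pushInsteadOf rewrite applies. The example.org host names are constructed placeholders and the helper function names are hypothetical.

```shell
#!/bin/sh
# Added example: raw remote URL versus what git actually uses after
# insteadOf / pushInsteadOf. Host names below are constructed placeholders.

# Ignore the caller's own global/system rewrites so the demo is reproducible.
export GIT_CONFIG_GLOBAL=/dev/null GIT_CONFIG_NOSYSTEM=1

# Create a throwaway repo with a named remote; print its path.
make_demo_repo() {
    repo=$(mktemp -d) || return 1
    git init -q "$repo" >/dev/null 2>&1 || return 1
    git -C "$repo" remote add origin https://git.example.org/team/pkg.git
    printf '%s\n' "$repo"
}

# What is written in the config (what a check on the raw value would see).
configured_url() { git -C "$1" config --get remote.origin.url; }

# What git will really contact, with rewrites expanded.
effective_fetch_url() { git -C "$1" remote get-url origin; }
effective_push_url()  { git -C "$1" remote get-url --push origin; }

# Add a url.<base>.<kind> rewrite: add_rewrite REPO KIND BASE PREFIX
add_rewrite() { git -C "$1" config "url.$3.$2" "$4"; }

# Succeeds only if the effective push URL starts with the expected prefix.
push_url_has_prefix() {
    case $(effective_push_url "$1") in
        "$2"*) return 0 ;;
        *)     return 1 ;;
    esac
}

demo() {
    r=$(make_demo_repo) || return 1
    add_rewrite "$r" insteadOf ssh://git@ssh.example.org/ https://git.example.org/
    echo "configured: $(configured_url "$r")"
    echo "fetch:      $(effective_fetch_url "$r")"
    echo "push:       $(effective_push_url "$r")"
    rm -rf "$r"
}
demo
```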
