Source: ikiwiki-hosting Version: 0.20220716-2 Severity: serious Tags: upstream trixie sid Justification: https://release.debian.org/testing/rc_policy.txt ยง6a X-Debbugs-Cc: [email protected] User: [email protected] Usertags: needs-update
As reported (eventually) in <https://salsa.debian.org/debian/ikiwiki-hosting/-/merge_requests/4>, ikiwiki-hosting's autopkgtest is failing with git >= 2.45 as a result of new restrictions on reading other uids' git repositories. The root cause of this appears to be <https://bugs.debian.org/1076750>. ikiwiki-hosting-web runs an instance of git-daemon(1) as uid 'ikiwiki-anon' to serve user-generated content that is owned by other uids, and git-daemon(1) no longer allows this by default. This is a genuine regression in ikiwiki-hosting-web that was detected by its autopkgtest, and not just a test issue. I asked the git maintainers on #1076750 whether this was an intentional behaviour change for git-daemon(1), which I had expected might have been special-cased to be unaffected by this hardening because exporting git repositories that it doesn't own is its whole purpose. A crude solution would be for ikiwiki-hosting to write [safe] directory=* into /var/lib/ikiwiki-hosting-web/git/.gitconfig, which happens to be ~/.gitconfig for the ikiwiki-anon user. I'm hoping that git maintainers can suggest a better version of this, but unfortunately the first thing I tried, [safe] directory=/var/lib/ikiwiki-hosting-web/git/* does not work. I do not consider the workaround proposed in <https://salsa.debian.org/debian/ikiwiki-hosting/-/merge_requests/4> to be a valid solution to this issue. ikiwiki-hosting is a less important package than git, so I'm reporting this as a RC bug in ikiwiki-hosting so that it will eventually get autoremoved, hopefully allowing git to migrate. smcv
