Support for safe.bareRepository explicit
Git config
#11855
Comments
Sounds reasonable, and shouldn't be too hard to switch from cwd to cwd + GIT_DIR env, which would also be BC for old git clients that may(?) not support the env var.
@Seldaek Unfortunately on Windows this will not work, so we need to use the
@swissspidy could you provide an example composer.json to reproduce this issue? I'm struggling to reproduce it myself.
Sure! I think it requires a
{
    "name": "swissspidy/test",
    "require": {
        "swissspidy/media-experiments": "dev-main"
    },
    "repositories": [
        {
            "type": "vcs",
            "url": "https://github.com/swissspidy/media-experiments",
            "no-api": true
        }
    ]
}
@swissspidy Still could not recreate the issue, my git is up to date, my
Hmm that's strange 🤔 I used that
From
When I run
I still could not reproduce, but I created a potential fix. If you can clone my fork, first run global
Hmm so is the intention with that fix to only set Plus, bare repos do not have a This works for me:
if ($cwd && is_string($command) && is_int(stripos($command, 'git '))) {
    $env = ['GIT_DIR' => $cwd];
}
Yay! Finally managed to reproduce and fix it - my bad for not understanding the issue until now. The commit I sent you did not work, but I will create a PR with the fix.
Awesome, great to hear! Thanks a lot ❤️
Context: https://github.com/justinsteven/advisories/blob/main/2022_git_buried_bare_repos_and_fsmonitor_various_abuses.md
Git introduced a safe.bareRepository configuration variable that allows users to forbid discovery of bare repositories by setting it to "explicit".

This happens to be the case on my system, which means Composer can't update dependencies anymore because it does use bare repositories.

To support this more strict setting, all Git commands executed by Composer would need to be run with --git-dir or the GIT_DIR environment variable. For example, git status will become either GIT_DIR=/path/to/my/repo git status or git --git-dir=/path/to/my/repo status

Is this something you would consider improving in Composer itself so that people using more strict Git settings can continue using Composer?
A temporary workaround right now is for me to disable this safe.bareRepository setting, but the corp system administrators would not be happy about that :-)

Here's an example error output of the update failing for me right now (from composer update -vvv):
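The behaviour this issue describes can be reproduced with the script below, which is an added example and not Composer's code or anything posted in the thread. It builds a throwaway bare repository in a temporary directory and passes the strict setting with git -c, so the user's own configuration is untouched. The directory name vcs-cache and the function names are assumptions, and the script reports "unsupported" on Git older than 2.38, the release that introduced safe.bareRepository.

```shell
#!/bin/sh
# Added example: constructed throwaway repository, not Composer code.
STRICT="safe.bareRepository=explicit"

# Returns 0 if the installed git is 2.38 or newer (first release with the setting).
git_supports_setting() {
    v=$(git version 2>/dev/null |
        sed -n 's/^git version \([0-9]*\)\.\([0-9]*\).*/\1 \2/p')
    [ -n "$v" ] || return 1
    set -- $v
    [ "$1" -gt 2 ] || { [ "$1" -eq 2 ] && [ "$2" -ge 38 ]; }
}

# Runs the given command from inside $bare with no inherited GIT_DIR and
# prints "ok" if git resolved a repository, "refused" otherwise.
probe() {
    if (unset GIT_DIR GIT_WORK_TREE; cd "$bare" && "$@" >/dev/null 2>&1); then
        echo ok
    else
        echo refused
    fi
}

demo() {
    git_supports_setting || { echo unsupported; return 0; }
    tmp=$(mktemp -d) || return 1
    bare="$tmp/vcs-cache"   # constructed stand-in for a bare cache clone
    git init --quiet --bare "$bare" >/dev/null 2>&1 || { rm -rf "$tmp"; return 1; }

    # 1. Implicit discovery from the current directory: refused under "explicit".
    implicit=$(probe git -c "$STRICT" rev-parse --git-dir)
    # 2. Repository named through the GIT_DIR environment variable.
    via_env=$(probe env GIT_DIR="$bare" git -c "$STRICT" rev-parse --git-dir)
    # 3. Repository named through the --git-dir option.
    via_flag=$(probe git -c "$STRICT" --git-dir="$bare" rev-parse --git-dir)

    rm -rf "$tmp"
    echo "implicit=$implicit GIT_DIR=$via_env --git-dir=$via_flag"
}

demo
```

Only the first probe depends on discovery from the working directory, which is the case the strict setting blocks; the other two name the repository explicitly and are accepted.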