git_superproject: tell git that superproject is bare

The superproject is initialized as a bare repo in Superproject:_Init().
That means that later operations must treat it as a bare repository,
specifying the gitdir and setting 'bare' appropriately when launching
GitCommand()s. It's also OK not to specify cwd here because GitCommand()
will drop cwd if bare == True anyways.

With this change, it's possible to run `repo init` and `repo sync` with the
Git config 'safe.bareRepository' set to 'explicit'. This config strengthens
Git's security posture against embedded bare repository attacks like
https://github.com/justinsteven/advisories/blob/main/2022_git_buried_bare_repos_and_fsmonitor_various_abuses.md.

Bug: b/227257481
Change-Id: I954a64c6883d2ca2af9c603e7076fd83b52584e9
Reviewed-on: https://gerrit-review.googlesource.com/c/git-repo/+/389794
Reviewed-by: Mike Frysinger <vapier@google.com>
Tested-by: Jason R. Coombs <jaraco@google.com>
Tested-by: Emily Shaffer <emilyshaffer@google.com>
Reviewed-by: Emily Shaffer <emilyshaffer@google.com>
Commit-Queue: Jason R. Coombs <jaraco@google.com>
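
The behaviour the commit message relies on, as an added example (not code from git-repo): with 'safe.bareRepository' set to 'explicit', Git refuses a bare repository it discovers from the current directory and accepts one whose gitdir is named explicitly. The function names and the throwaway repository are hypothetical, and the example assumes Git 2.38 or later, where this config exists.

```bash
#!/usr/bin/env bash
# Added illustration; helper names are hypothetical, not part of git-repo.

# safe.bareRepository is only honoured by Git 2.38 and later.
supports_safe_bare() {
    command -v git >/dev/null 2>&1 || return 1
    local ver major rest minor
    ver=$(git version | awk '{print $3}')
    major=${ver%%.*}; rest=${ver#*.}; minor=${rest%%.*}
    [ "$major" -gt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -ge 38 ]; }
}

# Constructed sample: a throwaway bare repo standing in for the superproject.
make_bare_repo() {
    local dir
    dir=$(mktemp -d) || return 1
    git init --quiet --bare "$dir/superproject.git" >/dev/null 2>&1 || return 1
    printf '%s\n' "$dir/superproject.git"
}

# Implicit: enter the directory and let Git discover the bare repo from cwd.
# Under 'explicit' this is refused, which is the embedded-bare-repo defence.
implicit_access() {
    ( unset GIT_DIR; cd "$1" &&
      git -c safe.bareRepository=explicit rev-parse --is-bare-repository
    ) >/dev/null 2>&1
}

# Explicit: name the gitdir, as the commit message describes for GitCommand().
explicit_access() {
    git -c safe.bareRepository=explicit --git-dir="$1" \
        rev-parse --is-bare-repository 2>/dev/null
}

if supports_safe_bare; then
    repo=$(make_bare_repo)
    if implicit_access "$repo"; then
        echo "implicit discovery: allowed"
    else
        echo "implicit discovery: refused"
    fi
    echo "explicit --git-dir: is-bare=$(explicit_access "$repo")"
    rm -rf "$(dirname "$repo")"
else
    echo "git >= 2.38 not found; safe.bareRepository is not honoured" >&2
fi
```
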
1 file changed
tree: 952ef4c542e5ef711bb675e6d9c8949efa30ae6f
README.md

repo

Repo is a tool built on top of Git. Repo helps manage many Git repositories, does the uploads to revision control systems, and automates parts of the development workflow. Repo is not meant to replace Git, only to make it easier to work with Git. The repo command is an executable Python script that you can put anywhere in your path.

Contact

Please use the repo-discuss mailing list or issue tracker for questions.

You can file a new bug report under the “repo” component.

Please do not e-mail individual developers for support. They do not have the bandwidth for it, and oftentimes questions have already been asked on repo-discuss or bugs posted to the issue tracker. So please search those sites first.

Install

Many distros include repo, so you might be able to install from there.

# Debian/Ubuntu.
$ sudo apt-get install repo

# Gentoo.
$ sudo emerge dev-vcs/repo

You can also install it manually, as it's a single script.

$ mkdir -p ~/.bin
$ PATH="${HOME}/.bin:${PATH}"
$ curl https://storage.googleapis.com/git-repo-downloads/repo > ~/.bin/repo
$ chmod a+rx ~/.bin/repo