Git config setting safe.bareRepository=explicit can break dependency resolution #8068

valentary opened this issue Oct 23, 2024 · 6 comments · May be fixed by #8106
@valentary

Is it reproducible with SwiftPM command-line tools: swift build, swift test, swift package etc?

  • Confirmed reproduction steps with SwiftPM CLI. The description text must include reproduction steps with either of command-line SwiftPM commands, swift build, swift test, swift package etc.

Description

A recent software update from Sourcetree added or modified the safe.bareRepository=explicit configuration option to git.

This interferes with the package resolution; it seems to only involve our private packages on GitHub.

The packages refuse to resolve and we get an error saying it cannot fetch the revision (see below).

Expected behavior

% swift package resolve
Fetching [email protected]:<MyOrg>/<MyDependencyPackage>.git
Fetched [email protected]:<MyOrg>/<MyDependencyPackage>.git from cache (5.32s)
Creating working copy for [email protected]:<MyOrg>/<MyDependencyPackage>.git
Working copy of [email protected]:<MyOrg>/<MyDependencyPackage>.git resolved at <BranchName> (f96e2ec)

Actual behavior

% swift package resolve
Fetching [email protected]:<MyOrg>/<MyDependencyPackage>.git
Fetched [email protected]:<MyOrg>/<MyDependencyPackage>.git from cache (5.32s)
error: Couldn’t get revision ‘<A Commit Hash>^{commit}’:
    fatal: cannot use bare repository '/Users/<myuserdir>/Repos/Fixes/<MyPackage>/.build/repositories/<MyDependencyPackage>-ad20a496' (safe.bareRepository is 'explicit') in [email protected]:<MyOrg>/<MyDependencyPackage>.git

Steps to reproduce

A Package with a dependency to a private github repo
In the CLI

  1. git config --global --replace safe.bareRepository explicit
  2. swift package resolve

Swift Package Manager version/commit hash

Swift Package Manager - Swift 6.0.0-dev

Swift & OS version (output of swift --version ; uname -a)

swift-driver version: 1.115 Apple Swift version 6.0 (swiftlang-6.0.0.9.10 clang-1600.0.26.2)
Target: arm64-apple-macosx15.0
Darwin rlee-MacBook-Pro 24.0.0 Darwin Kernel Version 24.0.0: Tue Sep 24 23:37:36 PDT 2024; root:xnu-11215.1.12~1/RELEASE_ARM64_T6020 arm64
@valentary valentary added the bug label Oct 23, 2024
@valentary
Author

It seems it was an update in Sourcetree that caused the issue: https://jira.atlassian.com/browse/SRCTREEWIN-14483

@valentary
Author

But it's also default behaviour now in Git: git/git@e35f202

@paiv

paiv commented Nov 3, 2024

safe.bareRepository=explicit is hardening Git security. SPM should follow Git's guideline "by specifying GIT_DIR or --git-dir".

Sourcetree was eager to deliver this update, but is not the cause of the issue.

@Kyle-Ye
Contributor

Kyle-Ye commented Nov 7, 2024

safe.bareRepository=explicit is hardening Git security. SPM should follow Git's guideline "by specifying GIT_DIR or --git-dir".

Sourcetree was eager to deliver this update, but is not the cause of the issue.

+1.

  1. We should support the config in SwiftPM in a near future version of the toolchain.
  2. But also I believe Sourcetree should not globally add the config on the user's behalf.

@Kyle-Ye Kyle-Ye self-assigned this Nov 7, 2024
@valentary
Author

  1. But also I believe Sourcetree should not globally add the config on the user's behalf.

That may be true, it was unexpected and it did cause quite some confusion for us to track down the cause. But it looks like this will roll out by default in future versions of git.

@Kyle-Ye
Contributor

Kyle-Ye commented Nov 7, 2024

But it's also default behaviour now in Git: git/git@e35f202

No. Git added safe.bareRepository=explicit as an opt-in feature since 2.38.0. But I have not seen any indication that Git is going to make it the default behavior.
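
The failure reported in this issue and the remedy quoted in the thread (naming the repository with --git-dir or GIT_DIR), reproduced as an added example that is not part of the original thread or of SwiftPM's code. The temporary bare repository stands in for SwiftPM's .build/repositories cache, the function names are made up for the demo, and the setting is passed with -c so the global config stays untouched; it assumes Git 2.38 or later.

```shell
#!/bin/sh
# Constructed demo: a bare repository in a temp dir stands in for
# SwiftPM's .build/repositories/<name> cache. Assumes Git >= 2.38.

# Create a one-commit bare repo at $1/cache.git and print its path.
make_bare_cache() {
    git init -q "$1/work" &&
    git -C "$1/work" -c user.name=demo -c user.email=demo@example.invalid \
        -c commit.gpgsign=false commit -q --allow-empty -m init &&
    git clone -q --bare "$1/work" "$1/cache.git" &&
    printf '%s\n' "$1/cache.git"
}

# Failing pattern: change into the bare repo and let Git discover it.
resolve_by_discovery() {
    git -c safe.bareRepository=explicit -C "$1" \
        rev-parse --verify 'HEAD^{commit}'
}

# Hardened pattern: name the repository explicitly with --git-dir.
resolve_with_git_dir() {
    git -c safe.bareRepository=explicit --git-dir="$1" \
        rev-parse --verify 'HEAD^{commit}'
}

# Equivalent hardened pattern using the GIT_DIR environment variable.
resolve_with_env() {
    GIT_DIR="$1" git -c safe.bareRepository=explicit \
        rev-parse --verify 'HEAD^{commit}'
}

demo() {
    tmp=$(mktemp -d) || return 1
    repo=$(make_bare_cache "$tmp") || return 1
    if resolve_by_discovery "$repo" >/dev/null 2>"$tmp/err"; then
        echo "discovery: accepted (Git older than 2.38?)"
    else
        echo "discovery: rejected -> $(cat "$tmp/err")"
    fi
    echo "--git-dir: $(resolve_with_git_dir "$repo")"
    echo "GIT_DIR:   $(resolve_with_env "$repo")"
    rm -rf "$tmp"
}

demo
```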
