Anyone running into issues stemming from the new g...
# generale
eager-dress-66405
04/13/2022, 8:41 PMAnyone running into issues stemming from the new git security patch?
eager-dress-66405
04/13/2022, 8:42 PMStill debugging, but what I'm seeing:
My GHA workflow:
Copy code
# HACK to get around new git requirement that files be owned by $USER
# <https://github.blog/2022-04-12-git-security-vulnerability-announced/>
- run: git config --global --add safe.directory /__w/color/color
- name: Checkout repo
uses: actions/checkout@v3
with:
fetch-depth: 1
- run: |
git --version
./pants --version
./pants --changed-since=master list Copy code
git version 2.25.1
Bootstrapping Pants using /usr/local/bin/python3.8
Creating the virtualenv PEX.
Downloading the Pex PEX.
SHA256 fingerprint of <https://github.com/pantsbuild/pex/releases/download/v2.1.62/pex> verified.
Installing pantsbuild.pants==2.10.0 into a virtual environment at /github/home/.cache/pants/setup/bootstrap-Linux-x86_64/2.10.0_py38
New virtual environment successfully created at /github/home/.cache/pants/setup/bootstrap-Linux-x86_64/2.10.0_py38.
20:37:58.64 [INFO] Starting: Resolving plugins: toolchain.pants.plugin==0.17.0
20:38:05.36 [INFO] Completed: Resolving plugins: toolchain.pants.plugin==0.17.0
20:38:05.84 [INFO] [auth-plugin] Successfully loaded Toolchain token from env var 'TOOLCHAIN_AUTH_TOKEN', expiration: 2022-05-30T19:12:51+00:00.
20:38:05.92 [INFO] Initializing scheduler...
20:38:06.01 [INFO] Scheduler initialized.
20:38:06.08 [INFO] [rules] Successfully loaded Toolchain token from env var 'TOOLCHAIN_AUTH_TOKEN', expiration: 2022-05-30T19:12:51+00:00.
2.10.0
20:38:06.10 [INFO] No git repository at /__w/color/color: GitException("fatal: unsafe repository ('/__w/color/color' is owned by someone else)\nTo add an exception for this directory, call:\n\n\tgit config --global --add safe.directory /__w/color/color\n")
20:38:06.10 [WARN] Can't get git scm info
20:38:06.14 [WARN] Can't get git scm info
Error: 7.42 [ERROR] The `--changed-*` options are only available if Git is used for the repository.
Traceback (most recent call last):
File "/github/home/.cache/pants/setup/bootstrap-Linux-x86_64/2.10.0_py38/lib/python3.8/site-packages/pants/bin/daemon_pants_runner.py", line 131, in single_daemonized_run
runner = LocalPantsRunner.create(
File "/github/home/.cache/pants/setup/bootstrap-Linux-x86_64/2.10.0_py38/lib/python3.8/site-packages/pants/bin/local_pants_runner.py", line 156, in create
specs = calculate_specs(
File "/github/home/.cache/pants/setup/bootstrap-Linux-x86_64/2.10.0_py38/lib/python3.8/site-packages/pants/init/specs_calculator.py", line 57, in calculate_specs
raise InvalidSpecConstraint(
pants.init.specs_calculator.InvalidSpecConstraint: The `--changed-*` options are only available if Git is used for the repository.
Use -ldebug for more logs.
See <https://www.pantsbuild.org/v2.10/docs/troubleshooting> for common issues.
Consider reaching out for help: <https://www.pantsbuild.org/v2.10/docs/getting-help>
Error: Process completed with exit code 1.eager-dress-66405
04/13/2022, 8:42 PM@loud-laptop-17949 @sparse-lifeguard-95737
e
enough-analyst-54434
04/13/2022, 8:59 PMgit version 2.25.1That's old. The patch is in 2.35.2: https://github.blog/2022-04-12-git-security-vulnerability-announced/
enough-analyst-54434
04/13/2022, 9:00 PMSo I'm pretty sure the security patch to Git is a red herring here.
e
eager-dress-66405
04/13/2022, 9:02 PMYea. Somehow still related to the
git config --global --add safe.directory /__w/color/coloreager-dress-66405
04/14/2022, 10:01 PMTurns out it was actually a permission/file ownership issue. A chown made pants recognize the repo as a repo again 🤷
👀 1
e
enough-analyst-54434
04/14/2022, 11:00 PMI thought that was the whole point of the CVE. Old Git code didn't care about perms as it walked up the dir chain looking for configs, new code does and stops the search? as soon as perms change in the walk.