#general

eager-dress-66405

04/13/2022, 8:41 PM
Anyone running into issues stemming from the new git security patch?
Still debugging, but what I'm seeing: My GHA workflow:
      # HACK to get around new git requirement that files be owned by $USER
      # <https://github.blog/2022-04-12-git-security-vulnerability-announced/>
      - run: git config --global --add safe.directory /__w/color/color

      - name: Checkout repo
        uses: actions/checkout@v3
        with:
          fetch-depth: 1

      - run: |
          git --version
          ./pants --version
          ./pants --changed-since=master list
Output:
git version 2.25.1
Bootstrapping Pants using /usr/local/bin/python3.8
Creating the virtualenv PEX.
Downloading the Pex PEX.
SHA256 fingerprint of <https://github.com/pantsbuild/pex/releases/download/v2.1.62/pex> verified.
Installing pantsbuild.pants==2.10.0 into a virtual environment at /github/home/.cache/pants/setup/bootstrap-Linux-x86_64/2.10.0_py38
New virtual environment successfully created at /github/home/.cache/pants/setup/bootstrap-Linux-x86_64/2.10.0_py38.
20:37:58.64 [INFO] Starting: Resolving plugins: toolchain.pants.plugin==0.17.0
20:38:05.36 [INFO] Completed: Resolving plugins: toolchain.pants.plugin==0.17.0
20:38:05.84 [INFO] [auth-plugin] Successfully loaded Toolchain token from env var 'TOOLCHAIN_AUTH_TOKEN', expiration: 2022-05-30T19:12:51+00:00.
20:38:05.92 [INFO] Initializing scheduler...
20:38:06.01 [INFO] Scheduler initialized.
20:38:06.08 [INFO] [rules] Successfully loaded Toolchain token from env var 'TOOLCHAIN_AUTH_TOKEN', expiration: 2022-05-30T19:12:51+00:00.
2.10.0
20:38:06.10 [INFO] No git repository at /__w/color/color: GitException("fatal: unsafe repository ('/__w/color/color' is owned by someone else)\nTo add an exception for this directory, call:\n\n\tgit config --global --add safe.directory /__w/color/color\n")
20:38:06.10 [WARN] Can't get git scm info
20:38:06.14 [WARN] Can't get git scm info
Error: 7.42 [ERROR] The `--changed-*` options are only available if Git is used for the repository.
Traceback (most recent call last):
  File "/github/home/.cache/pants/setup/bootstrap-Linux-x86_64/2.10.0_py38/lib/python3.8/site-packages/pants/bin/daemon_pants_runner.py", line 131, in single_daemonized_run
    runner = LocalPantsRunner.create(
  File "/github/home/.cache/pants/setup/bootstrap-Linux-x86_64/2.10.0_py38/lib/python3.8/site-packages/pants/bin/local_pants_runner.py", line 156, in create
    specs = calculate_specs(
  File "/github/home/.cache/pants/setup/bootstrap-Linux-x86_64/2.10.0_py38/lib/python3.8/site-packages/pants/init/specs_calculator.py", line 57, in calculate_specs
    raise InvalidSpecConstraint(
pants.init.specs_calculator.InvalidSpecConstraint: The `--changed-*` options are only available if Git is used for the repository.

Use -ldebug for more logs. 
See <https://www.pantsbuild.org/v2.10/docs/troubleshooting> for common issues.
Consider reaching out for help: <https://www.pantsbuild.org/v2.10/docs/getting-help>

Error: Process completed with exit code 1.
@loud-laptop-17949 @sparse-lifeguard-95737

enough-analyst-54434

04/13/2022, 8:59 PM
git version 2.25.1
That's old. The patch is in 2.35.2: https://github.blog/2022-04-12-git-security-vulnerability-announced/
So I'm pretty sure the security patch to Git is a red herring here.

eager-dress-66405

04/13/2022, 9:02 PM
Yea. Somehow still related to the
git config --global --add safe.directory /__w/color/color
fix, but not clear exactly how/why. Will update once we iron it out.
Turns out it was actually a permission/file ownership issue. A chown made pants recognize the repo as a repo again 🤷

enough-analyst-54434

04/14/2022, 11:00 PM
I thought that was the whole point of the CVE. Old Git code didn't care about perms as it walked up the dir chain looking for configs, new code does and stops the search? as soon as perms change in the walk.