Source: fdroidserver
Version: 2.1.1-2
Severity: serious
X-Debbugs-CC: g...@packages.debian.org
Tags: sid bookworm
User: debian...@lists.debian.org
Usertags: needs-update
Control: affects -1 src:git

Dear maintainer(s),

With a recent upload of git the autopkgtest of fdroidserver fails in testing when that autopkgtest is run with the binary packages of git from unstable. It passes when run with only packages from testing. In tabular form:

                       pass            fail
git                    from testing    1:2.38.1-1
fdroidserver           from testing    2.1.1-2
all others             from testing    from testing

I copied some of the output at the bottom of this report. This is due to """
    * Addresses the security issue CVE-2022-39253: cloning an
      attacker-controlled local repository could store arbitrary files
      in the ".git" directory of the destination repository.
"""

This has a nice write up:
https://vielmetti.typepad.com/logbook/2022/10/git-security-fixes-lead-to-fatal-transport-file-not-allowed-error-in-ci-systems-cve-2022-39253.html

Currently this regression is blocking the migration of git to testing [1]. Of course, git shouldn't just break your autopkgtest (or even worse, your package), but it seems to me that the change in git was intended and your package needs to update to the new situation.

If this is a real problem in your package (and not only in your autopkgtest), the right binary package(s) from git should really add a versioned Breaks on the unfixed version of (one of your) package(s). Note: the Breaks is nice even if the issue is only in the autopkgtest as it helps the migration software to figure out the right versions to combine in the tests.

More information about this bug and the reason for filing it can be found on
https://wiki.debian.org/ContinuousIntegration/RegressionEmailInformation

Paul

[0] You can see what packages were added from the second line of the log file quoted below. The migration software adds source packages from unstable to the list if they are needed to install packages from git/1:2.38.1-1, i.e. due to versioned dependencies or breaks/conflicts.
[1] https://qa.debian.org/excuses.php?package=git

https://ci.debian.net/data/autopkgtest/testing/amd64/f/fdroidserver/28075853/log.gz

==============================================================================
Test recovering from from broken git submodules
++ create_test_dir
++ test -e /tmp/autopkgtest-lxc.7wnh4imd/downtmp/build.qNQ/src/.testfiles
++ mktemp -d /tmp/autopkgtest-lxc.7wnh4imd/downtmp/build.qNQ/src/.testfiles/run-tests.XXXX
+ ROOT=/tmp/autopkgtest-lxc.7wnh4imd/downtmp/build.qNQ/src/.testfiles/run-tests.FZCB
+ cd /tmp/autopkgtest-lxc.7wnh4imd/downtmp/build.qNQ/src/.testfiles/run-tests.FZCB
+ mkdir foo bar
+ cd foo
+ env HOME= 'GIT_AUTHOR_NAME='\''Test'\''' 'GIT_AUTHOR_EMAIL='\''no@mail'\''' 'GIT_COMMITTER_NAME='\''Test'\''' 'GIT_COMMITTER_EMAIL='\''no@mail'\''' git init
hint: Using 'master' as the name for the initial branch. This default branch name
hint: is subject to change. To configure the initial branch name to use in all
hint: of your new repositories, which will suppress this warning, call:
hint:
hint:     git config --global init.defaultBranch <name>
hint:
hint: Names commonly chosen instead of 'master' are 'main', 'trunk' and
hint: 'development'. The just-created branch can be renamed via this command:
hint:
hint:     git branch -m <name>
Initialized empty Git repository in /tmp/autopkgtest-lxc.7wnh4imd/downtmp/build.qNQ/src/.testfiles/run-tests.FZCB/foo/.git/
+ echo a
+ env HOME= 'GIT_AUTHOR_NAME='\''Test'\''' 'GIT_AUTHOR_EMAIL='\''no@mail'\''' 'GIT_COMMITTER_NAME='\''Test'\''' 'GIT_COMMITTER_EMAIL='\''no@mail'\''' git add a
+ env HOME= 'GIT_AUTHOR_NAME='\''Test'\''' 'GIT_AUTHOR_EMAIL='\''no@mail'\''' 'GIT_COMMITTER_NAME='\''Test'\''' 'GIT_COMMITTER_EMAIL='\''no@mail'\''' git commit -m a
[master (root-commit) a0c70da] a
 1 file changed, 1 insertion(+)
 create mode 100644 a
+ cd ../bar
+ env HOME= 'GIT_AUTHOR_NAME='\''Test'\''' 'GIT_AUTHOR_EMAIL='\''no@mail'\''' 'GIT_COMMITTER_NAME='\''Test'\''' 'GIT_COMMITTER_EMAIL='\''no@mail'\''' git init
hint: Using 'master' as the name for the initial branch. This default branch name
hint: is subject to change. To configure the initial branch name to use in all
hint: of your new repositories, which will suppress this warning, call:
hint:
hint:     git config --global init.defaultBranch <name>
hint:
hint: Names commonly chosen instead of 'master' are 'main', 'trunk' and
hint: 'development'. The just-created branch can be renamed via this command:
hint:
hint:     git branch -m <name>
Initialized empty Git repository in /tmp/autopkgtest-lxc.7wnh4imd/downtmp/build.qNQ/src/.testfiles/run-tests.FZCB/bar/.git/
++ pwd
+ env HOME= 'GIT_AUTHOR_NAME='\''Test'\''' 'GIT_AUTHOR_EMAIL='\''no@mail'\''' 'GIT_COMMITTER_NAME='\''Test'\''' 'GIT_COMMITTER_EMAIL='\''no@mail'\''' git submodule add file:///tmp/autopkgtest-lxc.7wnh4imd/downtmp/build.qNQ/src/.testfiles/run-tests.FZCB/bar/../foo baz
Cloning into '/tmp/autopkgtest-lxc.7wnh4imd/downtmp/build.qNQ/src/.testfiles/run-tests.FZCB/bar/baz'...
fatal: transport 'file' not allowed
fatal: clone of 'file:///tmp/autopkgtest-lxc.7wnh4imd/downtmp/build.qNQ/src/.testfiles/run-tests.FZCB/bar/../foo' into submodule path '/tmp/autopkgtest-lxc.7wnh4imd/downtmp/build.qNQ/src/.testfiles/run-tests.FZCB/bar/baz' failed
autopkgtest [14:23:46]: test command1
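The setup the failing test performs, as an added example that is not part of the bug report or of fdroidserver's test suite: it builds the same two local repositories, probes whether the installed git refuses the file:// submodule clone by default, and shows the per-command opt-in for a fixture the test created itself instead of relaxing the default globally. It assumes git is on PATH and that the protocol.file.allow setting (introduced with the CVE-2022-39253 fix in git 2.38.1) is what governs the refusal; the commit identity values are constructed to match the log.

```shell
#!/bin/sh
# Added example (not from the bug report or fdroidserver): reproduce the
# file:// submodule fixture from the failing test and the narrow opt-in.
set -eu

# Commit identity, constructed to mirror the env used in the test log.
export GIT_AUTHOR_NAME=Test GIT_AUTHOR_EMAIL=no@mail
export GIT_COMMITTER_NAME=Test GIT_COMMITTER_EMAIL=no@mail

# Create superproject "bar" and future submodule "foo" under a fresh temp
# dir, with one commit in "foo". Prints the temp dir for the caller.
make_fixture() {
    root=$(mktemp -d)
    mkdir "$root/foo" "$root/bar"
    git -C "$root/foo" init -q 2>/dev/null
    echo a > "$root/foo/a"
    git -C "$root/foo" add a
    git -C "$root/foo" commit -q -m a
    git -C "$root/bar" init -q 2>/dev/null
    echo "$root"
}

# Returns 0 when this git honours the new default and refuses a file://
# submodule clone (the 'transport 'file' not allowed' failure above),
# 1 when it still permits it. Uses a throwaway path; config is untouched.
file_transport_blocked() {
    root=$1
    if git -C "$root/bar" submodule add "file://$root/foo" probe \
            >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# The fix for a test cloning a fixture it built itself: allow the file
# transport for this one command only (assumed setting: protocol.file.allow),
# never via --global, so untrusted repositories keep the hardened default.
# Prints the URL recorded in .gitmodules, which later updates will clone.
add_local_submodule() {
    root=$1
    git -C "$root/bar" -c protocol.file.allow=always \
        submodule add "file://$root/foo" baz >/dev/null 2>&1
    git -C "$root/bar" config -f .gitmodules submodule.baz.url
}
```

Run file_transport_blocked on a throwaway fixture to learn which behaviour the host git has; on git 2.38.1 and later it returns 0, and only add_local_submodule succeeds.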
