Bug#1023803: marked as done (git-evtag: autopkgtest needs update for new version of git: transport 'file' not allowed)

[Debian Bug Tracking System]

Your message dated Sat, 12 Nov 2022 18:04:05 +0000
with message-id <e1oturn-001ing...@fasolo.debian.org>
and subject line Bug#1023803: fixed in git-evtag 2016.1+git20221112-1
has caused the Debian Bug report #1023803,
regarding git-evtag: autopkgtest needs update for new version of git: transport 
'file' not allowed
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1023803: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1023803
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---

Source: git-evtag
Version: 2016.1-2
Severity: serious
X-Debbugs-CC: g...@packages.debian.org
Tags: sid bookworm
User: debian...@lists.debian.org
Usertags: needs-update
Control: affects -1 src:git

Dear maintainer(s),



                       pass            fail
git                    from testing    1:2.38.1-1
git-evtag              from testing    2016.1-2
all others             from testing    from testing

I copied some of the output at the bottom of this report. This is due to """
    * Addresses the security issue CVE-2022-39253: cloning an
      attacker-controlled local repository could store arbitrary files
      in the ".git" directory of the destination repository.
"""

This has a nice write up:
https://vielmetti.typepad.com/logbook/2022/10/git-security-fixes-lead-to-fatal-transport-file-not-allowed-error-in-ci-systems-cve-2022-39253.html





More information about this bug and the reason for filing it can be found on
https://wiki.debian.org/ContinuousIntegration/RegressionEmailInformation

Paul

[1] https://qa.debian.org/excuses.php?package=git

https://ci.debian.net/data/autopkgtest/testing/amd64/g/git-evtag/28079227/log.gz

Running test: git-evtag/test-basic.test
+ set -o pipefail
+ echo 1..6
1..6
++ dirname /usr/libexec/git-evtag/installed-tests/test-basic.sh
+ . /usr/libexec/git-evtag/installed-tests/libtest.sh
+++ dirname /usr/libexec/git-evtag/installed-tests/test-basic.sh
++ SRCDIR=/usr/libexec/git-evtag/installed-tests
+++ pwd
++ test_tmpdir=/tmp/test-tmp-git-evtag_test-basic.test-2FD4U1
++ export G_DEBUG=fatal-warnings
++ G_DEBUG=fatal-warnings
++ export TEST_GPG_KEYID_1=472CDAFA
++ TEST_GPG_KEYID_1=472CDAFA
++ export TEST_GPG_KEYID_2=CA950D41
++ TEST_GPG_KEYID_2=CA950D41
++ export TEST_GPG_KEYID_3=DF444D67
++ TEST_GPG_KEYID_3=DF444D67
++ export 'GIT_AUTHOR_NAME=Colin Walters'
++ GIT_AUTHOR_NAME='Colin Walters'
++ export GIT_AUTHOR_EMAIL=walt...@verbum.org
++ GIT_AUTHOR_EMAIL=walt...@verbum.org
++ export 'GIT_COMMITTER_NAME=Colin Walters'
++ GIT_COMMITTER_NAME='Colin Walters'
++ export GIT_COMMITTER_EMAIL=walt...@verbum.org
++ GIT_COMMITTER_EMAIL=walt...@verbum.org

++ chmod 0700 /tmp/test-tmp-git-evtag_test-basic.test-2FD4U1/gpghome
++ export GNUPGHOME=/tmp/test-tmp-git-evtag_test-basic.test-2FD4U1/gpghome
++ GNUPGHOME=/tmp/test-tmp-git-evtag_test-basic.test-2FD4U1/gpghome
++ test -n ''
+ setup_test_repository
++ pwd
+ oldpwd=/tmp/test-tmp-git-evtag_test-basic.test-2FD4U1
+ cd /tmp/test-tmp-git-evtag_test-basic.test-2FD4U1
+ mkdir coolproject
+ cd coolproject
+ git init

hint: of your new repositories, which will suppress this warning, call:
hint: hint:     git config --global init.defaultBranch <name>

hint: hint:     git branch -m <name>

+ gitcommit_reset_time
+ TSCOUNTER=1436222301
+ echo 'So cool!'
+ git add .
+ gitcommit_inctime -a -m 'Initial commit'
+ TSCOUNTER=1436222302
+ TSV='1436222302 +0000'

[master (root-commit) a83a4b8] Initial commit
 1 file changed, 1 insertion(+)
 create mode 100644 README.md
+ mkdir src
+ echo 'printf("hello world")'
+ git add .
+ gitcommit_inctime -a -m 'Add C source'
+ TSCOUNTER=1436222303
+ TSV='1436222303 +0000'

[master 91df757] Add C source
 1 file changed, 1 insertion(+)
 create mode 100644 src/cool.c
+ cd /tmp/test-tmp-git-evtag_test-basic.test-2FD4U1
+ mkdir -p repos/coolproject
+ cd repos/coolproject
+ git init --bare

hint: of your new repositories, which will suppress this warning, call:
hint: hint:     git config --global init.defaultBranch <name>

hint: hint:     git branch -m <name>

+ cd /tmp/test-tmp-git-evtag_test-basic.test-2FD4U1/coolproject

+ git push --set-upstream origin master
To file:///tmp/test-tmp-git-evtag_test-basic.test-2FD4U1/repos/coolproject
 * [new branch]      master -> master
branch 'master' set up to track 'origin/master'.
+ cd /tmp/test-tmp-git-evtag_test-basic.test-2FD4U1
+ mkdir subproject
+ cd subproject
+ git init

hint: of your new repositories, which will suppress this warning, call:
hint: hint:     git config --global init.defaultBranch <name>

hint: hint:     git branch -m <name>

+ echo 'this is libsub.c'
+ echo 'An example submodule'
+ git add .
+ gitcommit_inctime -a -m init
+ TSCOUNTER=1436222304
+ TSV='1436222304 +0000'

[master (root-commit) 1139963] init
 2 files changed, 2 insertions(+)
 create mode 100644 README.md
 create mode 100644 libsub.c
+ mkdir src
+ mv libsub.c src
+ echo 'an update to libsub.c, now in src/'
+ gitcommit_inctime -a -m 'an update'
+ TSCOUNTER=1436222305
+ TSV='1436222305 +0000'

[master daa4f15] an update
 1 file changed, 1 deletion(-)
 delete mode 100644 libsub.c
+ cd /tmp/test-tmp-git-evtag_test-basic.test-2FD4U1
+ mkdir -p repos/subproject
+ cd repos/subproject
+ git init --bare

hint: of your new repositories, which will suppress this warning, call:
hint: hint:     git config --global init.defaultBranch <name>

hint: hint:     git branch -m <name>

+ cd /tmp/test-tmp-git-evtag_test-basic.test-2FD4U1/subproject

+ git push --set-upstream origin master
To file:///tmp/test-tmp-git-evtag_test-basic.test-2FD4U1/repos/subproject
 * [new branch]      master -> master
branch 'master' set up to track 'origin/master'.
+ cd /tmp/test-tmp-git-evtag_test-basic.test-2FD4U1/coolproject
+ git submodule add ../subproject subproject

fatal: transport 'file' not allowed

FAIL: git-evtag/test-basic.test (Child process exited with code 128)

FAIL: git-evtag/test-basic.test (Child process exited with code 128)
autopkgtest [20:14:53]: test installed-tests

With a recent upload of git the autopkgtest of git-evtag fails in testing when that autopkgtest is run with the binary packages of git from unstable. It passes when run with only packages from testing. In tabular form: Currently this regression is blocking the migration of git to testing [1]. Of course, git shouldn't just break your autopkgtest (or even worse, your package), but it seems to me that the change in git was intended and your package needs to update to the new situation. If this is a real problem in your package (and not only in your autopkgtest), the right binary package(s) from git should really add a versioned Breaks on the unfixed version of (one of your) package(s). Note: the Breaks is nice even if the issue is only in the autopkgtest as it helps the migration software to figure out the right versions to combine in the tests. ++ cp -a /usr/libexec/git-evtag/installed-tests/gpghome /tmp/test-tmp-git-evtag_test-basic.test-2FD4U1 hint: Using 'master' as the name for the initial branch. This default branch name hint: is subject to change. To configure the initial branch name to use in all hint: hint: Names commonly chosen instead of 'master' are 'main', 'trunk' and hint: 'development'. The just-created branch can be renamed via this command: Initialized empty Git repository in /tmp/test-tmp-git-evtag_test-basic.test-2FD4U1/coolproject/.git/ + env 'GIT_AUTHOR_DATE=1436222302 +0000' 'GIT_COMMITTER_DATE=1436222302 +0000' git commit -a -m 'Initial commit' + env 'GIT_AUTHOR_DATE=1436222303 +0000' 'GIT_COMMITTER_DATE=1436222303 +0000' git commit -a -m 'Add C source' hint: Using 'master' as the name for the initial branch. This default branch name hint: is subject to change. To configure the initial branch name to use in all hint: hint: Names commonly chosen instead of 'master' are 'main', 'trunk' and hint: 'development'. The just-created branch can be renamed via this command: Initialized empty Git repository in /tmp/test-tmp-git-evtag_test-basic.test-2FD4U1/repos/coolproject/ + git remote add origin file:///tmp/test-tmp-git-evtag_test-basic.test-2FD4U1/repos/coolproject hint: Using 'master' as the name for the initial branch. This default branch name hint: is subject to change. To configure the initial branch name to use in all hint: hint: Names commonly chosen instead of 'master' are 'main', 'trunk' and hint: 'development'. The just-created branch can be renamed via this command: Initialized empty Git repository in /tmp/test-tmp-git-evtag_test-basic.test-2FD4U1/subproject/.git/ + env 'GIT_AUTHOR_DATE=1436222304 +0000' 'GIT_COMMITTER_DATE=1436222304 +0000' git commit -a -m init + env 'GIT_AUTHOR_DATE=1436222305 +0000' 'GIT_COMMITTER_DATE=1436222305 +0000' git commit -a -m 'an update' hint: Using 'master' as the name for the initial branch. This default branch name hint: is subject to change. To configure the initial branch name to use in all hint: hint: Names commonly chosen instead of 'master' are 'main', 'trunk' and hint: 'development'. The just-created branch can be renamed via this command: Initialized empty Git repository in /tmp/test-tmp-git-evtag_test-basic.test-2FD4U1/repos/subproject/ + git remote add origin file:///tmp/test-tmp-git-evtag_test-basic.test-2FD4U1/repos/subproject Cloning into '/tmp/test-tmp-git-evtag_test-basic.test-2FD4U1/coolproject/subproject'... fatal: clone of 'file:///tmp/test-tmp-git-evtag_test-basic.test-2FD4U1/repos/subproject' into submodule path '/tmp/test-tmp-git-evtag_test-basic.test-2FD4U1/coolproject/subproject' failed SUMMARY: total=1; passed=0; skipped=0; failed=1; user=0.1s; system=0.1s; maxrss=6544

OpenPGP_signature
Description: OpenPGP digital signature

--- End Message ---

--- Begin Message ---

Source: git-evtag
Source-Version: 2016.1+git20221112-1
Done: Simon McVittie <s...@debian.org>

We believe that the bug you reported is fixed in the latest version of
git-evtag, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1023...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Simon McVittie <s...@debian.org> (supplier of updated git-evtag package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 12 Nov 2022 17:23:24 +0000
Source: git-evtag
Architecture: source
Version: 2016.1+git20221112-1
Distribution: unstable
Urgency: medium
Maintainer: Simon McVittie <s...@debian.org>
Changed-By: Simon McVittie <s...@debian.org>
Closes: 1023803
Changes:
 git-evtag (2016.1+git20221112-1) unstable; urgency=medium
 .
   * New upstream git snapshot
     - Fixes test failures with newer versions of git (Closes: #1023803)
   * Remove patches, applied upstream
   * d/copyright: Update
   * d/watch: Remove +git suffix if necessary
   * Standards-Version: 4.6.1 (no changes required)
Checksums-Sha1:
 9267346cac861061169ff4f7943be24d0e57f19b 2420 
git-evtag_2016.1+git20221112-1.dsc
 0487b33cf2ee101a2f4903f3f6d2c417a78ed514 53471 
git-evtag_2016.1+git20221112.orig.tar.gz
 68b41dedc89a6daa2aac63ffdfe61983360cb25b 3544 
git-evtag_2016.1+git20221112-1.debian.tar.xz
 5f899d4dea9607bac38ad3f6cdc6534bcf3ba35e 8471 
git-evtag_2016.1+git20221112-1_source.buildinfo
Checksums-Sha256:
 9d8540ce02f1f5cc0a358dfb7eecf61b4b5506947b157165b3e8af472174b0c8 2420 
git-evtag_2016.1+git20221112-1.dsc
 97f143ed53f250eb653659e25c296bd2590cd6fcb84d8a24a11888dd17ff7997 53471 
git-evtag_2016.1+git20221112.orig.tar.gz
 129eef9748be1ee236f1e2d6e5f4810b7675fee998ef8287d7d67573ecafffec 3544 
git-evtag_2016.1+git20221112-1.debian.tar.xz
 45c26aef2e3e1771cc123ac1bf543b6264cc798712742e8e22acc73e43158ccf 8471 
git-evtag_2016.1+git20221112-1_source.buildinfo
Files:
 251caf9e1b1f34638695ab5d1feebd04 2420 devel optional 
git-evtag_2016.1+git20221112-1.dsc
 6b3c2509687fb3affc3ab4e5d5d19bf3 53471 devel optional 
git-evtag_2016.1+git20221112.orig.tar.gz
 055d6436cea76e0a433c48a6d305cf02 3544 devel optional 
git-evtag_2016.1+git20221112-1.debian.tar.xz
 e6a1b5b4dcfcc54145c89bf5c2984cc6 8471 devel optional 
git-evtag_2016.1+git20221112-1_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEENuxaZEik9e95vv6Y4FrhR4+BTE8FAmNv39gACgkQ4FrhR4+B
TE/O9xAAm8fAXTrlQmc9E9HEe6NLsf/qMqE7dXpzE5Cjoa7OIfelXH7CsoFN3/af
2Q1muQBqpITuZMkUQMq9TJB+Ob/anDpLuZbEvWEMY/OHosXCBWgAKu9iNMV0IcfM
Ryo+X7Cq76bE6rC3+IiqTtKNmfvYEMenWv9eaDHEn+uZWXwsJRRcStPE7BJGaTQz
Mp+eauaVtXBoDHCzoV0dRc2O059Z2bpy01Gg2LfA/3wwRChxK+8J+wNKWWz/so+0
RddQniQicAIfrBEGZUgkoCSDTWwBmnSV4h+uVZhLmoU7yIlLy4jz+FYw5ohgV9vu
mzETpGIUYD04STNRNFgX6mFJ5r0YWhLIGhSUhpc8/30Xp8TjMntnkCS9TQ4QxSOi
yPZrcz9QY7FwejM8pynyCvdKfTR64S2R32E/eV9wucWGOK9qbQW3jsABMXMFDHd4
7SFqe1WTyV54rdexCPkla0jTsYqrpe9GJ6RoOTdY+zEmkghxmcR27qpKCs7VA+m+
be4k4sLagmNi+ojx6MIgaP01a/7ZCwgF7ua9Nd4Nl0BJxOXjQvxES5FnmszQNfAF
P4qoCgekMOVf3QYgDOjSlrys61Y3njqjQric8S43uT25bJWbaEcBmhYyQe35lTAo
OXTXnwDQXWMzzllRMhmU1Rd9uh27qp8dwhXtCQzeBE77qmBYAQQ=
=sNUD
-----END PGP SIGNATURE-----

--- End Message ---