Your message dated Tue, 20 Dec 2022 20:39:52 +0000
with message-id <e1p7joy-005zlz...@fasolo.debian.org>
and subject line Bug#1023801: fixed in check-manifest 0.49-1
has caused the Debian Bug report #1023801,
regarding check-manifest: autopkgtest needs update for new version of git: 
transport 'file' not allowed
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1023801: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1023801
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: check-manifest
Version: 0.46-2
Severity: serious
X-Debbugs-CC: g...@packages.debian.org
Tags: sid bookworm
User: debian...@lists.debian.org
Usertags: needs-update
Control: affects -1 src:git

Dear maintainer(s),

With a recent upload of git the autopkgtest of check-manifest fails in testing when that autopkgtest is run with the binary packages of git from unstable. It passes when run with only packages from testing. In tabular form:

                       pass            fail
git                    from testing    1:2.38.1-1
check-manifest         from testing    0.46-2
all others             from testing    from testing

I copied some of the output at the bottom of this report. This is due to """
    * Addresses the security issue CVE-2022-39253: cloning an
      attacker-controlled local repository could store arbitrary files
      in the ".git" directory of the destination repository.
"""

This has a nice write up:
https://vielmetti.typepad.com/logbook/2022/10/git-security-fixes-lead-to-fatal-transport-file-not-allowed-error-in-ci-systems-cve-2022-39253.html

Currently this regression is blocking the migration of git to testing [1]. Of course, git shouldn't just break your autopkgtest (or even worse, your package), but it seems to me that the change in git was intended and your package needs to update to the new situation.

If this is a real problem in your package (and not only in your autopkgtest), the right binary package(s) from git should really add a versioned Breaks on the unfixed version of (one of your) package(s). Note: the Breaks is nice even if the issue is only in the autopkgtest as it helps the migration software to figure out the right versions to combine in the tests.

More information about this bug and the reason for filing it can be found on
https://wiki.debian.org/ContinuousIntegration/RegressionEmailInformation

Paul

[1] https://qa.debian.org/excuses.php?package=git

https://ci.debian.net/data/autopkgtest/testing/amd64/c/check-manifest/28079226/log.gz

=================================== FAILURES ===================================
_____________ TestGit.test_get_versioned_files_with_git_submodules _____________

self = <tests.TestGit testMethod=test_get_versioned_files_with_git_submodules>

    def test_get_versioned_files_with_git_submodules(self):
        from check_manifest import get_vcs_files
        self._init_repo_with_files('repo1', ['file1', 'file2'])
        self._init_repo_with_files('repo2', ['file3'])
        self._init_repo_with_files('repo3', ['file4'])
        self._add_submodule('repo2', 'sub3', '../repo3')

tests.py:1094:
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
tests.py:1074: in _add_submodule
    self.vcs._run('git', 'submodule', 'add', subrepo, subdir)
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
self = <tests.GitHelper object at 0x7f8258761a20>
command = ('git', 'submodule', 'add', '../repo3', 'sub3')
p = <Popen: returncode: 128 args: ('git', 'submodule', 'add', '../repo3', 'sub3')>
stdout = b"Cloning into '/tmp/test-62xpxof5-check-manifest/repo2/sub3'...\nfatal: transport 'file' not allowed\nfatal: clone of '/tmp/test-62xpxof5-check-manifest/repo3' into submodule path '/tmp/test-62xpxof5-check-manifest/repo2/sub3' failed\n"
stderr = None

    def _run(self, *command):
        # Windows doesn't like Unicode arguments to subprocess.Popen(), on Py2:
        # https://github.com/mgedmin/check-manifest/issues/23#issuecomment-33933031
        if str is bytes:
            command = [s.encode(locale.getpreferredencoding()) for s in command]
        print('$', ' '.join(command))
        p = subprocess.Popen(command, stdout=subprocess.PIPE,
                             stderr=subprocess.STDOUT)
        stdout, stderr = p.communicate()
        rc = p.wait()
        if stdout:
            print(
                stdout if isinstance(stdout, str) else
                stdout.decode('ascii', 'backslashreplace')
            )
        if rc:
            raise subprocess.CalledProcessError(rc, command[0], output=stdout)
E subprocess.CalledProcessError: Command 'git' returned non-zero exit status 128.

tests.py:949: CalledProcessError
----------------------------- Captured stdout call -----------------------------
$ git init
hint: Using 'master' as the name for the initial branch. This default branch name
hint: is subject to change. To configure the initial branch name to use in all
hint: of your new repositories, which will suppress this warning, call:
hint:
hint:     git config --global init.defaultBranch <name>
hint:
hint: Names commonly chosen instead of 'master' are 'main', 'trunk' and
hint: 'development'. The just-created branch can be renamed via this command:
hint:
hint:     git branch -m <name>
Initialized empty Git repository in /tmp/test-62xpxof5-check-manifest/repo1/.git/

$ git config user.name Unit Test
$ git config user.email t...@example.com
$ git add --force -- file1 file2
$ git commit -m Initial
[master (root-commit) bbd8b65] Initial
 2 files changed, 0 insertions(+), 0 deletions(-)
 create mode 100644 file1
 create mode 100644 file2

$ git init
hint: Using 'master' as the name for the initial branch. This default branch name
hint: is subject to change. To configure the initial branch name to use in all
hint: of your new repositories, which will suppress this warning, call:
hint:
hint:     git config --global init.defaultBranch <name>
hint:
hint: Names commonly chosen instead of 'master' are 'main', 'trunk' and
hint: 'development'. The just-created branch can be renamed via this command:
hint:
hint:     git branch -m <name>
Initialized empty Git repository in /tmp/test-62xpxof5-check-manifest/repo2/.git/

$ git config user.name Unit Test
$ git config user.email t...@example.com
$ git add --force -- file3
$ git commit -m Initial
[master (root-commit) 65cf975] Initial
 1 file changed, 0 insertions(+), 0 deletions(-)
 create mode 100644 file3

$ git init
hint: Using 'master' as the name for the initial branch. This default branch name
hint: is subject to change. To configure the initial branch name to use in all
hint: of your new repositories, which will suppress this warning, call:
hint:
hint:     git config --global init.defaultBranch <name>
hint:
hint: Names commonly chosen instead of 'master' are 'main', 'trunk' and
hint: 'development'. The just-created branch can be renamed via this command:
hint:
hint:     git branch -m <name>
Initialized empty Git repository in /tmp/test-62xpxof5-check-manifest/repo3/.git/

$ git config user.name Unit Test
$ git config user.email t...@example.com
$ git add --force -- file4
$ git commit -m Initial
[master (root-commit) 4b782fa] Initial
 1 file changed, 0 insertions(+), 0 deletions(-)
 create mode 100644 file4

$ git submodule add ../repo3 sub3
Cloning into '/tmp/test-62xpxof5-check-manifest/repo2/sub3'...
fatal: transport 'file' not allowed
fatal: clone of '/tmp/test-62xpxof5-check-manifest/repo3' into submodule path '/tmp/test-62xpxof5-check-manifest/repo2/sub3' failed

_ TestGit.test_get_versioned_files_with_git_submodules_with_git_index_file_set _

self = <tests.TestGit testMethod=test_get_versioned_files_with_git_submodules_with_git_index_file_set>

    def test_get_versioned_files_with_git_submodules_with_git_index_file_set(self):
        with mock.patch.dict(os.environ, {"GIT_INDEX_FILE": ".git/index"}):
            self.test_get_versioned_files_with_git_submodules()

tests.py:1115:
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
tests.py:1094: in test_get_versioned_files_with_git_submodules
    self._add_submodule('repo2', 'sub3', '../repo3')
tests.py:1074: in _add_submodule
    self.vcs._run('git', 'submodule', 'add', subrepo, subdir)
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
self = <tests.GitHelper object at 0x7f8258761a20>
command = ('git', 'submodule', 'add', '../repo3', 'sub3')
p = <Popen: returncode: 128 args: ('git', 'submodule', 'add', '../repo3', 'sub3')>
stdout = b"Cloning into '/tmp/test-vgr4o291-check-manifest/repo2/sub3'...\nfatal: transport 'file' not allowed\nfatal: clone of '/tmp/test-vgr4o291-check-manifest/repo3' into submodule path '/tmp/test-vgr4o291-check-manifest/repo2/sub3' failed\n"
stderr = None

    def _run(self, *command):
        # Windows doesn't like Unicode arguments to subprocess.Popen(), on Py2:
        # https://github.com/mgedmin/check-manifest/issues/23#issuecomment-33933031
        if str is bytes:
            command = [s.encode(locale.getpreferredencoding()) for s in command]
        print('$', ' '.join(command))
        p = subprocess.Popen(command, stdout=subprocess.PIPE,
                             stderr=subprocess.STDOUT)
        stdout, stderr = p.communicate()
        rc = p.wait()
        if stdout:
            print(
                stdout if isinstance(stdout, str) else
                stdout.decode('ascii', 'backslashreplace')
            )
        if rc:
            raise subprocess.CalledProcessError(rc, command[0], output=stdout)
E subprocess.CalledProcessError: Command 'git' returned non-zero exit status 128.

tests.py:949: CalledProcessError
----------------------------- Captured stdout call -----------------------------
$ git init
hint: Using 'master' as the name for the initial branch. This default branch name
hint: is subject to change. To configure the initial branch name to use in all
hint: of your new repositories, which will suppress this warning, call:
hint:
hint:     git config --global init.defaultBranch <name>
hint:
hint: Names commonly chosen instead of 'master' are 'main', 'trunk' and
hint: 'development'. The just-created branch can be renamed via this command:
hint:
hint:     git branch -m <name>
Initialized empty Git repository in /tmp/test-vgr4o291-check-manifest/repo1/.git/

$ git config user.name Unit Test
$ git config user.email t...@example.com
$ git add --force -- file1 file2
$ git commit -m Initial
[master (root-commit) bbd8b65] Initial
 2 files changed, 0 insertions(+), 0 deletions(-)
 create mode 100644 file1
 create mode 100644 file2

$ git init
hint: Using 'master' as the name for the initial branch. This default branch name
hint: is subject to change. To configure the initial branch name to use in all
hint: of your new repositories, which will suppress this warning, call:
hint:
hint:     git config --global init.defaultBranch <name>
hint:
hint: Names commonly chosen instead of 'master' are 'main', 'trunk' and
hint: 'development'. The just-created branch can be renamed via this command:
hint:
hint:     git branch -m <name>
Initialized empty Git repository in /tmp/test-vgr4o291-check-manifest/repo2/.git/

$ git config user.name Unit Test
$ git config user.email t...@example.com
$ git add --force -- file3
$ git commit -m Initial
[master (root-commit) 65cf975] Initial
 1 file changed, 0 insertions(+), 0 deletions(-)
 create mode 100644 file3

$ git init
hint: Using 'master' as the name for the initial branch. This default branch name
hint: is subject to change. To configure the initial branch name to use in all
hint: of your new repositories, which will suppress this warning, call:
hint:
hint:     git config --global init.defaultBranch <name>
hint:
hint: Names commonly chosen instead of 'master' are 'main', 'trunk' and
hint: 'development'. The just-created branch can be renamed via this command:
hint:
hint:     git branch -m <name>
Initialized empty Git repository in /tmp/test-vgr4o291-check-manifest/repo3/.git/

$ git config user.name Unit Test
$ git config user.email t...@example.com
$ git add --force -- file4
$ git commit -m Initial
[master (root-commit) 4b782fa] Initial
 1 file changed, 0 insertions(+), 0 deletions(-)
 create mode 100644 file4

$ git submodule add ../repo3 sub3
Cloning into '/tmp/test-vgr4o291-check-manifest/repo2/sub3'...
fatal: transport 'file' not allowed
fatal: clone of '/tmp/test-vgr4o291-check-manifest/repo3' into submodule path '/tmp/test-vgr4o291-check-manifest/repo2/sub3' failed

=========================== short test summary info ============================
FAILED tests.py::TestGit::test_get_versioned_files_with_git_submodules - subp...
FAILED tests.py::TestGit::test_get_versioned_files_with_git_submodules_with_git_index_file_set
=========== 2 failed, 142 passed, 2 skipped, 2 deselected in 14.74s ============
autopkgtest [20:15:27]: test run-tests



--- End Message ---
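
Added example, not part of the bug report and not check-manifest's own code: one way a test helper can recognise the failure shown in the log above and opt in to the file transport for a single command on repositories the test created itself, leaving the global protocol.file.allow default (the CVE-2022-39253 hardening) in place. The function names are hypothetical, POSIX paths are assumed, and the sample output is copied from the log.

```python
import re

# Git output copied from the captured stdout in the report above.
SAMPLE_OUTPUT = (
    b"Cloning into '/tmp/test-62xpxof5-check-manifest/repo2/sub3'...\n"
    b"fatal: transport 'file' not allowed\n"
    b"fatal: clone of '/tmp/test-62xpxof5-check-manifest/repo3' into "
    b"submodule path '/tmp/test-62xpxof5-check-manifest/repo2/sub3' failed\n"
)

_BLOCKED = re.compile(rb"^fatal: transport '([^']+)' not allowed$", re.M)


def blocked_transport(output):
    """Return the transport git refused (e.g. 'file'), or None."""
    match = _BLOCKED.search(output)
    return match.group(1).decode("ascii") if match else None


def uses_file_transport(url):
    """True when git would treat url as a local path or a file:// URL."""
    if url.startswith("file://"):
        return True
    if "://" in url:
        return False  # http://, https://, ssh://, git:// ...
    colon, slash = url.find(":"), url.find("/")
    # scp-like "host:path" is only recognised if no slash precedes the colon.
    return colon == -1 or (slash != -1 and slash < colon)


def submodule_add_cmd(url, path, trusted_local=False):
    """Build 'git submodule add', allowing file transport for this call only."""
    cmd = ["git"]
    if trusted_local and uses_file_transport(url):
        # -c applies to this invocation only; no config file is modified.
        cmd += ["-c", "protocol.file.allow=always"]
    return cmd + ["submodule", "add", url, path]


if __name__ == "__main__":
    print("blocked transport:", blocked_transport(SAMPLE_OUTPUT))
    print(" ".join(submodule_add_cmd("../repo3", "sub3", trusted_local=True)))
```

The trusted_local flag is meant to be set only for source repositories the test suite initialised itself, as repo3 is in the log above.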
--- Begin Message ---
Source: check-manifest
Source-Version: 0.49-1
Done: Sergio Durigan Junior <sergi...@debian.org>

We believe that the bug you reported is fixed in the latest version of
check-manifest, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1023...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sergio Durigan Junior <sergi...@debian.org> (supplier of updated check-manifest 
package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


Format: 1.8
Date: Tue, 20 Dec 2022 14:52:47 -0500
Source: check-manifest
Architecture: source
Version: 0.49-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Team <team+pyt...@tracker.debian.org>
Changed-By: Sergio Durigan Junior <sergi...@debian.org>
Closes: 1023801 1026518
Changes:
 check-manifest (0.49-1) unstable; urgency=medium
 .
   * New upstream version 0.49 (Closes: #1023801, #1026518)
   * d/control: Bump Standards-Version to 4.6.2; no changes needed.
   * d/copyright: Update year and email address.

--- End Message ---
