From: Jens Lehmann <Jens.Lehmann@web.de>
To: Jeff King <peff@peff.net>, Aschemann Gerd <gerd@aschemann.net>
Cc: Jonathan Nieder <jrnieder@gmail.com>,
Heiko Voigt <hvoigt@hvoigt.net>,
git@vger.kernel.org
Subject: Re: Bug? git submodule add SSL certificate problem: unable to get local issuer certificate
Date: Tue, 10 Mar 2015 21:56:42 +1300 [thread overview]
Message-ID: <54FEB1CA.7020204@web.de> (raw)
In-Reply-To: <20150309074339.GA31866@peff.net>
Am 09.03.2015 um 20:43 schrieb Jeff King:
> On Thu, Mar 05, 2015 at 04:20:10PM +0100, Aschemann Gerd wrote:
>
>> seems to be a bug: If adding a submodule from an https URL with a certificate issued by StartSSL (or even a private/self-signed one?) leads to the following error:
>>
>> $ git -c http.sslverify=false submodule add https://example.com/git/xxx.git
>> Cloning into 'xxx'...
>> fatal: unable to access 'https://example.com/git/xxx.git/': server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
>> Clone of 'https://example.com/git/xxx.git' into submodule path 'xxx' failed
>>
>> Performing a simple clone works well:
>>
>> $ git -c http.sslverify=false clone https://example.com/git/xxx.git
>> Cloning into 'xxx'...
>> Password for 'https://example.com':
>
> I think the problem is that the submodule code wipes all "local"
> environment variables before executing the submodule clone, and that
> includes the variable containing command-line config.
>
> Config like this is in a funny boat. We do not want it to cross
> transport boundaries, so that if we run:
>
> git -c foo=bar clone /some/local/path
>
> the process serving /some/local/path should not see the "foo" option[1].
> But for submodules in the same repository, keeping the shared config is
> probably more reasonable (I can imagine a config variable that you might
> want to behave differently between the submodule and the main project,
> but I could not think of any off-hand, and I expect it would be a rare
> exception).
>
> Submodule folks (cc'd) may have opinions.
I tend to rather not share configs. While I agree that for the example
which started this it would be correct to simply pass http.sslverify,
that doesn't always make sense (e.g. it never does for a setting like
core.worktree).
We already have two options for submodule add and update that are
passed to the clone command (--reference & --depth), maybe it is time
to add another one for passing config options to clone (which then get
set permanently in the submodule's config).
> -Peff
>
> [1] This behavior comes from 655e8d9 (do not pass "git -c foo=bar"
> params to transport helpers, 2010-08-24), and the original
> discussion is here:
>
> http://thread.gmane.org/gmane.comp.version-control.git/154241/focus=154255
>
> I am tempted to simply drop the transport-layer blocking of config
> options. It is not buying us anything security-wise, and it could
> actually be convenient to pass options to the "other side". But it's
> probably a bad idea, if only because it would not be consistently
> applied to repos on the other side of git://, http://, or ssh
> sessions.
>
> So the sanest fix, if we want submodules to inherit the command-line
> config, would be to drop GIT_CONFIG_PARAMETERS from local_repo_env,
> and have the transport code suppress it manually.
>
next prev parent reply other threads:[~2015-03-10 9:17 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <F24DBF8D-40EE-4C8D-AE9C-463E59C4AAD7@aschemann.net>
2015-03-05 15:20 ` Bug? git submodule add SSL certificate problem: unable to get local issuer certificate Aschemann Gerd
2015-03-09 7:43 ` Jeff King
2015-03-10 8:56 ` Jens Lehmann [this message]
2015-03-21 13:22 ` Jeff King
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: http://vger.kernel.org/majordomo-info.html
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=54FEB1CA.7020204@web.de \
--to=jens.lehmann@web.de \
--cc=gerd@aschemann.net \
--cc=git@vger.kernel.org \
--cc=hvoigt@hvoigt.net \
--cc=jrnieder@gmail.com \
--cc=peff@peff.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://80x24.org/mirrors/git.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).