jonashaag / klaus

docker run klaus / pip install klaus — the first Git web viewer that Just Works™.
http://klausdemo.lophus.org

No longer possible to serve shared repositories in klaus #322

Open arunisaac opened 1 year ago

arunisaac commented 1 year ago

My klaus setup involves klaus serving repositories that are owned by a different user. But, with git's new safe directory checks, it is no longer possible to use shared repositories without explicit safelisting. git's safe directory checks aren't quite relevant to klaus. It would be nice if we could avoid using the git CLI altogether and do everything with dulwich. That way, we can continue to support shared repositories while at the same time not exposing ourselves to git vulnerabilities and being immune from klaus breaking due to future changes in git.

Here's the git error message I get when trying to serve a shared repository with klaus.

2023-07-25 09:39:13 fatal: detected dubious ownership in repository at '/srv/git/repos/guix-forge'
2023-07-25 09:39:13 To add an exception for this directory, call:
2023-07-25 09:39:13 
2023-07-25 09:39:13     git config --global --add safe.directory /srv/git/repos/guix-forge
2023-07-25 09:39:13 [2023-07-25 09:39:13,228] ERROR in app: Exception on /guix-forge/ [GET]

Thank you!

jonashaag commented 1 year ago

Unfortunately Dulwich is still too slow for some operations.

Any other ideas how to improve this in Klaus?

arunisaac commented 1 year ago

We could maybe use pygit2 instead of dulwich. pygit2 depends on libgit2 and should be faster.

https://www.pygit2.org/

jonashaag commented 1 year ago

I'm open to merging that change but not interested in putting in the work right now.

arunisaac commented 1 year ago

No worries! I totally understand. I don't have much time for hacking myself. For now, I'll be running klaus with a patched git that has the safe directory check disabled.

trentbuck commented 8 months ago

In case it's not obvious, you can work around this issue by running git config --global --add safe.directory /srv/git/repos/guix-forge like the error message suggested. This is what I did at work, where repos are rarely added/removed. My /etc/gitconfig looks like this:

[safe]
directory = /srv/vcs/foo.git
directory = /srv/vcs/bar.git
directory = /srv/vcs/baz.git

I could not find any way to "batch" allow /srv/vcs/*.git.
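
An added example, not part of the comment above and not klaus or git code: it generates the same kind of [safe] section for every repository directly under one root, listing a repository only when its owner and mode are ones the operator trusts, since a safe.directory entry tells git to accept a repository it does not own. The function names, the trusted_uids parameter and the sample tree are assumptions made for this illustration.

```python
import os
import stat
import tempfile
from pathlib import Path


def git_dir_of(path):
    """Return the git directory of a bare or non-bare repository, else None."""
    for cand in (path, path / ".git"):
        if (cand / "HEAD").is_file() and (cand / "objects").is_dir() and (cand / "refs").is_dir():
            return cand
    return None


def is_trusted(path, trusted_uids):
    """True if path is not a symlink, has a trusted owner and is not world-writable."""
    st = os.lstat(path)
    return (not stat.S_ISLNK(st.st_mode) and st.st_uid in trusted_uids
            and not st.st_mode & stat.S_IWOTH)


def quote(value):
    """Quote a path as a git config value."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def safe_directory_section(root, trusted_uids):
    """Return (gitconfig_text, skipped) for the repositories directly under root."""
    listed, skipped = [], []
    for child in sorted(Path(root).resolve().iterdir()):
        git_dir = None if child.is_symlink() or not child.is_dir() else git_dir_of(child)
        if git_dir is None:
            continue
        # Check the top-level directory, the git directory and, where present, config and hooks.
        parts = [child, git_dir] + [p for p in (git_dir / "config", git_dir / "hooks") if os.path.lexists(p)]
        ok = all(is_trusted(p, trusted_uids) for p in parts)
        (listed if ok else skipped).append(str(child))
    return "[safe]\n" + "".join(f"\tdirectory = {quote(p)}\n" for p in listed), skipped


if __name__ == "__main__":
    # Constructed sample tree: foo.git is acceptable, bar.git is world-writable.
    with tempfile.TemporaryDirectory() as root:
        for name, mode in (("foo.git", 0o755), ("bar.git", 0o777)):
            for sub in ("objects", "refs"):
                os.makedirs(os.path.join(root, name, sub))
            Path(root, name, "HEAD").write_text("ref: refs/heads/master\n")
            os.chmod(os.path.join(root, name), mode)
        print(safe_directory_section(root, {os.getuid()}))
```

The returned text has the same shape as the /etc/gitconfig excerpt in the comment above; the skipped list is what an operator would review by hand.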

arunisaac commented 8 months ago

Yes, that's possible. But, I would prefer to have a smoother user experience than that. I maintain a klaus service in guix-forge. https://guix-forge.systemreboot.net/ This klaus service automates away most of the deployment details. I would prefer to keep it that way and not tell users to invoke additional commands.

fin444 commented 7 months ago

duplicate of https://github.com/jonashaag/klaus/issues/300