No longer possible to serve shared repositories in klaus

[arunisaac]

My klaus setup involves klaus serving repositories that are owned by a different user. But, with git's new safe directory checks, it is no longer possible to use shared repositories without explicit safelisting. git's safe directory checks aren't quite relevant to klaus. It would be nice if we could avoid using the git CLI altogether and do everything with dulwich. That way, we can continue to support shared repositories while at the same time not exposing ourselves to git vulnerabilities and being immune from klaus breaking due to future changes in git.

Here's the git error message I get when trying to serve a shared repository with klaus.

2023-07-25 09:39:13 fatal: detected dubious ownership in repository at '/srv/git/repos/guix-forge'
2023-07-25 09:39:13 To add an exception for this directory, call:
2023-07-25 09:39:13 
2023-07-25 09:39:13     git config --global --add safe.directory /srv/git/repos/guix-forge
2023-07-25 09:39:13 [2023-07-25 09:39:13,228] ERROR in app: Exception on /guix-forge/ [GET]

Thank you!

[jonashaag]

Unfortunately Dulwich is still too slow for some operations.

Any other ideas how to improve this in Klaus?

[arunisaac]

We could maybe use pygit2 instead of dulwich. pygit2 depends on libgit2 and should be faster. https://www.pygit2.org/

[jonashaag]

I'm open to merge that change but not interested in putting in the work right now.

[arunisaac]

No worries! I totally understand. I don't have much time for hacking myself. For now, I'll be running klaus with a patched git that has the safe directory check disabled.

[trentbuck]

In case it's not obvious, you can work around this issue by running git config --global --add safe.directory /srv/git/repos/guix-forge like the error message suggested. This is what I did at work, where repos are rarely added/removed.
My /etc/gitconfig looks like this:

[safe]
directory = /srv/vcs/foo.git
directory = /srv/vcs/bar.git
directory = /srv/vcs/baz.git

I could not find any way to "batch" allow /srv/vcs/*.git.

[arunisaac]

Yes, that's possible. But, I would prefer to have a smoother user experience than that. I maintain a klaus service in guix-forge. https://guix-forge.systemreboot.net/ This klaus service automates away most of the deployment details. I would prefer to keep it that way and not tell users to invoke additional commands.

[fin444]

duplicate of #300