Explicitly pass --git-dir as auto-discovery no longer works due to CVE-2022-24765

The lastest batch of git releases have broken using GitCondDB from CVMFS due to the CVE-2022-24765 mitigations.

$ cd /cvmfs/lhcb-condb.cern.ch/git-conddb/DDDB.git && git for-each-ref --python --sort=-creatordate '--format=(%(refname:short),%(taggername)" "%(taggeremail),%(taggerdate:iso8601),%(contents)),' 'refs/tags/'
fatal: unsafe repository ('/cvmfs/lhcb-condb.cern.ch/git-conddb/DDDB.git' is owned by someone else)
To add an exception for this directory, call:

	git config --global --add safe.directory /cvmfs/lhcb-condb.cern.ch/git-conddb/DDDB.git

Explicitly passing --git-dir works around the issue:

$ git --git-dir /cvmfs/lhcb-condb.cern.ch/git-conddb/DDDB.git for-each-ref --python --sort=-creatordate '--format=(%(refname:short),%(taggername)" "%(taggeremail),%(taggerdate:iso8601),%(contents)),' 'refs/tags/' | head -n 5
\n---'),pes: [Upgrade]3','Sajan Easo'" "'<sajan.easo@cern.ch>','2022-03-23 15:26:24 +0100','---
\n---'),pes: [Upgrade]1','Sajan Easo'" "'<sajan.easo@cern.ch>','2022-01-11 16:45:05 +0100','---
\n---'),pes: [Upgrade]9','Sajan Easo'" "'<sajan.easo@cern.ch>','2021-11-29 17:47:37 +0100','---
\n---'),pes: [Upgrade]7','Sajan Easo'" "'<sajan.easo@cern.ch>','2021-10-17 18:16:53 +0200','---
\n---'),pes: [Upgrade]7','Sajan Easo'" "'<sajan.easo@cern.ch>','2021-06-17 08:58:50 +0000','---

added bug label

added RTA label

mentioned in merge request !3516 (merged)

Either this MR or !3516 (merged) apply cleanly to all *-patches branches.

@clemenci would you rather I open merge requests to the other 15 branches? or shall I just disable the branch protection after these two are approved and directly push the commits?

Once we merge this we can create cherry pick MRs to the other branches.

Hi @clemenci, is this ready for testing?

mentioned in issue Moore#421 (closed)

approved this merge request

Yes, ready for testing.

I've skimmed over the git docs and the CVE but can't find where --git-dir is mentioned as a "supported" workaround.

How did you discover it? Are we sure this workaround is not going to be obsoleted by a fix in the future?

/ci-test --platforms=x86_64_v2-centos7-gcc11-opt

assigned to @rmatev

This has been applied to all of the historic releases on CVMFS: https://lblogbook.cern.ch/Operations/35514

added ci-test-triggered label

• [2022-04-19 15:04] Validation started with lhcb-master-mr#4252

added Conditions enhancement labels and removed bug label

resolved all threads

approved this merge request

merged

mentioned in commit f4362a41

mentioned in commit 8fbd7c76

mentioned in issue Moore#426 (closed)