пространства имен Git (Git namespaces)
Имя (Name)
gitnamespaces - Git namespaces
Синопсис (Synopsis)
GIT_NAMESPACE=<namespace> git upload-pack
GIT_NAMESPACE=<namespace> git receive-pack
Описание (Description)
Git supports dividing the refs of a single repository into
multiple namespaces, each of which has its own branches, tags,
and HEAD. Git can expose each namespace as an independent
repository to pull from and push to, while sharing the object
store, and exposing all the refs to operations such as git-gc(1).
Storing multiple repositories as namespaces of a single
repository avoids storing duplicate copies of the same objects,
such as when storing multiple branches of the same source. The
alternates mechanism provides similar support for avoiding
duplicates, but alternates do not prevent duplication between new
objects added to the repositories without ongoing maintenance,
while namespaces do.
To specify a namespace, set the GIT_NAMESPACE environment
variable to the namespace. For each ref namespace, Git stores the
corresponding refs in a directory under refs/namespaces/. For
example, GIT_NAMESPACE=foo will store refs under
refs/namespaces/foo/. You can also specify namespaces via the
--namespace option to git(1).
Note that namespaces which include a / will expand to a hierarchy
of namespaces; for example, GIT_NAMESPACE=foo/bar will store refs
under refs/namespaces/foo/refs/namespaces/bar/. This makes paths
in GIT_NAMESPACE behave hierarchically, so that cloning with
GIT_NAMESPACE=foo/bar produces the same result as cloning with
GIT_NAMESPACE=foo and cloning from that repo with
GIT_NAMESPACE=bar. It also avoids ambiguity with strange
namespace paths such as foo/refs/heads/, which could otherwise
generate directory/file conflicts within the refs directory.
git-upload-pack(1) and git-receive-pack(1) rewrite the names of
refs as specified by GIT_NAMESPACE. git-upload-pack and
git-receive-pack will ignore all references outside the specified
namespace.
The smart HTTP server, git-http-backend(1), will pass
GIT_NAMESPACE through to the backend programs; see
git-http-backend(1) for sample configuration to expose repository
namespaces as repositories.
For a simple local test, you can use git-remote-ext(1):
git clone ext::'git --namespace=foo %s /tmp/prefixed.git'
Безопасность (Security)
The fetch and push protocols are not designed to prevent one side
from stealing data from the other repository that was not
intended to be shared. If you have private data that you need to
protect from a malicious peer, your best option is to store it in
another repository. This applies to both clients and servers. In
particular, namespaces on a server are not effective for read
access control; you should only grant read access to a namespace
to clients that you would trust with read access to the entire
repository.
The known attack vectors are as follows:
1. The victim sends "have" lines advertising the IDs of objects
it has that are not explicitly intended to be shared but can
be used to optimize the transfer if the peer also has them.
The attacker chooses an object ID X to steal and sends a ref
to X, but isn't required to send the content of X because the
victim already has it. Now the victim believes that the
attacker has X, and it sends the content of X back to the
attacker later. (This attack is most straightforward for a
client to perform on a server, by creating a ref to X in the
namespace the client has access to and then fetching it. The
most likely way for a server to perform it on a client is to
"merge" X into a public branch and hope that the user does
additional work on this branch and pushes it back to the
server without noticing the merge.)
2. As in #1, the attacker chooses an object ID X to steal. The
victim sends an object Y that the attacker already has, and
the attacker falsely claims to have X and not Y, so the
victim sends Y as a delta against X. The delta reveals
regions of X that are similar to Y to the attacker.
