Bump Git version requirement to 2.7.3
Added 85 commits:
- 7ae573c7...a80b49ba - 83 commits from branch master
- ecfa6cd7 - Merge branch 'master' into git-2-7-3
- cd683714 - Fix changelog
mentioned in commit 5fd88cdd
mentioned in issue #14308 (closed)
mentioned in commit c7a3d759
Is there an issue with more information related to this bump available?
I'm asking since our installation is running on Debian Jessie and currently uses the Git package from the official repositories. If possible I would like to avoid installing from source, so I'm wondering whether GitLab 8.6 depends on Git features introduced in newer releases. Since Debian reliably backports security-related fixes, it wouldn't make sense for us to upgrade Git if the version bump was done for security reasons only.
Related MRs: !3281 (merged), !3283 (merged), !3284 (merged), !3285 (merged), !3286 (merged)
@dgerhardt The bump was solely for the security fix.
Could the requirement be expressed in a manner that allows for git binaries that report a vulnerable `--version` but which have the security fix backported? For example, naively it would appear that my git is vulnerable:

```
git@jadeite:~$ git --version
git version 1.7.10.4
```

But on closer inspection it can be seen that I'm using the git distributed by Debian:

```
git@jadeite:~$ command -v git
/usr/bin/git
git@jadeite:~$ dpkg -s git | grep '^Version:' | cut -d' ' -f2
1:1.7.10.4-1+wheezy3
```
1:1.7.10.4-1+wheezy2 and earlier is vulnerable, but 1:1.7.10.4-1+wheezy3 is OK.
Checking for widely-deployed patched versions could significantly ease the administrative burden of running GitLab on Debian (and perhaps other distributions).
Edited by username-removed-463581
mentioned in issue #14758 (closed)
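The kind of check rcsheets describes, written out as an added example; this is not GitLab's own version check, and the function names, the `--self` flag and the allow-list are assumptions. It accepts a git whose upstream version meets the 2.7.3 requirement, and otherwise consults an explicit allow-list of distro package versions known to carry the backported fix. The only allow-list entry is the Debian package version quoted above (`1:1.7.10.4-1+wheezy3`); a deployment would have to maintain that list itself, which is exactly the burden discussed in this thread. Package versions are matched exactly rather than through `dpkg --compare-versions`, so the example runs offline on any POSIX sh.

```shell
#!/bin/sh
# Added example, not GitLab's own check. Accept git either by upstream
# version (>= REQUIRED_GIT_VERSION) or, for distro-packaged binaries, by an
# allow-list of package versions known to include the backported fix.

REQUIRED_GIT_VERSION="2.7.3"

# Hypothetical allow-list. The single entry is the Debian wheezy package
# version quoted in this discussion as patched; further entries would be
# added by whoever maintains the list.
PATCHED_DISTRO_VERSIONS="1:1.7.10.4-1+wheezy3"

# version_ge A B: succeed when dotted numeric version A >= B.
# Missing trailing components count as 0, so "2.7" == "2.7.0".
version_ge() {
    vg_a="$1"; vg_b="$2"
    while [ -n "$vg_a" ] || [ -n "$vg_b" ]; do
        vg_ah=${vg_a%%.*}; vg_bh=${vg_b%%.*}
        [ "$vg_ah" = "$vg_a" ] && vg_a="" || vg_a=${vg_a#*.}
        [ "$vg_bh" = "$vg_b" ] && vg_b="" || vg_b=${vg_b#*.}
        vg_ah=${vg_ah:-0}; vg_bh=${vg_bh:-0}
        if [ "$vg_ah" -gt "$vg_bh" ]; then return 0; fi
        if [ "$vg_ah" -lt "$vg_bh" ]; then return 1; fi
    done
    return 0
}

# parse_git_version "git version 1.7.10.4 (...)" -> 1.7.10.4
parse_git_version() {
    printf '%s\n' "$1" | awk '{print $3}'
}

# distro_git_patched PKGVERSION: exact match against the allow-list.
distro_git_patched() {
    for dp_v in $PATCHED_DISTRO_VERSIONS; do
        [ "$dp_v" = "$1" ] && return 0
    done
    return 1
}

# git_acceptable "<git --version output>" "<package version or empty>"
# Succeeds when the upstream version meets the requirement, or when the
# distro package version is on the allow-list.
git_acceptable() {
    ga_ver=$(parse_git_version "$1")
    if version_ge "$ga_ver" "$REQUIRED_GIT_VERSION"; then
        return 0
    fi
    if [ -n "$2" ] && distro_git_patched "$2"; then
        return 0
    fi
    return 1
}

# Run against the local system with: sh check_git.sh --self
# (the file name is an assumption; the functions above work on any input).
if [ "${1:-}" = "--self" ]; then
    self_out=$(git --version 2>/dev/null) || { echo "git not found"; exit 2; }
    self_pkg=""
    if command -v dpkg >/dev/null 2>&1; then
        # Same field as "dpkg -s git | grep '^Version:'" in the thread.
        self_pkg=$(dpkg -s git 2>/dev/null | sed -n 's/^Version: //p')
    fi
    if git_acceptable "$self_out" "$self_pkg"; then
        echo "git OK: $self_out (package: ${self_pkg:-none})"
    else
        echo "git too old or not on the patched allow-list: $self_out (package: ${self_pkg:-none})"
        exit 1
    fi
fi
```

With constructed inputs, `git_acceptable "git version 1.7.10.4" "1:1.7.10.4-1+wheezy3"` passes on the allow-list while the same binary reported as `1:1.7.10.4-1+wheezy2` is rejected, which is the distinction rcsheets wants; the cost is that every new distro build that backports the fix needs a list entry, which is DouweM's objection.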
@rcsheets There's no way for us to reliably determine whether a git includes a backported fix, without managing a hardcoded list of good/bad versions. I don't think the benefits here outweigh the burden of maintaining that list.
Forcing Debian/Ubuntu users to compile git from source is not a good option:
- they know their packaged git version is not vulnerable
- (worse) this would prevent them from getting future security fixes from the distro
Is there any way to bypass the version check?
Edited by username-removed-480519
@faeschbacher GitLab should work fine even if the check fails, right?
@DouweM well in this case, that's indeed not an issue. Thanks for clarifying.