Skip building version file if git describe fails the new perm check

git had a CVE related to arbitrary code being run when you run git status and similar, and instead of doing something about those arbitrary code bits they decided to lock it down entirely.

So now git will refuse to do basically anything once it detects the .git directory is owned by someone else.

So, what we do is:

If `git describe` failed with a status of 128, we keep an already
built version file.

This is an awful hack, but should help with the normal `cmake; make; sudo
make install` cycle.

(the only *real* way around this seems to be to not attempt to rebuild
the version file at install time entirely, but I have no idea how to
do that)

Fixes #8973.
This commit is contained in:
Fabian Homborg 2022-05-26 09:28:49 +02:00
parent ec6fd088f2
commit 15f1b5f368

View file

@ -9,14 +9,26 @@ set -e
# Find the fish directory as two levels up from script directory.
FISH_BASE_DIR="$( cd "$( dirname "$( dirname "$0" )" )" && pwd )"
DEF_VER=unknown
git_permission_failed=0
# First see if there is a version file (included in release tarballs),
# then try git-describe, then default.
if test -f version
then
VN=$(cat version) || VN="$DEF_VER"
elif ! VN=$(git -C "$FISH_BASE_DIR" describe --always --dirty 2>/dev/null); then
VN="$DEF_VER"
else
if VN=$(git -C "$FISH_BASE_DIR" describe --always --dirty 2>/dev/null); then
:
else
if test $? = 128; then
# Current git versions return status 128
# when run in a repo owned by another user.
# Even for describe and everything.
# This occurs for `sudo make install`.
git_permission_failed=1
fi
VN="$DEF_VER"
fi
fi
# If the first param is --stdout, then output to stdout and exit.
@ -30,6 +42,15 @@ fi
test -n "$1" && OUTPUT_DIR=$1/ || OUTPUT_DIR=
FBVF="${OUTPUT_DIR}FISH-BUILD-VERSION-FILE"
if test "$VN" = unknown && test -r "$FBVF" && test "$git_permission_failed" = 1
then
# HACK: Git failed, so we keep the current version file.
# This helps in case you built fish as a normal user
# and then try to `sudo make install` it.
date +%s > ${OUTPUT_DIR}fish-build-version-witness.txt
exit 0
fi
if test -r "$FBVF"
then
VC=$(grep -v '^#' "$FBVF" | tr -d '"' | sed -e 's/^FISH_BUILD_VERSION=//')