Supporting `safe.bareRepository = explicit` in Swift Package Manager

Open issue: Git config setting `safe.bareRepository=explicit` can break dependency resolution · Issue #8068 · swiftlang/swift-package-manager · GitHub

Git added the configuration option `safe.bareRepository = explicit` as a security measure to prevent attacks where a cloned repository contains a bare repository and a Git command is run from within that directory.

This new option isn't the default behavior in Git yet. Git 3.0 will have breaking changes but I don't believe anything has been announced regarding this configuration option in general. However, many organizations default it to explicit for their users in their own Git installations as a security improvement. Unfortunately, this setting being enabled completely breaks dependency resolution for SwiftPM. Within Google, SwiftPM isn't our primary build system, but any of our teams building SDKs that we ship to open-source customers are impacted by this issue.

@Kyle-Ye had created a proof-of-concept implementation a while back but it would need expertise from someone on SwiftPM to review it and shepherd it through.

Is supporting this security feature something that the Build and Packaging Workgroup would be able to prioritize in an upcoming release?

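As an added example (not code from this thread, from SwiftPM, or from Google), the script below shows what the setting changes for a bare clone of the kind a dependency resolver keeps in a cache. With the default value `all`, Git discovers a bare repository from the working directory; with `explicit`, the same command is refused unless the repository is named with the top-level `--git-dir` option (or `GIT_DIR`), which is also the shape a fix in the calling tool has to take. The `cache.git` path and the helper names are made up, the setting is passed with `-c` only so the demo does not touch your global config, and the script assumes a Git that knows `safe.bareRepository` (2.38 or later); it makes no claim about how SwiftPM itself invokes Git.

```shell
#!/bin/sh
# Added example, not part of the original thread or of SwiftPM.
# Shows how safe.bareRepository=explicit affects a bare repository that
# is entered via the working directory versus one named with --git-dir.

# safe.bareRepository exists from Git 2.38 on; older versions silently
# ignore it, so callers can check before relying on the behaviour.
git_has_safe_bare_repository() {
    v=$(git --version 2>/dev/null | sed 's/[^0-9.]*\([0-9]*\)\.\([0-9]*\).*/\1 \2/')
    [ -n "$v" ] || return 1
    set -- $v
    [ "$1" -gt 2 ] || { [ "$1" -eq 2 ] && [ "$2" -ge 38 ]; }
}

# Create a throwaway bare repository (constructed path, like a cache
# entry a package manager might keep) and print its path.
make_bare_repo() {
    dir=$(mktemp -d)
    git init -q --bare "$dir/cache.git"
    echo "$dir/cache.git"
}

# Run a read-only command *inside* the bare directory and let Git find
# the repository from the cwd. $1 = path, $2 = safe.bareRepository value.
# Prints "ok" when Git accepts the repository, "refused" when it does not.
probe_via_cwd() {
    bare=$1
    setting=$2
    if git -c "safe.bareRepository=$setting" -C "$bare" \
            rev-parse --is-bare-repository >/dev/null 2>&1; then
        echo ok
    else
        echo refused
    fi
}

# Same command, but the bare repository is named explicitly with the
# top-level --git-dir option, which is what `explicit` requires.
probe_via_git_dir() {
    bare=$1
    setting=$2
    if git -c "safe.bareRepository=$setting" --git-dir="$bare" \
            rev-parse --is-bare-repository >/dev/null 2>&1; then
        echo ok
    else
        echo refused
    fi
}

# Stand-alone demo: prints one line per combination.
demo() {
    git_has_safe_bare_repository || { echo "git too old for safe.bareRepository"; return 1; }
    bare=$(make_bare_repo)
    echo "cwd discovery, all:      $(probe_via_cwd "$bare" all)"
    echo "cwd discovery, explicit: $(probe_via_cwd "$bare" explicit)"
    echo "--git-dir,     explicit: $(probe_via_git_dir "$bare" explicit)"
    rm -rf "$(dirname "$bare")"
}

# To make the stricter behaviour the default for a user rather than per
# invocation, set it in protected (global or system) config:
#   git config --global safe.bareRepository explicit
```

Running `demo` prints `ok`, `refused`, `ok` in that order on a Git with the setting. The middle line is the failure mode the thread describes: any tool that changes into a bare clone and relies on repository discovery stops working once `explicit` is in effect, while a tool that passes `--git-dir` (or sets `GIT_DIR`) keeps working with the setting on.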

cc @build-and-packaging-workgroup

I'm not very familiar with these parts of package resolution myself, but I've pinged a couple of folks who might know more about this, and we can put it on the agenda to talk about at the next workgroup meeting (if anyone would like an invite to discuss, the next meeting announcement isn't posted yet, but it will be on May 7 and you can DM @build-and-packaging-workgroup for an invite).


Just saw this thread and realized I missed it. I’d be happy to join the next meeting if possible.