Git added the configuration option safe.bareRepository = explicit as a security measure to prevent attacks where a cloned repository contains a bare repository and a Git command is run from within that directory.
This new option isn't the default behavior in Git yet. Git 3.0 will have breaking changes but I don't believe anything has been announced regarding this configuration option in general. However, many organizations default it to explicit for their users in their own Git installations as a security improvement. Unfortunately, this setting being enabled completely breaks dependency resolution for SwiftPM. Within Google, SwiftPM isn't our primary build system, but any of our teams building SDKs that we ship to open-source customers are impacted by this issue.
@Kyle-Ye had created a proof-of-concept implementation a while back but it would need expertise from someone on SwiftPM to review it and shepherd it through.
Is supporting this security feature something that the Build and Packaging Workgroup would be able to prioritize in an upcoming release?
I'm not very familiar with these parts of package resolution myself, but I've pinged a couple folks who might know more about this, and we can put it on the agenda to talk about at the next workgroup meeting (if anyone would like an invite to discuss, the next meeting announcement isn't posted yet but it will be on May 7 and you can DM @build-and-packaging-workgroup for an invite).
For whatever reason, VSCode automatic package resolve started failing for me a few days ago, with that bareRepository error. The consequence is it would re-fetch the dependencies every single time instead of re-using the cached ones.
I could never find where the explicit was being injected, so I patched it by adding the following to my VSCode settings:
There's a bug in the Copilot SDK (github/copilot-cli#3602) where it's adding GIT_CONFIG_KEY_n/GIT_CONFIG_VALUE_n environment variables to set safe.bareRepository to explicit for the whole NodeJS extension host environment in VS Code. This is causing SwiftPM to be unable to use its dependencies cache that relies on bare repositories. A workaround for now (if you don't use Copilot in VS Code) is to disable the AI features with the chat.disableAIFeatures setting and restart VS Code.
@plemarquand merged a temporary workaround in the Swift extension for VS Code yesterday (swiftlang/vscode-swift#2266). SwiftPM will still need to be fixed to properly support bare repositories, but this will at least unblock people using VS Code in the meantime. We're working on getting v2.16.6 published with the fix and are tracking the overall issue in swiftlang/vscode-swift#2263.
After working around this in VS Code Swift I started asking why we didn't support this in SwiftPM. I'm late to the discussion and was happy to see @Kyle-Ye's POC basically did most of the work. I picked it up and dusted it off, and I've put up:
This should be a transparent improvement to users; with the PR it no longer matters what safe.bareRepository is set to.