-
Notifications
You must be signed in to change notification settings - Fork 16
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[BUG] Setting $GIT_SSH_COMMAND
is a bad idea
#193
Comments
Opened a PR as an attempt to resolve this: #194 |
Based on the difficulty in tracking down the bug in #193, I think you can appreciate why npm is setting So while we can appreciate that this is an issue for folks who rely on custom ssh configs, any solution can not break the experience for the vast majority of npm users. Its addition was a hard earned lesson in user experience. Also, this commit was likely not the introduction of this issue. As you can see it was just shuffling around an existing implementation that still used that param. That PR was made to stop removing existing values that were not set by npm itself. This was introduced in when git references were defaulted to using ssh in npm 7. There is a longstanding issue here where folks in the comments have listed some workarounds iirc. The long and the short of it is that git references in npm have always had edge cases and problems. We don't even store checksums in lockfiles anymore because git links aren't idempotent: they can point to branches that may be different every time you install a package. They are discouraged from general use. |
@wraithgar --
|
@wraithgar This was a fair callout. I've modified my PR to now only overwrite if the git config is does not have |
npm will no longer manually set `GIT_ASKPASS` or `GIT_SSH_COMMAND` if it finds those values already defined in the user's git config. ## References npm/cli#2891 #193 #129 --------- Co-authored-by: pacotedev <i+pacotedev@izs.me>
This issue is now resolved in @wraithgar I think this can be closed now |
@dennishenry -- Thanks!! |
I originally ran into a very hard to trace issue that resulted from using a newer
npm
. After much head scratching, I figured out that the problem is thatnpm
is setting$GIT_SSH_COMMAND
in a way that kills the script. In my case, the culprit was using agit config
setting that sets the ssh command, but$GIT_SSH_COMMAND
will override that setting. It's essentially the same problem reported in this comment. This is of course related to #2891, but a different problem. There's more relevant pointers in those issues, and I'll add this commit as the specific one that lead to this problem. (Though it looks like there was always an intention to set it.)Having gone through a bunch of issues in this neighborhood, I see that this is not the first time that it bites someone. But more than that -- IMO it's actually bad to actually try to do the
StrictHostKeyChecking
tweaking that this thing is doing. Yes, it can be annoying to figure out thessh-keyscan
that is needed to pre-populate known hosts, but since this is potentially a security issue, I'd argue that disabling it is a BAD idea which should be left for people who want to do that. Even more so in a world where ephemeral runners are common, so you're constantly exposed to the risks that come with the disabling. (The original, plain usage of ssh makes it less dangerous, since you'd get the auto-trusted to happen on the first time you ssh to a new host, but then you'd have that persist. This is why disabling this and using it in an ephemeral runner is a bad idea.)I therefore think that this particular setting should be removed. Or at least do it based on some setting that is not the default, so it's easier to do the ssh tweaking for people who opt into it (and the docs for that option would be a good place to warn people that it works by setting that env var).
As for the problem of existing things breaking, it shouldn't be too difficult to look at stderr, and if there's a message about an unknown host error, then add some text about the new option (whose page should describe the risk and what could be done to avoid it).
The text was updated successfully, but these errors were encountered: