问题
I have a git related question (git pull fails on my webserver) and to further describe my problem I thought it could be a good idea to offer also my .git directory so that git geeks could look inside and figure out what could be the problem.
Is it a good idea to make public a .git folder OR what to look out for when doing so OR what kind of dump message from git should be offered for debugging git errors?
回答1:
Security
Making public the .git directory is just like make public your repo. If there's no sensitive information in your repo (keys written to hooks or remote-paths what contains secrets, files with plain-text passwords) then it is ok to share.
Debugging
answer taken from @kenorb at How can I debug git/git-shell related problems?
Git has a fairly complete set of traces embedded which you can use to debug your git problems.
To turn them on, you can define the following variables:
GIT_TRACEfor general traces,GIT_TRACE_PACK_ACCESSfor tracing of packfile access,GIT_TRACE_PACKETfor packet-level tracing for network operations,GIT_TRACE_PERFORMANCEfor logging the performance data,GIT_TRACE_SETUPfor information about discovering the repository and environment it’s interacting with,GIT_MERGE_VERBOSITYfor debugging recursive merge strategy (values: 0-5),GIT_CURL_VERBOSEfor logging all curl messages (equivalent tocurl -v),GIT_TRACE_SHALLOWfor debugging fetching/cloning of shallow repositories.
Possible values can include:
true,1or2to write to stderr,- an absolute path starting with
/to trace output to the specified file.
For more details, see: Git Internals - Environment Variables
SSH
For SSH issues, try the following commands:
echo 'ssh -vvv $*' > ssh && chmod +x ssh
GIT_SSH="$PWD/ssh" git pull origin master
or use ssh to validate your credentials, e.g.
ssh -vvvT git@github.com
or over HTTPS port:
ssh -vvvT -p 443 git@ssh.github.com
Note: Reduce number of -v to reduce the verbosity level.
Examples
$ GIT_TRACE=1 git status
20:11:39.565701 git.c:350 trace: built-in: git 'status'
$ GIT_TRACE_PERFORMANCE=$PWD/gc.log git gc
Counting objects: 143760, done.
...
$ head gc.log
20:12:37.214410 trace.c:420 performance: 0.090286000 s: git command: 'git' 'pack-refs' '--all' '--prune'
20:12:37.378101 trace.c:420 performance: 0.156971000 s: git command: 'git' 'reflog' 'expire' '--all'
...
$ GIT_TRACE_PACKET=true git pull origin master
20:16:53.062183 pkt-line.c:80 packet: fetch< 93eb028c6b2f8b1d694d1173a4ddf32b48e371ce HEAD\0multi_ack thin-pack side-band side-band-64k ofs-delta shallow no-progress include-tag multi_ack_detailed symref=HEAD:refs/heads/master agent=git/2:2.6.5~update-ref-initial-update-1494-g76b680d
...
回答2:
if you never had sensitive information in your repository, then yes, otherwise no. (assuming you never did exotic things, like writing keys into a hook, or having a remote-path that contains a secret).
If you never modified your .git folder directly, then will only contain the secrets, that were in your repo all along.
Note: you ssl-certificates are not stored in the .git folder; those are handled by your system.
回答3:
There isn't problem to make the .git public. Sharing this file is in fact sharing your repository and it may be a good idea for an expert give you a hand.
The only personal information that could be leaked would be your email address. Everything related to SSH keys or passwords goes separately.
Of course, all those files that you have included in the different versions will be published, as well as the messages of the commits. It's the only thing that should be watched.
来源:https://stackoverflow.com/questions/52313545/is-it-secure-to-publish-my-git-directory-for-debugging