GITNAMESPACES(7) Git Manual GITNAMESPACES(7)
NAME
gitnamespaces - Git namespaces
SYNOPSIS
GIT_NAMESPACE=<namespace>
git upload-pack GIT_NAMESPACE=<namespace>
git receive-packDESCRIPTION
Git supports dividing the refs of a single repository into multiple
namespaces, each of which has its own branches, tags, and HEAD. Git
can expose each namespace as an independent repository to pull from
and push to, while sharing the object store, and exposing all the
refs to operations such as
git-gc(1).
Storing multiple repositories as namespaces of a single repository
avoids storing duplicate copies of the same objects, such as when
storing multiple branches of the same source. The alternates
mechanism provides similar support for avoiding duplicates, but
alternates do not prevent duplication between new objects added to
the repositories without ongoing maintenance, while namespaces do.
To specify a namespace, set the
GIT_NAMESPACE environment variable to
the namespace. For each ref namespace, Git stores the corresponding
refs in a directory under
refs/namespaces/. For example,
GIT_NAMESPACE=foo will store refs under
refs/namespaces/foo/. You can
also specify namespaces via the
--namespace option to
git(1).
Note that namespaces which include a
/ will expand to a hierarchy of
namespaces; for example,
GIT_NAMESPACE=foo/bar will store refs under
refs/namespaces/foo/refs/namespaces/bar/. This makes paths in
GIT_NAMESPACE behave hierarchically, so that cloning with
GIT_NAMESPACE=foo/bar produces the same result as cloning with
GIT_NAMESPACE=foo and cloning from that repo with
GIT_NAMESPACE=bar.
It also avoids ambiguity with strange namespace paths such as
foo/refs/heads/, which could otherwise generate directory/file
conflicts within the
refs directory.
git-upload-pack(1) and
git-receive-pack(1) rewrite the names of refs
as specified by
GIT_NAMESPACE. git-upload-pack and git-receive-pack
will ignore all references outside the specified namespace.
The smart HTTP server,
git-http-backend(1), will pass GIT_NAMESPACE
through to the backend programs; see
git-http-backend(1) for sample
configuration to expose repository namespaces as repositories.
For a simple local test, you can use
git-remote-ext(1):
git clone ext::'git --namespace=foo %s /tmp/prefixed.git'
SECURITY
The fetch and push protocols are not designed to prevent one side
from stealing data from the other repository that was not intended to
be shared. If you have private data that you need to protect from a
malicious peer, your best option is to store it in another
repository. This applies to both clients and servers. In particular,
namespaces on a server are not effective for read access control; you
should only grant read access to a namespace to clients that you
would trust with read access to the entire repository.
The known attack vectors are as follows:
1. The victim sends "have" lines advertising the IDs of objects it
has that are not explicitly intended to be shared but can be used
to optimize the transfer if the peer also has them. The attacker
chooses an object ID X to steal and sends a ref to X, but isn't
required to send the content of X because the victim already has
it. Now the victim believes that the attacker has X, and it sends
the content of X back to the attacker later. (This attack is most
straightforward for a client to perform on a server, by creating
a ref to X in the namespace the client has access to and then
fetching it. The most likely way for a server to perform it on a
client is to "merge" X into a public branch and hope that the
user does additional work on this branch and pushes it back to
the server without noticing the merge.)
2. As in #1, the attacker chooses an object ID X to steal. The
victim sends an object Y that the attacker already has, and the
attacker falsely claims to have X and not Y, so the victim sends
Y as a delta against X. The delta reveals regions of X that are
similar to Y to the attacker.
GIT
Part of the
git(1) suite
Git 2.48.1 2025-01-13 GITNAMESPACES(7)
