Provided by: git-man_2.17.1-1ubuntu0.18_all bug

NAME

       gitnamespaces - Git namespaces

SYNOPSIS

       GIT_NAMESPACE=<namespace> git upload-pack
       GIT_NAMESPACE=<namespace> git receive-pack

DESCRIPTION

       Git supports dividing the refs of a single repository into multiple namespaces, each of
       which has its own branches, tags, and HEAD. Git can expose each namespace as an
       independent repository to pull from and push to, while sharing the object store, and
       exposing all the refs to operations such as git-gc(1).

       Storing multiple repositories as namespaces of a single repository avoids storing
       duplicate copies of the same objects, such as when storing multiple branches of the same
       source. The alternates mechanism provides similar support for avoiding duplicates, but
       alternates do not prevent duplication between new objects added to the repositories
       without ongoing maintenance, while namespaces do.

       To specify a namespace, set the GIT_NAMESPACE environment variable to the namespace. For
       each ref namespace, Git stores the corresponding refs in a directory under
       refs/namespaces/. For example, GIT_NAMESPACE=foo will store refs under
       refs/namespaces/foo/. You can also specify namespaces via the --namespace option to
       git(1).

       Note that namespaces which include a / will expand to a hierarchy of namespaces; for
       example, GIT_NAMESPACE=foo/bar will store refs under
       refs/namespaces/foo/refs/namespaces/bar/. This makes paths in GIT_NAMESPACE behave
       hierarchically, so that cloning with GIT_NAMESPACE=foo/bar produces the same result as
       cloning with GIT_NAMESPACE=foo and cloning from that repo with GIT_NAMESPACE=bar. It also
       avoids ambiguity with strange namespace paths such as foo/refs/heads/, which could
       otherwise generate directory/file conflicts within the refs directory.

       git-upload-pack(1) and git-receive-pack(1) rewrite the names of refs as specified by
       GIT_NAMESPACE. git-upload-pack and git-receive-pack will ignore all references outside the
       specified namespace.

       The smart HTTP server, git-http-backend(1), will pass GIT_NAMESPACE through to the backend
       programs; see git-http-backend(1) for sample configuration to expose repository namespaces
       as repositories.

       For a simple local test, you can use git-remote-ext(1):

           git clone ext::'git --namespace=foo %s /tmp/prefixed.git'

SECURITY

       The fetch and push protocols are not designed to prevent one side from stealing data from
       the other repository that was not intended to be shared. If you have private data that you
       need to protect from a malicious peer, your best option is to store it in another
       repository. This applies to both clients and servers. In particular, namespaces on a
       server are not effective for read access control; you should only grant read access to a
       namespace to clients that you would trust with read access to the entire repository.

       The known attack vectors are as follows:

        1. The victim sends "have" lines advertising the IDs of objects it has that are not
           explicitly intended to be shared but can be used to optimize the transfer if the peer
           also has them. The attacker chooses an object ID X to steal and sends a ref to X, but
           isn’t required to send the content of X because the victim already has it. Now the
           victim believes that the attacker has X, and it sends the content of X back to the
           attacker later. (This attack is most straightforward for a client to perform on a
           server, by creating a ref to X in the namespace the client has access to and then
           fetching it. The most likely way for a server to perform it on a client is to "merge"
           X into a public branch and hope that the user does additional work on this branch and
           pushes it back to the server without noticing the merge.)

        2. As in #1, the attacker chooses an object ID X to steal. The victim sends an object Y
           that the attacker already has, and the attacker falsely claims to have X and not Y, so
           the victim sends Y as a delta against X. The delta reveals regions of X that are
           similar to Y to the attacker.