February 17, 2015

Improved Security and Git 2.2.1 Support in Git Fusion

Git Fusion 2015.1 is now available. Below are some of the new features added in this release.

Background Push

Back in 2013 when we added HTTPS support, we had to jump through some process management hoops to make sure that a Git push, once started, ran to completion even if the Git client disconnected. The code that completed the push in a background process has been cleaned up and merged into both HTTPS and SSH.

Now every Git push, whether over HTTPS or SSH, goes through the same code: a quick preflight check, then the connection to the Git client is released, then a background process translates from Git to Perforce. Spend less time pushing and more time writing something worth pushing.

Upgrade to Git 2.2.1 and Enable CVE-2014-9390 Rejection

Git 2.2.1 fixes a security bug that affected Windows and Mac OS X workstations. Git Fusion runs on a Linux server, which makes Git Fusion immune to this exploit. But we are paranoid enough that we would rather Git Fusion never host a repo that carries such an exploit. So we updated Git Fusion's version of Git and turned on Git's CVE-2014-9390 detection. Git Fusion servers now reject attempts to push any repo carrying this exploit.

Git's CVE-2014-9390 detection casts a wide net: it also catches and rejects old commits with oddly formed data. We see many repos rejected with "zero-padded file modes" due to odd tree objects, and one repo with a commit that had a nonsensical time zone offset. If your own repos are rejected, see John Williston's post on how to clean up your repo to pass the git fsck check.
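As an added illustration (not Git's or Git Fusion's own code), the Python sketch below parses raw tree and commit object bodies and flags the two rejection causes named above. The sample objects are constructed, the function names are hypothetical, and the time zone rule (a sign followed by exactly four digits) is a simplified assumption about what the fsck check accepts.

```python
import re

def parse_tree(raw: bytes):
    """Yield (mode, name, sha_hex) for each entry in a raw tree object body.

    Entry layout: <octal mode in ASCII> SP <name> NUL <20-byte SHA-1>.
    """
    pos = 0
    while pos < len(raw):
        sp = raw.index(b" ", pos)
        nul = raw.index(b"\0", sp)
        if nul + 21 > len(raw):
            raise ValueError("truncated tree entry")
        yield raw[pos:sp], raw[sp + 1:nul], raw[nul + 1:nul + 21].hex()
        pos = nul + 21

def check_tree(raw: bytes):
    """Report entries whose mode has a leading zero (e.g. 040000 for 40000)."""
    findings = []
    for mode, name, _sha in parse_tree(raw):
        if mode.startswith(b"0"):
            findings.append(("zero-padded file mode",
                             name.decode("utf-8", "replace"),
                             mode.decode("ascii", "replace")))
    return findings

# "author"/"committer" lines end with: <email> SP <epoch seconds> SP <offset>
IDENT = re.compile(rb"^(author|committer) .*> (\d+) (\S*)$")
TZ = re.compile(rb"^[+-]\d{4}$")  # assumed well-formed shape: sign + 4 digits

def check_commit(raw: bytes):
    """Report identity lines whose time zone offset is not sign + 4 digits."""
    findings = []
    header = raw.split(b"\n\n", 1)[0]  # headers end at the first blank line
    for line in header.split(b"\n"):
        m = IDENT.match(line)
        if m and not TZ.match(m.group(3)):
            findings.append(("bad time zone offset",
                             m.group(1).decode(),
                             m.group(3).decode("ascii", "replace")))
    return findings

# Constructed sample objects (dummy all-zero object ids, not from a real repo).
SHA = bytes(20)
GOOD_TREE = b"100644 README\0" + SHA + b"40000 src\0" + SHA
ODD_TREE = b"100644 README\0" + SHA + b"040000 src\0" + SHA
ODD_COMMIT = (b"tree " + b"0" * 40 + b"\n"
              b"author A U Thor <a@example.com> 1400000000 +051800\n"
              b"committer A U Thor <a@example.com> 1400000000 +0000\n"
              b"\nold import\n")

if __name__ == "__main__":
    print(check_tree(ODD_TREE), check_commit(ODD_COMMIT))
```

On a real repository, `git cat-file` can supply the raw object bodies that these functions expect.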

Support for Git Copy/Rename Detection

We finally got to one of Git Fusion's oldest feature requests: translate git mv to p4 move.

Before everyone gets excited and runs off to try this new feature, know that this feature works exactly as well as Git's own copy/rename detection, and can produce some unexpected p4 integ or p4 move actions. Git does not store copy or move actions: it calculates actions later when you ask "what changed in this commit?". That calculation works great most of the time, but sometimes it infers an intent that the human author never had. Not a problem for Git users, since humans can ignore goofy results. But Git Fusion copies those goofy results to Perforce, recording them to forever amuse Perforce users.

Get Git Fusion 2015.1 for the latest new features and fixes.