1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
|
'\" t
.\" Title: git-upload-pack
.\" Author: [FIXME: author] [see http://www.docbook.org/tdg5/en/html/author]
.\" Generator: DocBook XSL Stylesheets v1.79.2 <http://docbook.sf.net/>
.\" Date: 2025-05-15
.\" Manual: Git Manual
.\" Source: Git 2.49.0.608.gcb96e1697a
.\" Language: English
.\"
.TH "GIT\-UPLOAD\-PACK" "1" "2025-05-15" "Git 2\&.49\&.0\&.608\&.gcb96e1" "Git Manual"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
git-upload-pack \- Send objects packed back to git\-fetch\-pack
.SH "SYNOPSIS"
.sp
.nf
\fIgit\-upload\-pack\fR [\-\-[no\-]strict] [\-\-timeout=<n>] [\-\-stateless\-rpc]
[\-\-advertise\-refs] <directory>
.fi
.SH "DESCRIPTION"
.sp
Invoked by \fIgit fetch\-pack\fR, learns what objects the other side is missing, and sends them after packing\&.
.sp
This command is usually not invoked directly by the end user\&. The UI for the protocol is on the \fIgit fetch\-pack\fR side, and the program pair is meant to be used to pull updates from a remote repository\&. For push operations, see \fIgit send\-pack\fR\&.
.SH "OPTIONS"
.PP
\-\-[no\-]strict
.RS 4
Do not try <directory>/\&.git/ if <directory> is not a Git directory\&.
.RE
.PP
\-\-timeout=<n>
.RS 4
Interrupt transfer after <n> seconds of inactivity\&.
.RE
.PP
\-\-stateless\-rpc
.RS 4
Perform only a single read\-write cycle with stdin and stdout\&. This fits with the HTTP POST request processing model where a program may read the request, write a response, and must exit\&.
.RE
.PP
\-\-http\-backend\-info\-refs
.RS 4
Used by
\fBgit-http-backend\fR(1)
to serve up
\fB$GIT_URL/info/refs\fR?service=git\-upload\-pack requests\&. See "Smart Clients" in
\fBgitprotocol-http\fR(5)
and "HTTP Transport" in the
\fBgitprotocol-v2\fR(5)
documentation\&. Also understood by
\fBgit-receive-pack\fR(1)\&.
.RE
.PP
<directory>
.RS 4
The repository to sync from\&.
.RE
.SH "ENVIRONMENT"
.PP
\fBGIT_PROTOCOL\fR
.RS 4
Internal variable used for handshaking the wire protocol\&. Server admins may need to configure some transports to allow this variable to be passed\&. See the discussion in
\fBgit\fR(1)\&.
.RE
.PP
\fBGIT_NO_LAZY_FETCH\fR
.RS 4
When cloning or fetching from a partial repository (i\&.e\&., one itself cloned with
\fB\-\-filter\fR), the server\-side
\fBupload\-pack\fR
may need to fetch extra objects from its upstream in order to complete the request\&. By default,
\fBupload\-pack\fR
will refuse to perform such a lazy fetch, because
\fBgit\fR
\fBfetch\fR
may run arbitrary commands specified in configuration and hooks of the source repository (and
\fBupload\-pack\fR
tries to be safe to run even in untrusted \&.\fBgit\fR
directories)\&.
.sp
This is implemented by having
\fBupload\-pack\fR
internally set the
\fBGIT_NO_LAZY_FETCH\fR
variable to
\fB1\fR\&. If you want to override it (because you are fetching from a partial clone, and you are sure you trust it), you can explicitly set
\fBGIT_NO_LAZY_FETCH\fR
to
\fB0\fR\&.
.RE
.SH "SECURITY"
.sp
Most Git commands should not be run in an untrusted \&.\fBgit\fR directory (see the section \fBSECURITY\fR in \fBgit\fR(1))\&. \fBupload\-pack\fR tries to avoid any dangerous configuration options or hooks from the repository it\(cqs serving, making it safe to clone an untrusted directory and run commands on the resulting clone\&.
.sp
For an extra level of safety, you may be able to run \fBupload\-pack\fR as an alternate user\&. The details will be platform dependent, but on many systems you can run:
.sp
.if n \{\
.RS 4
.\}
.nf
git clone \-\-no\-local \-\-upload\-pack=\*(Aqsudo \-u nobody git\-upload\-pack\*(Aq \&.\&.\&.
.fi
.if n \{\
.RE
.\}
.SH "SEE ALSO"
.sp
\fBgitnamespaces\fR(7)
.SH "GIT"
.sp
Part of the \fBgit\fR(1) suite
|
