Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
Bug#1029022: git should honour -c safe.directory
23 views
Skip to first unread message
Ian Jackson
Jan 16, 2023, 12:20:03 PM1/16/23
to
Package: git
Version: 1:2.20.1-2+deb10u6
I have a script which I use for privsep builds of Rust stuff.
Since a recent stable security update, I get this:
fatal: detected dubious ownership in repository at '/home/ian/Rustup/Arti/arti'
To add an exception for this directory, call:
git config --global --add safe.directory /home/ian/Rustup/Arti/arti
I understand the reason for this. However, my tool deliberately
arranges to trust a repository owned by a different user: indeed, it
is about to execute code from that user's directory. The build user
trusts (must trust) the source code user, so this is fine.
So I would like to pass
-c safe.directory=*
However
This config setting is only respected when specified in a system or
global config, not when it is specified in a repository config or
via the command line option -c
This is preventing me from disabling this check. I don't understand
why we wouldn't trust the command line.
Ian.
--
Ian Jackson <ijac...@chiark.greenend.org.uk> These opinions are my own.
Pronouns: they/he. If I emailed you from @fyvzl.net or @evade.org.uk,
that is a private address which bypasses my fierce spamfilter.
Version: 1:2.20.1-2+deb10u6
I have a script which I use for privsep builds of Rust stuff.
Since a recent stable security update, I get this:
fatal: detected dubious ownership in repository at '/home/ian/Rustup/Arti/arti'
To add an exception for this directory, call:
git config --global --add safe.directory /home/ian/Rustup/Arti/arti
I understand the reason for this. However, my tool deliberately
arranges to trust a repository owned by a different user: indeed, it
is about to execute code from that user's directory. The build user
trusts (must trust) the source code user, so this is fine.
So I would like to pass
-c safe.directory=*
However
This config setting is only respected when specified in a system or
global config, not when it is specified in a repository config or
via the command line option -c
This is preventing me from disabling this check. I don't understand
why we wouldn't trust the command line.
Ian.
--
Ian Jackson <ijac...@chiark.greenend.org.uk> These opinions are my own.
Pronouns: they/he. If I emailed you from @fyvzl.net or @evade.org.uk,
that is a private address which bypasses my fierce spamfilter.
0 new messages