On 2023-01-16 at 17:15:08, Ian Jackson wrote: > Package: git > Version: 1:2.20.1-2+deb10u6 > > I have a script which I use for privsep builds of Rust stuff. > Since a recent stable security update, I get this: > > fatal: detected dubious ownership in repository at > '/home/ian/Rustup/Arti/arti' > To add an exception for this directory, call: > git config --global --add safe.directory /home/ian/Rustup/Arti/arti > > I understand the reason for this. However, my tool deliberately > arranges to trust a repository owned by a different user: indeed, it > is about to execute code from that user's directory. The build user > trusts (must trust) the source code user, so this is fine. > > So I would like to pass > -c safe.directory=* > > However > > This config setting is only respected when specified in a system or > global config, not when it is specified in a repository config or > via the command line option -c > > This is preventing me from disabling this check. I don't understand > why we wouldn't trust the command line.
I agree this is annoying, and I've run into similar problems, also for good reasons. Fortunately, I believe we've fixed this upstream in 6061601d9f (safe.directory: use git_protected_config(), 2022-07-14), which was included in 2.38. If you can confirm that's the case, you may want to close the bug accordingly. -- brian m. carlson (they/them or he/him) Toronto, Ontario, CA
signature.asc
Description: PGP signature
