Sandboxed Git: Provide a project Git config file #118

@tomschr

Situation

Some time ago I had a problem with this script. It didn't behave like I wanted. It turned out that my local Git config disturbed the script. I didn't expect that.

Especially the url."[email protected]:".instead keys made things worse. But I guess, depending on what the user has in their config, everything can be dangerous.

This leads to unexpected and non-reproducible builds.

Use Case

A Git config that is only used for this project has some benefits:

  • We can configure it the way we want
  • We aren't dependent on the user's config
  • We avoid unexpected and non-reproducible builds.

Possible Implementation

  1. Create a Git config (maybe as src/docbuild/etc/git/gitconfig?)

  2. Put git in a "sandbox" and nullify the configuration layers by using environment variables:

    GIT_CONFIG_SYSTEM=/dev/null GIT_CONFIG_GLOBAL=src/docbuild/etc/git/gitconfig git <command>
    

There is only one exception: the local config `.git/config` of the repo. This is always read. As we clone it, this shouldn't be dangerous and is okay.

  1. Normal behavior:

    System (/etc) + Global (~/) + Local (.git/) = Final Config

  2. The "Sandbox" Method:

    System (/dev/null) + Global (our file in src/docbuild/etc/git/gitconfig) + Local (.git/) = Final Config

Before running the actual command, verify the config with the following command:

    GIT_CONFIG_SYSTEM=/dev/null GIT_CONFIG_GLOBAL=src/docbuild/etc/git/gitconfig git config --list --show-origin

You should only see lines starting with file:.git/config (which is fine) and a few with file:src/docbuild/etc/git/gitconfig.
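
The verification step above can be automated so a build stops when any setting leaks in from another source. This is an added example, not part of the original issue or the project's code; the function names and the `PROJECT_GITCONFIG` variable are assumptions, while the environment variables and the config path are the ones proposed above.

```shell
#!/bin/sh
# Added example. PROJECT_GITCONFIG and all function names are hypothetical;
# the default path is the one suggested in the issue.
PROJECT_GITCONFIG="${PROJECT_GITCONFIG:-src/docbuild/etc/git/gitconfig}"

# Run git with the system layer nulled and the global layer replaced by the
# project file. The repository's own .git/config is still read.
sandboxed_git() {
    GIT_CONFIG_SYSTEM=/dev/null \
    GIT_CONFIG_GLOBAL="$PROJECT_GITCONFIG" \
    git "$@"
}

# Read `git config --list --show-origin` output on stdin. Each line has the
# form "<origin><TAB><key>=<value>". Print every entry whose origin is neither
# the project file nor .git/config, and return non-zero if any was found.
# This also flags "command line:" entries, which is how settings injected
# through -c or GIT_CONFIG_COUNT/GIT_CONFIG_KEY_n show up.
unexpected_origins() {
    awk -F '\t' -v proj="file:$PROJECT_GITCONFIG" '
        $1 == proj || $1 == "file:.git/config" { next }
        { print; bad = 1 }
        END { exit bad + 0 }
    '
}

# Check the effective config of the repository in the current directory.
# Prints offending entries to stderr and fails if the sandbox is not clean.
verify_sandbox() {
    if ! sandboxed_git config --list --show-origin | unexpected_origins >&2; then
        echo "git sandbox check failed: config from unexpected origin" >&2
        return 1
    fi
}

# Usage inside a build script, from the cloned repository:
#   verify_sandbox && sandboxed_git fetch --prune
```

Paths are compared as literal strings, so run the check from the same working directory the build uses; a local config that pulls in other files through `include.path` is reported with the included file's own origin and therefore flagged.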

Labels: enhancement (New feature or request)