[Bug]: Armbian changes user's global git config; fails if it can't

Description

### What happened?

Running `./compile` fails if the user's global git config is a symlink to a read-only filesystem, as it usually is in NixOS. I imagine this holds true for other situations in which a user's git config is read-only to that user.

Log:
```Shell
λ ./compile.sh
error: could not lock config file /home/kjkent/.config/git/config: Read-only file system
[💥] Error 255 occurred in main shell [ at /home/kjkent/dev/armbian/lib/functions/logging/runners.sh:211
run_host_command_logged_raw() --> lib/functions/logging/runners.sh:211
regular_git() --> lib/functions/general/git.sh:44
git_ensure_safe_directory() --> lib/functions/general/git.sh:60
main() --> ./compile.sh:47
]
```
It seems unnecessary that a Dockerised build requires access to my kernel modules (see https://github.com/armbian/build/issues/7052) and also needs to change my git config without any prompt beforehand? I've never encountered this before and it feels like sketchy behaviour, even if it's for benign reasons. Here's the relevant code:

```Shell
# lib/functions/general/git.sh:60

# workaround new limitations imposed by CVE-2022-24765 fix in git, otherwise "fatal: unsafe repository"
function git_ensure_safe_directory() {
	if [[ -n "$(command -v git)" ]]; then
		local git_dir="$1"
		if [[ -e "$1/.git" ]]; then
			display_alert "git: Marking all directories as safe, which should include" "$git_dir" "debug"
			git config --global --get safe.directory "$1" > /dev/null || regular_git config --global --add safe.directory "$1"
		fi
	else
		display_alert "git not installed" "a true wonder how you got this far without git - it will be installed for you" "warn"
	fi
}
```
There is that call to `alert`, but, as seen in the output above, there's no console output other than the error.

I'm not knowledgeable about the build process enough to answer "why on earth is this function needed"; however, silently altering global git config in order to bypass a security feature that's there specifically to plug a CVE does pose the question of its appropriateness.

### How to reproduce?

1. Have global user git config (eg ~/.gitconfig) be a symlink to a file on a read-only filesystem.

2. Run `./compile` in repo directory.

### Branch

main (main development branch)

### On which host OS are you running the build script and observing this problem?

Ubuntu 24.04 Noble

### Are you building on Windows WSL2?

  • [ ] Yes, my Ubuntu/Debian/OtherOS is running on WSL2

### Relevant log URL

No response

### Code of Conduct

  • [x] I agree to follow this project's Code of Conduct

Raised by: https://github.com/kjkent

https://github.com/armbian/build/issues/7907

Created March 4, 2025 at 12:42 AM
Updated March 4, 2025 at 12:42 AM
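
One way to grant the `safe.directory` exception without writing to the user's global git config, as an added example that is not part of the original report and not Armbian's code. The function names are hypothetical, and it assumes a git new enough to honour `safe.directory` from the `GIT_CONFIG_COUNT` / `GIT_CONFIG_KEY_n` / `GIT_CONFIG_VALUE_n` environment variables (taken here to be 2.38 or newer).

```shell
#!/bin/sh
# Added example: scope safe.directory to this process and its children
# instead of running `git config --global --add`.

# Hypothetical helper: append one safe.directory entry to the environment.
scoped_safe_directory() {
	dir="$1"
	[ -n "$dir" ] || return 2
	# Refuse the wildcard: '*' would switch the ownership check off everywhere.
	[ "$dir" != "*" ] || return 2
	n="${GIT_CONFIG_COUNT:-0}"
	# GIT_CONFIG_COUNT must be a plain non-negative integer.
	case "$n" in *[!0-9]*) return 2 ;; esac
	# Do not add the same directory twice.
	i=0
	while [ "$i" -lt "$n" ]; do
		eval "k=\${GIT_CONFIG_KEY_$i:-}; v=\${GIT_CONFIG_VALUE_$i:-}"
		if [ "$k" = "safe.directory" ] && [ "$v" = "$dir" ]; then
			return 0
		fi
		i=$((i + 1))
	done
	export "GIT_CONFIG_KEY_$n=safe.directory"
	export "GIT_CONFIG_VALUE_$n=$dir"
	export GIT_CONFIG_COUNT=$((n + 1))
}

# Hypothetical stand-in for the write path quoted in the report: nothing on
# disk changes, so a read-only or symlinked global config is not a problem.
ensure_safe_directory_scoped() {
	repo="$1"
	[ -e "$repo/.git" ] || return 0
	# If the user already trusts this path in their own global config, do nothing.
	if command -v git >/dev/null 2>&1 &&
		git config --global --get-all safe.directory 2>/dev/null |
		grep -Fxq -- "$repo"; then
		return 0
	fi
	scoped_safe_directory "$repo"
}
```

The exception disappears when the shell that called `ensure_safe_directory_scoped` exits, and the user's own configuration file is only ever read.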