author: Alyssa Ross <hi@alyssa.is> 2023-09-22 06:59:40 +0000
committer: Alyssa Ross <hi@alyssa.is> 2023-09-22 06:59:40 +0000
commit: 7d40fbbc04cded4adbbcd3e87546d43bdacf47e8
tree: 6b9339163e4392ec6840acf69d5c112c87ade418
parent: c9a667043fdd65c3511d9b61481240dd56c56f2d
nix-prefetch-git: ignore global and user git config
nix-prefetch-git is either run as part of a build, usually sandboxed,
or outside a build, unsandboxed, to prefetch something that will later
be used in a build.  It's important that the latter use produces
hashes that can be reproduced by the former.

One way that they can differ is if the user's git config does
something that changes the result of git clone.  I ran into this,
because my global git config automatically enables git-lfs, whereas
nix-prefetch-git otherwise only uses git-lfs if specifically
requested.  This led to very confusing hash mismatches.
 nixos/doc/manual/release-notes/rl-2311.section.md | 2
 pkgs/build-support/fetchgit/nix-prefetch-git      | 9
 2 files changed, 8 insertions, 3 deletions
diff --git a/nixos/doc/manual/release-notes/rl-2311.section.md b/nixos/doc/manual/release-notes/rl-2311.section.md
index 6cd59a95e63c..f5a7bf545067 100644
--- a/nixos/doc/manual/release-notes/rl-2311.section.md
+++ b/nixos/doc/manual/release-notes/rl-2311.section.md
@@ -124,6 +124,8 @@
 
 - `himalaya` has been updated to `0.8.0`, which drops the native TLS support (in favor of Rustls) and add OAuth 2.0 support. See the [release note](https://github.com/soywod/himalaya/releases/tag/v0.8.0) for more details.
 
+- `nix-prefetch-git` now ignores global and user git config, to improve reproducibility.
+
 - The [services.caddy.acmeCA](#opt-services.caddy.acmeCA) option now defaults to `null` instead of `"https://acme-v02.api.letsencrypt.org/directory"`, to use all of Caddy's default ACME CAs and enable Caddy's automatic issuer fallback feature by default, as recommended by upstream.
 
 - The default priorities of [`services.nextcloud.phpOptions`](#opt-services.nextcloud.phpOptions) have changed. This means that e.g.
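Review bot: the release note understates what changes: the script hunk in this same commit also sets `export GIT_CONFIG_NOSYSTEM=1`, so the system-wide git config is skipped as well, not only the global and user config. Suggest wording it as `- \`nix-prefetch-git\` now ignores system, global and user git config, to improve reproducibility.` and adding a clause that settings people rely on when prefetching interactively, such as credential helpers or `url.<base>.insteadOf` rewrites in `~/.gitconfig`, no longer apply.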
diff --git a/pkgs/build-support/fetchgit/nix-prefetch-git b/pkgs/build-support/fetchgit/nix-prefetch-git
index 2a53fd94e7f2..1194b39dafd7 100755
--- a/pkgs/build-support/fetchgit/nix-prefetch-git
+++ b/pkgs/build-support/fetchgit/nix-prefetch-git
@@ -293,9 +293,6 @@ clone_user_rev() {
     local rev="${3:-HEAD}"
 
     if [ -n "$fetchLFS" ]; then
-        tmpHomePath="$(mktemp -d "${TMPDIR:-/tmp}/nix-prefetch-git-tmp-home-XXXXXXXXXX")"
-        exit_handlers+=(remove_tmpHomePath)
-        HOME="$tmpHomePath"
         clean_git lfs install
     fi
 
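Review bot: after this removal the `fetchLFS` branch silently depends on `HOME` already pointing at the throwaway directory that is now created at top level, and nothing in `clone_user_rev` says so. `git lfs install` without `--local` writes its filter settings to `$HOME/.gitconfig`, so a later refactor that calls `clone_user_rev` before that setup would install LFS hooks into the caller's real config. A one-line comment above `clean_git lfs install`, noting that the temporary `HOME` is set up before this function is reached, would guard against that.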
@@ -417,6 +414,12 @@ if test -z "$branchName"; then
     branchName=fetchgit
 fi
 
+tmpHomePath="$(mktemp -d "${TMPDIR:-/tmp}/nix-prefetch-git-tmp-home-XXXXXXXXXX")"
+exit_handlers+=(remove_tmpHomePath)
+HOME="$tmpHomePath"
+unset XDG_CONFIG_HOME
+export GIT_CONFIG_NOSYSTEM=1
+
 if test -n "$builder"; then
     test -n "$out" -a -n "$url" -a -n "$rev" || usage
     mkdir -p "$out"
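Review bot: the isolation is incomplete for shells that point git at a config file explicitly: `GIT_CONFIG_GLOBAL` and `GIT_CONFIG_SYSTEM` (honoured since git 2.32) take precedence over the `$HOME/.gitconfig` and `/etc/gitconfig` lookups and are neither unset nor overridden here, so a user with `GIT_CONFIG_GLOBAL` in their environment would still get their config applied, and with it the same hash mismatch this commit sets out to fix. Suggest `unset GIT_CONFIG_GLOBAL GIT_CONFIG_SYSTEM` next to `unset XDG_CONFIG_HOME`. Also, `HOME="$tmpHomePath"` only reaches git because the calling shell already exported `HOME`; `export HOME="$tmpHomePath"` matches the explicit `export GIT_CONFIG_NOSYSTEM=1` on the next line and holds even under `env -i`.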