On Tue, Mar 04, 2025 at 08:39:50AM +0100, Patrick Steinhardt wrote:

> > Some examples, assuming we just suppress reading Git config:
> >
> >   - Without an explicit ident, we fall back to constructing one from
> >     system info. So if a unit test ever creates a commit, it will work
> >     fine for most people, but not for somebody with a blank GECOS field
> >     in /etc/passwd. (We do look at that field for reflogs, which current
> >     unit tests already do, but we are more forgiving there since we
> >     don't pass IDENT_STRICT).
> >
> >   - Other programs we call (e.g., imagine gpg or ssh for commit signing
> >     or verification) may read their own config based on $HOME,
> >     $XDG_CONFIG_HOME, etc. I don't know if Patrick was including that in
> >     "sanitizing the environment" or not.
>
> Oh, yes. I didn't mean to say we shouldn't sanitize at all, I rather
> meant to say we should sanitize to values that simply cause us to do a
> no-op in the relevant parts. That means we'd:
>
>   - Unset a bunch of environment variables where we know that they
>     impact Git.
>
>   - Set config-related environment variables to read configuration
>     from "/dev/null".
>
> This is in contrast to the more involved fix here, which would be to
> populate a temporary home directory with gitconfig files and whatnot.

OK. I still think you'd want to set GIT_COMMITTER_NAME (to avoid gecos
dependencies). And I'm assuming your "a bunch of environment variables
where we know that they impact Git" includes $HOME, since we are
inheriting dependencies from sub-programs. It doesn't necessarily have to
point somewhere useful, though I wouldn't be surprised if some programs
complain if they can't write to it.

-Peff
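The sanitizing approach the thread converges on (drop inherited variables, point config at /dev/null, set an explicit committer ident so GECOS is never consulted, give HOME a scratch directory that sub-programs can still write to), written out as an added shell example that is not part of the thread or of git.git. It assumes a git that understands GIT_CONFIG_GLOBAL and GIT_CONFIG_SYSTEM; the "Leaked Name" config and the identities are constructed sample values.

```sh
# Added example (not from the thread or git.git): a sanitized environment
# for invoking git from a test, built the way the discussion suggests.
set -eu

# Constructed "real" home whose global config must not leak into the test.
make_poisoned_home() {
  d=$(mktemp -d)
  printf '[user]\n\tname = Leaked Name\n' >"$d/.gitconfig"
  echo "$d"
}

# Run "$@" under a sanitized environment; $1 is a scratch dir used as HOME.
# env -i drops everything inherited, so only what is listed here reaches
# git and the programs it spawns (gpg, ssh, ...), which key off HOME and
# XDG_CONFIG_HOME themselves. Config lookups become no-ops via /dev/null,
# and the explicit ident means the GECOS field is never consulted.
run_sanitized() {
  scratch=$1; shift
  env -i \
    PATH="$PATH" \
    HOME="$scratch" \
    XDG_CONFIG_HOME="$scratch/.config" \
    GIT_CONFIG_NOSYSTEM=1 \
    GIT_CONFIG_SYSTEM=/dev/null \
    GIT_CONFIG_GLOBAL=/dev/null \
    GIT_COMMITTER_NAME='C O Mitter' \
    GIT_COMMITTER_EMAIL='committer@example.com' \
    GIT_AUTHOR_NAME='A U Thor' \
    GIT_AUTHOR_EMAIL='author@example.com' \
    "$@"
}

# user.name as git sees it WITHOUT sanitizing (HOME is the poisoned dir).
unsanitized_user_name() {
  env -i PATH="$PATH" HOME="$1" git config --get user.name
}

# user.name WITH sanitizing: empty; git's exit status 1 for "unset" is swallowed.
sanitized_user_name() {
  run_sanitized "$1" git config --get user.name || true
}

# Committer ident under the sanitized env: from the variables, not /etc/passwd.
sanitized_committer_ident() {
  run_sanitized "$1" git var GIT_COMMITTER_IDENT
}

if command -v git >/dev/null 2>&1; then
  poisoned=$(make_poisoned_home); scratch=$(mktemp -d)
  echo "unsanitized user.name: $(unsanitized_user_name "$poisoned")"
  echo "sanitized user.name:   '$(sanitized_user_name "$scratch")'"
  echo "sanitized ident:       $(sanitized_committer_ident "$scratch")"
  rm -rf "$poisoned" "$scratch"
fi
```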