From 8519bfcf45056d8410ee456594ad804cbe22c388 Mon Sep 17 00:00:00 2001 From: Julian Goldstein Date: Mon, 22 Jun 2026 21:39:20 -0500 Subject: [PATCH] fix: pin git system config to /etc/gitconfig, not /root [bump:patch] MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit git's Makefile defaults `prefix` to $HOME. The build runs as root in Alpine, so /root got baked in and the static binary's compiled-in system config path became /root/etc/gitconfig. Wherever the relocatable binary actually runs that path is unreadable (and /root is mode-700), so every invocation aborted with "unable to access '/root/etc/gitconfig': Permission denied" before doing any work. Pin `prefix=/usr sysconfdir=/etc` so the system config resolves to the conventional /etc/gitconfig, which is absent-or-readable on a normal host. The existing in-container self-test ran as root, which is exactly why the bad path slipped through — root could read /root/.... Add a second `git init` probe as a non-root user, which reproduces the original failure mode and guards the regression. Co-Authored-By: Claude Opus 4.8 --- build/Dockerfile.git | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/build/Dockerfile.git b/build/Dockerfile.git index efe6d1f..57d1023 100644 --- a/build/Dockerfile.git +++ b/build/Dockerfile.git @@ -27,7 +27,13 @@ RUN curl -fSL -o git.tar.xz \ && rm git.tar.xz WORKDIR /src/git-${GIT_VERSION} +# git's Makefile defaults `prefix` to $HOME, which is /root in this build, so +# without these the system config path bakes in as /root/etc/gitconfig — a +# path that doesn't exist (and isn't readable) wherever the binary actually +# runs, so every invocation aborts reading it. Pin the conventional +# /etc/gitconfig instead, which is absent-or-readable on a normal host. RUN make -j"$(nproc)" \ + prefix=/usr sysconfdir=/etc \ NO_CURL=1 NO_OPENSSL=1 NO_TCLTK=1 NO_GETTEXT=1 NO_PYTHON=1 \ NO_INSTALL_HARDLINKS=1 NO_PERL=1 \ NO_REGEX=1 \ 
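Review bot: `prefix=/usr` pins more than the system config path, and the new comment above `RUN make` only documents the gitconfig part. As far as I know, git's Makefile also derives the exec path and the template directory from `prefix`. Unless the part of this `make` command outside the hunk overrides them, the binary would then resolve them to the host's `/usr/libexec/git-core` and `/usr/share/git-core/templates` rather than to nonexistent `/root` paths. On a host that has its own git installed, this "standalone" binary could therefore run that install's helpers and copy its templates on `git init`, which the in-container self-test cannot observe. I would add `# NOTE: prefix=/usr also sets the compiled-in exec path and template dir; on a host with its own git they resolve to that install.` to the comment and log `/git --exec-path` in the self-test so the baked value shows up in the build output.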
@@ -39,7 +45,13 @@ RUN make -j"$(nproc)" \ && cp git /git \ # Prove it can initialize a repo with no external helpers on PATH. && /git init -q /tmp/t && /git -C /tmp/t rev-parse --is-inside-work-tree >/dev/null \ - && echo "confirmed: git init works standalone" + && echo "confirmed: git init works standalone" \ + # Re-run as a non-root user: this is the case that caught the baked /root + # config path. If the system config still resolved under /root, a normal + # user couldn't read it and git would abort here. + && adduser -D tester \ + && su tester -c '/git init -q /tmp/t2 && /git -C /tmp/t2 rev-parse --is-inside-work-tree >/dev/null' \ + && echo "confirmed: git init works as non-root" FROM scratch AS export COPY --from=build /git /git
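Review bot: The non-root probe catches a baked-in `/root` path only indirectly, because `tester` cannot traverse `/root` in this image; it never checks which path was actually compiled into `/git`. A direct assertion next to it would not depend on the image's directory permissions or on which user runs the test, for example `&& ! grep -q '/root/' /git \` before the final `echo`. The `RUN` instruction this chain belongs to starts outside the hunk, so I cannot tell whether something earlier in it already checks the binary this way.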