NixOS / nixpkgs

Nix Packages collection & NixOS
MIT License

Unable to use nix-prefetch-git on a private repository over HTTPS #71246

Open lavoiesl opened 5 years ago

lavoiesl commented 5 years ago

Describe the bug

Depending on the configuration, git may be able to clone a private repository, but because nix sets HOME=/homeless-shelter, the configuration is lost.

To Reproduce

I’m on macOS, using a credential helper which stores the auth in the keychain:

  1. git config --global credential.helper osxkeychain
  2. git clone https://github.com/private/repo.git (may prompt for credentials the first time, but otherwise records them)
  3. nix-prefetch-git https://github.com/private/repo.git (will not use the stored credentials)

Expected behavior

I would expect nix-prefetch-git to honour my authentication configuration, OR allow me to specify the configuration manually.

Impact

This is preventing bundix from being able to handle gems specified as private repos: https://github.com/nix-community/bundix/issues/69.

Additional context

Caused by https://github.com/NixOS/nixpkgs/pull/5779, which overrides HOME.

I understand from https://github.com/NixOS/nixpkgs/issues/5777 that the HOME is overridden to prevent git hooks from firing, but I wonder if it's not too big of a hammer.

Even if we were to somehow inject a .gitconfig into a fake HOME, changing HOME completely removes the ability of git to use the credential helper:

$ echo -e "host=github.com\nprotocol=https" | git credential fill
protocol=https
host=github.com
username=lavoiesl
password=...
$ echo -e "host=github.com\nprotocol=https" | HOME=/ git credential fill
Username for 'https://github.com': ^C

Needing credentials makes the build impure, but considering that everything is hashed, I don't think it's necessary to remove them from the equation. After all, it’s really unlikely that the clone would succeed, but with a different result because of different credentials.

Additional discussion regarding passing username/password to nix-prefetch-git: https://github.com/NixOS/nixpkgs/issues/2427. The suggested solution is to use SSH, but I’m talking about HTTPS.

Idea

An interesting alternative would be to whitelist or blacklist git configs.

By setting the GIT_CONFIG env var, we can override the file that git will load for its configuration.

We can also set GIT_CONFIG_NOSYSTEM, as mentioned at https://github.com/NixOS/nixpkgs/issues/63774, to further reduce the amount of config loaded.

For a whitelist, we could start by copying all configs from git config --get-regexp 'credential.*'.

For a blacklist, we could create a file that would include the user's gitconfig, but overwrite some configs, like the one that caused it to add hooks in https://github.com/NixOS/nixpkgs/issues/5777.

Metadata

$ nix run nixpkgs.nix-info -c nix-info -m
 - system: `"x86_64-darwin"`
 - host os: `Darwin 19.0.0, macOS 10.15`
 - multi-user?: `no`
 - sandbox: `no`
 - version: `nix-env (Nix) 2.3.1`
 - channels(seb): `"nixpkgs-20.03pre196811.7818f30cc4b"`
 - nixpkgs: `/Users/seb/.nix-defexpr/channels/nixpkgs`

Maintainer information:

attribute:
  - nix-prefetch-git
  - bundix
module:
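
A worked version of the whitelist idea from the comment above, added here as an example; it is not code from nixpkgs, nix-prefetch-git or the issue author. Instead of pointing GIT_CONFIG at a file, it injects only the user's credential.* entries through git's GIT_CONFIG_COUNT / GIT_CONFIG_KEY_<n> / GIT_CONFIG_VALUE_<n> environment variables, which every git command honours from git 2.31 onwards regardless of HOME, and sets GIT_CONFIG_NOSYSTEM as suggested in #63774. The hook-related settings that the HOME override exists to keep out (core.hooksPath, init.templateDir and the like) are never copied. Assumptions: git >= 2.31 on PATH, and that nix-prefetch-git only replaces HOME and passes the rest of the environment through to git. The function names and the sample config lines in the test are constructed for this example.

```shell
#!/bin/sh
# Added example (not part of nixpkgs or nix-prefetch-git): run
# nix-prefetch-git with only the credential.* part of the user's git
# configuration injected via the environment, so it survives the
# HOME=/homeless-shelter override without carrying hook-related settings.
#
# Assumptions: git >= 2.31 (GIT_CONFIG_COUNT / GIT_CONFIG_KEY_<n> /
# GIT_CONFIG_VALUE_<n>), and that nix-prefetch-git passes the rest of the
# environment through to git unchanged.

# Read "key value" lines in the format printed by
#   git config --get-regexp '^credential\.'
# from stdin and export every credential.* entry as a numbered
# GIT_CONFIG_KEY_n / GIT_CONFIG_VALUE_n pair. Any other key is dropped,
# which is the whitelist: nothing outside credential.* reaches git.
export_credential_config() {
    n=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        key=${line%% *}      # up to the first space: the config key
        value=${line#* }     # the rest: a value may itself contain spaces
        if [ "$value" = "$line" ]; then
            value=""         # key printed with no value at all
        fi
        case "$key" in
            credential.*) ;;
            *) continue ;;
        esac
        export "GIT_CONFIG_KEY_$n=$key" "GIT_CONFIG_VALUE_$n=$value"
        n=$((n + 1))
    done
    export GIT_CONFIG_COUNT=$n
    # Also keep /etc/gitconfig out of the picture (#63774).
    export GIT_CONFIG_NOSYSTEM=1
}

# Print what will be injected, one "key=value" per line, for inspection.
show_injected_config() {
    i=0
    while [ "$i" -lt "${GIT_CONFIG_COUNT:-0}" ]; do
        eval "printf '%s=%s\n' \"\$GIT_CONFIG_KEY_$i\" \"\$GIT_CONFIG_VALUE_$i\""
        i=$((i + 1))
    done
}

# Hypothetical wrapper: collect the user's global credential config, then
# hand every argument to nix-prefetch-git. Needs git and nix-prefetch-git
# on PATH; --get-regexp exits 1 when nothing matches, hence the "|| true".
prefetch_private() {
    cfg=$(git config --global --get-regexp '^credential\.' || true)
    export_credential_config <<EOF
$cfg
EOF
    nix-prefetch-git "$@"
}

# Only run the wrapper when a URL was given, e.g.
#   sh prefetch-private.sh https://github.com/private/repo.git
if [ "$#" -gt 0 ]; then
    prefetch_private "$@"
fi
```

Two caveats worth checking before relying on this. First, the helper itself must not depend on HOME: osxkeychain reads the login keychain, but `credential.helper store` defaults to ~/.git-credentials and would look under /homeless-shelter, so it needs an explicit `store --file=/Users/you/.git-credentials`. Second, a credential.helper value is a command that git executes, so this whitelist does not make the fetch safer than the user's own ~/.gitconfig already is; what it does is keep repository- and hook-related keys from that file out of the fetch, which is the reason the HOME override was introduced in #5777. On git 2.32 or newer, GIT_CONFIG_GLOBAL can point git at a hand-written whitelisted file instead, with the same effect.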

stale[bot] commented 4 years ago

Thank you for your contributions. This has been automatically marked as stale because it has had no activity for 180 days. If this is still important to you, we ask that you leave a comment below. Your comment can be as simple as "still important to me". This lets people see that at least one person still cares about this. Someone will have to do this at most twice a year if there is no other activity. Here are suggestions that might help resolve this more quickly:

  1. Search for maintainers and people that previously touched the related code and @ mention them in a comment.
  2. Ask on the NixOS Discourse.
  3. Ask on the #nixos channel on irc.freenode.net.

emptyflask commented 4 years ago

This is still an important feature; currently I have to manually add a user:pass to the URL in Bundix's gemset.nix source.remotes to install a commercial gem.

stale[bot] commented 3 years ago

I marked this as stale due to inactivity.

adrian-gierakowski commented 3 years ago

I believe this should still be addressed

stale[bot] commented 3 years ago

I marked this as stale due to inactivity.

adrian-gierakowski commented 3 years ago

Still important

yohann-bacha commented 1 year ago

Still important, and blocking for bundix.