Jailing git commands makes bwrap complain about GNUPG related path parameters

[Hs-Yeah]

When I ran rua install command after upgraded to 0.19.8, this error popped up:

$ rua install rua
thread 'main' panicked at 'Command git fetch -q upstream failed with exit code Some(1)
Stderr: bwrap: Can't find source path /dev/null/.gnupg/pubring.kbx: Not a directory

Stdout: ', src/git_utils.rs:68:5
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace

I think this is introduced by commit eaa5910 where $HOME is set to /dev/null at line 84 of git_utils.rs.

After downgrading to 0.19.7, the error disappeared.

P.S. In my system, $GNUPGHOME is not set:

$ echo $GNUPGHOME

OS: Arch Linux x86_64 Kernel: 6.5.5-arch1-1 Shell: bash 5.1.16

[vn971]

@Hs-Yeah Hi, thanks for raising the issue! My bad (insufficient testing).

I need to understand how to fix it. I'm not 100% sure that the override you're referring is the culprit (reason of the failure). I think it has been working for a while already (setting $HOME to /dev/null as recommended in man git), but I could be wrong. Need to investigate and test properly.

If you've built rua from source and can confirm that removing this line (or the referenced commit) fixes the issue, do tell. Otherwise I'm running similar tests now.

[Hs-Yeah]

I can build rua from source, I'll test removing this line and report back later.

[vn971]

@Hs-Yeah From my current understanding, the conflict is because the commit you reference https://github.com/vn971/rua/commit/eaa59104966aa3ddf09ec42a886a501989781b54 introduces jailing for all git invocations, and the jailing script is this one: https://github.com/vn971/rua/blob/master/res/wrapper/security-wrapper.sh This jail, however, uses the $HOME variable.

[Hs-Yeah]

@Hs-Yeah From my current understanding, the conflict is because the commit you reference eaa5910 introduces jailing for all git invocations, and the jailing script is this one: https://github.com/vn971/rua/blob/master/res/wrapper/security-wrapper.sh This jail, however, uses the $HOME variable.

Yes, and as my $GNUPGHOME not set, $HOME is used, which set to /dev/null

[vn971]

On the other hand, the line 84 (that sets $HOME to /dev/null) is needed exclusively to avoid messing up with people's local git configurations (or rather, avoid being messed up by people's local git configurations). If, however, git is being put into a jail, then the $HOME directory is cleaned anyway. So line 84 can be removed now, which I suspect will fix the issue as well.

Will test it now.

[vn971]

Just for a background info if anyone might be interested. I've decided to start jailing git operations to avoid packages being able to execute what they want when reviewing them via rua. It is extremely unlikely that this would happen, but just to keep things clean, it's better to keep the jail constraints even in presence of .gitattributes file.

TL&DR; Might be an overkill, but cleaner this way.

[vn971]

This should fix the issue: https://github.com/vn971/rua/pull/217 Releasing in a moment

[Hs-Yeah]

If you've built rua from source and can confirm that removing this line (or the referenced commit) fixes the issue, do tell. Otherwise I'm running similar tests now.

Can confirm that removing this line fixes this issue. I'll try 0.19.9 and report back.

[vn971]

@Hs-Yeah Thanks! And thanks again for reporting!

[Hs-Yeah]

If you've built rua from source and can confirm that removing this line (or the referenced commit) fixes the issue, do tell. Otherwise I'm running similar tests now.

Can confirm that removing this line fixes this issue. I'll try 0.19.9 and report back.

Oh, sorry for the false reporting, I ran the wrong command (rua upgrade and did not entered o to install packages, rather than rua install directly).

With the aforementioned line removed, a new error shows up:

$ rua install rua
thread 'main' panicked at 'Command git fetch -q upstream failed with exit code Some(128)
Stderr: fatal: Not a git repository (or any parent up to mount parent /home/kozi)
Stopping at filesystem boundary (GIT_DISCOVERY_ACROSS_FILESYSTEM not set).

Stdout: ', src/git_utils.rs:68:5
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace

[vn971]

@Hs-Yeah yes, that's why the full PR https://github.com/vn971/rua/pull/217 is needed I think. Try the PR (or simply 0.19.9), it should work smoothly

[Hs-Yeah]

@Hs-Yeah yes, that's why the full PR #217 is needed I think. Try the PR (or simply 0.19.9), it should work smoothly

I am building 0.19.9 now, will report back soon. :)

[Hs-Yeah]

Can confirm 0.19.9 fix this issue. @vn971 Thank you for the quick response and quick fix!