New git config safe.directory's default breaks support for source-repository-package

[ju1m]

Describe the bug

Git >= 2.35.2 (in nixos-24.05) introduced the safe.directory config, whose default does not include /nix/store which breaks the current way haskell.nix builds a plan from a cabal.project containing any source-repository-package.

Steps To Reproduce

cabal.project:

packages: ./
with-compiler: ghc-9.4.7

source-repository-package
    type: git
    location: https://github.com/fpco/safe-decimal
    tag: 50c037b8e76fa153cdfe642c280b444fcf72ac21

flake.nix:

{
  inputs = {
    haskell-nix.url = "github:input-output-hk/haskell.nix/8a3730d8ea6f051b5ff1cb74c68ebbab2f51fbd7";
    nixpkgs.url = "github:NixOS/nixpkgs/67a8b308bae9c26be660ccceff3e53a65e01afe1";
    haskell-nix.inputs.nixpkgs.follows = "nixpkgs";
    flake-utils.url = "github:numtide/flake-utils";
    safe-decimal = { url = "github:fpco/safe-decimal/50c037b8e76fa153cdfe642c280b444fcf72ac21"; flake = false; };
  };

  outputs = inputs:
    inputs.flake-utils.lib.eachSystem
      (with inputs.flake-utils.lib.system; [ x86_64-linux ])
      (system:
        let
          pkgs = import inputs.nixpkgs {
            inherit system;
            config = inputs.haskell-nix.config;
            overlays = [ inputs.haskell-nix.overlay ];
          };
          project = pkgs.haskell-nix.cabalProject' {
            name = "hello";
            src = ./.;
            inputMap = {
              "https://github.com/fpco/safe-decimal" = inputs.safe-decimal;
            };
            compiler-nix-name = "ghc947";
            compilerSelection = pkgs: pkgs.haskell.compiler;
            modules = [ { reinstallableLibGhc = false; } ];
          };
        in project.flake'
      );

  nixConfig = {
    allow-import-from-derivation = "true";
  };
}

$ nix -L develop
warning: Git tree '/home/julm/src/haskell/test' is dirty
hello-plan-to-nix-pkgs> Cloning into '/build/tmp.TxdNINpb2z/dist-newstyle/src/ha5dggbjg_-7741b382fc456db6'...
hello-plan-to-nix-pkgs> fatal: detected dubious ownership in repository at '/nix/store/ha5dggbjg5xpv7czx6z5mbbyfib2fzzr-source-repository-package/.git'
hello-plan-to-nix-pkgs> To add an exception for this directory, call:
hello-plan-to-nix-pkgs>         git config --global --add safe.directory /nix/store/ha5dggbjg5xpv7czx6z5mbbyfib2fzzr-source-repository-package/.git
hello-plan-to-nix-pkgs> fatal: Could not read from remote repository.
hello-plan-to-nix-pkgs> Please make sure you have the correct access rights
hello-plan-to-nix-pkgs> and the repository exists.
error:
       … while evaluating the attribute 'packages'

         at /nix/store/3zp53n4295fv7l09518szwhma2wsxan1-source/lib/default.nix:396:7:

          395|       inherit name;
          396|       value =
             |       ^
          397|         # This favours the first item (`a`) in the case of duplicates

       … in the left operand of the update (//) operator

         at /nix/store/3zp53n4295fv7l09518szwhma2wsxan1-source/lib/default.nix:403:29:

          402|         else
          403|           (b.${name} or {}) // (a.${name} or {});
             |                             ^
          404|     }) (__attrNames (a // b)));

       (stack trace truncated; use '--show-trace' to show the full trace)

       error: builder for '/nix/store/15bh9y7wbwl5hz71xp34wxbqjgfssfyv-hello-plan-to-nix-pkgs.drv' failed with exit code 128;
       last 9 log lines:
       > Cloning into '/build/tmp.TxdNINpb2z/dist-newstyle/src/ha5dggbjg_-7741b382fc456db6'...
       > fatal: detected dubious ownership in repository at '/nix/store/ha5dggbjg5xpv7czx6z5mbbyfib2fzzr-source-repository-package/.git'
       > To add an exception for this directory, call:
       >
       >        git config --global --add safe.directory /nix/store/ha5dggbjg5xpv7czx6z5mbbyfib2fzzr-source-repository-package/.git
       > fatal: Could not read from remote repository.
       >
       > Please make sure you have the correct access rights
       > and the repository exists.
       For full logs, run 'nix log /nix/store/15bh9y7wbwl5hz71xp34wxbqjgfssfyv-hello-plan-to-nix-pkgs.drv'.

Bonus points if it is in a PR to add a test case.

Expected behavior

Plan builds as well as it did with git < 2.35.2 without globally adding the whole /nix/store as a safe.directory.

Additional context

[goertzenator]

Any work-arounds for this? git config --global --add safe.directory /nix/store didn't help.

[goertzenator]

Forcing an older version of git seems to do it. From my overlay that I used for my haskell.nix project:

    git = prev.git.overrideAttrs (oldAttrs: rec {
      version = "2.35.1";
      src = final.fetchurl {
        url = "https://www.kernel.org/pub/software/scm/git/git-${version}.tar.xz";
        hash = "sha256-12hSjmRD9logMDYmbxylD50Se6iXUeMurTcRftkZEIA=";
      };
    });

[ju1m]

Any work-arounds for this? git config --global --add safe.directory /nix/store didn't help.

AFAICS with git >= 2.35.2, the main work-around is to disable the safe directory check entirely:

git config --global --add safe.directory '*'

With the drawback that it's no longer "safe" when sharing drives.
Note that * cannot currently be part of a path, so /nix/store/* would not work.

[hamishmack]

A fix based on @ju1m's suggestion was included in #2156