git 2.35.5's safe.directory causes regression nixos-rebuild on git-based flakes #6443

Closed
Mic92 opened this issue Apr 24, 2022 · 6 comments · Fixed by #6643
Comments

@Mic92
Member

Mic92 commented Apr 24, 2022

Describe the bug

The issue comes if you are trying to build a flake with a different user than the repository owner:

```
sudo nixos-rebuild switch --flake /home/nicolas/dotfiles -v -L
$ nix --extra-experimental-features nix-command flakes build --out-link /tmp/nixos-rebuild.auwEsF/nixos-rebuild /home/nicolas/dotfiles#nixosConfigurations."mero".config.system.build.nixos-rebuild -v -L
fatal: unsafe repository ('/home/nicolas/dotfiles' is owned by someone else)
To add an exception for this directory, call:

	git config --global --add safe.directory /home/nicolas/dotfiles
error: program 'git' failed with exit code 128
(use '--show-trace' to show detailed location information)
```

This was originally reported here: nix-community/nix-direnv#166

I wonder if nix could change the way it calls git on these kinds of flakes in a way that both avoids the security issue that git is trying to fix and doesn't trigger the warning. The new behavior of git is described here: https://github.blog/2022-04-12-git-security-vulnerability-announced/
After all, the question is whether those security measures actually make sense in the nix context. Nix will likely build and use those flakes, which means they need to be trusted anyway. In this case it might be acceptable to just define a flake repository as a safe.directory by default.

@Artturin
Member

nixpkgs issue NixOS/nixpkgs#169193

@jessestricker

jessestricker commented Apr 26, 2022

Is there a known workaround?
I run my system using flakes and now I can't rebuild it.

Edit: Found it myself: NixOS/nixpkgs#169193 (comment)
Edit: Better workaround: NixOS/nixpkgs#169193 (comment) (thanks @TLATER)

@TLATER

TLATER commented Apr 26, 2022

@jessestricker NixOS/nixpkgs#169193 (comment) (or NixOS/nixpkgs#169193 (comment) for the explicit version) is a better workaround, since you don't need to edit the root home imperatively, and works just as well with flakes.

@ncfavier
Member

I have no idea why the "fix" for that CVE applies when we're explicitly naming the git repository to use with git -C.

@thufschmitt
Member

Should be fixed by #6440 (but feel free to reopen if it doesn’t)

@ncfavier `git -C` specifies the working directory, but not the git directory (the upwards search heuristic still applies), so an explicit `--git-dir` is still needed.
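To make the `-C` versus `--git-dir` distinction concrete, here is an added toy model of git's repository discovery and `safe.directory` ownership check (illustration only, not git's or Nix's real code); the repository path, uids and the `exists`/`owner_of` callbacks are constructed so it runs without a real repository or a second user.

```python
from pathlib import Path
from typing import Callable, Iterable, Optional
# Added illustration, not git's or Nix's real code: a simplified model of git's
# repository discovery plus the safe.directory ownership check. "exists" and
# "owner_of" are injected callbacks so it runs without a real repo or second user.

class UnsafeRepository(Exception):
    """Stands in for 'fatal: unsafe repository (... is owned by someone else)'."""

def discover_git_dir(cwd: Path, exists: Callable[[Path], bool]) -> Optional[Path]:
    """Walk upwards for a .git dir; `git -C <dir>` only changes the start point."""
    for candidate in (cwd, *cwd.parents):
        if exists(candidate / ".git"):
            return candidate / ".git"
    return None

def resolve_git_dir(cwd: Path, git_dir: Optional[Path], uid: int,
                    owner_of: Callable[[Path], int], safe_dirs: Iterable[str],
                    exists: Callable[[Path], bool]) -> Path:
    """An explicit git_dir (--git-dir / GIT_DIR) skips discovery and with it the
    ownership check. Otherwise the discovered work tree must be owned by `uid`
    or listed in safe.directory (exact path, or '*' to disable the check)."""
    if git_dir is not None:
        return git_dir
    found = discover_git_dir(cwd, exists)
    if found is None:
        raise FileNotFoundError(f"not a git repository: {cwd}")
    worktree, safe = found.parent, set(safe_dirs)
    if owner_of(worktree) != uid and "*" not in safe and str(worktree) not in safe:
        raise UnsafeRepository(f"'{worktree}' is owned by someone else")
    return found

def demo() -> dict:
    """Constructed scenario from the report: root (uid 0) builds a flake checked
    out under /home/nicolas/dotfiles, which is owned by uid 1000."""
    repo = Path("/home/nicolas/dotfiles")
    exists = lambda p: p == repo / ".git"
    owner_of = lambda p: 1000 if p == repo else 0
    common = dict(uid=0, owner_of=owner_of, exists=exists)
    results = {}
    try:  # shape of nix's original call: git -C /home/nicolas/dotfiles ...
        results["dash_C"] = str(resolve_git_dir(repo, None, safe_dirs=[], **common))
    except UnsafeRepository as e:
        results["dash_C"] = f"fatal: unsafe repository ({e})"
    # Workaround from the thread: a safe.directory exception for this repo.
    results["safe_directory"] = str(resolve_git_dir(repo, None, safe_dirs=[str(repo)], **common))
    # Fix discussed in the thread: an explicit --git-dir bypasses discovery and the check.
    results["git_dir"] = str(resolve_git_dir(repo, repo / ".git", safe_dirs=[], **common))
    # -C into a subdirectory still walks up to the same work tree.
    results["subdir"] = str(discover_git_dir(repo / "hosts" / "mero", exists))
    return results
```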

@nixos-discourse

This issue has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/nixos-rebuild-switch-fails-under-flakes-and-doas-with-git-warning-about-dubious-ownership/46069/9
