
Update git2 requirement from 0.14 to 0.15 #126

Closed
wants to merge 1 commit into from

Conversation


@dependabot dependabot bot commented on behalf of github Aug 1, 2022

Updates the requirements on git2 to permit the latest version.

Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot dependabot bot added the dependencies Pull requests that update a dependency file label Aug 1, 2022

codecov bot commented Aug 1, 2022

Codecov Report

Merging #126 (d01b7f8) into master (759c352) will increase coverage by 0.39%.
The diff coverage is n/a.

❗ Current head d01b7f8 differs from pull request most recent head 5cca050. Consider uploading reports for the commit 5cca050 to get more accurate results

@@            Coverage Diff             @@
##           master     #126      +/-   ##
==========================================
+ Coverage   93.86%   94.25%   +0.39%     
==========================================
  Files          11       11              
  Lines        1189     1184       -5     
==========================================
  Hits         1116     1116              
+ Misses         73       68       -5     
Impacted Files    Coverage Δ
src/config.rs     92.56% <0.00%> (+2.96%) ⬆️
src/lib.rs        66.66% <0.00%> (+3.50%) ⬆️



gorzell commented Aug 1, 2022

I ran into the issue that this upgrade causes with vergen because my project also uses libgit2. Here are some notes about what the issue is and one potential workaround.

It looks like libgit2 picked up some security related changes that git implemented in ~April. It should only be happening in Docker if the repo directory is being mounted into the container via a volume mount. This is because the mounted directory might have a different owner than the parent. In my case /workspace was owned by UID 1000, and / is naturally owned by root or UID 1. I don't think that this will happen in a docker build because often everything is owned by root but I guess if you changed users it would still be possible.

For now we just added this line to our Docker execution:

git config --global --add safe.directory /workspace

There may be better solutions, but this seemed like an expedient way to get things working without having to downgrade to a less secure version of libgit2.

@CraZySacX

I'll add a note to the docs and README about the docker solution and will bump back up the version of git2

@dependabot dependabot bot force-pushed the dependabot/cargo/git2-0.15 branch from dedf97a to ca2d8af on August 8, 2022 15:30
@CraZySacX

I'm going to have to think about this. @gorzell When you say "For now we just added this line to our Docker execution", do you mean you used docker exec on an already running container? I hit this issue using clux/muslrust to build a project I have that has a dependency on vergen. I don't control the image build, and I use docker run for one off builds. Not sure how I would apply that fix to my situation.

As a side note, I was going to add a feature "git2_latest" that allowed users to build with a version appropriate for their needs, but even though cargo allows renaming dependencies, the resolver would fail because they try to link out to different versions of libgit2-sys. Haven't figured out a way around this yet.

I may just release vergen with the 0.15 dependency and put a note to stick on version X if you need it for docker and don't control the build/execution.

@dependabot dependabot bot force-pushed the dependabot/cargo/git2-0.15 branch 2 times, most recently from d01b7f8 to b1f6295 on August 9, 2022 15:22
Updates the requirements on [git2](https://github.com/rust-lang/git2-rs) to permit the latest version.
- [Release notes](https://github.com/rust-lang/git2-rs/releases)
- [Commits](rust-lang/git2-rs@0.14.0...git2-curl-0.15.0)

---
updated-dependencies:
- dependency-name: git2
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot force-pushed the dependabot/cargo/git2-0.15 branch from b1f6295 to 5cca050 on August 9, 2022 15:29
@CraZySacX CraZySacX closed this Aug 9, 2022

dependabot bot commented on behalf of github Aug 9, 2022

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.

@dependabot dependabot bot deleted the dependabot/cargo/git2-0.15 branch August 9, 2022 15:31

gorzell commented Aug 12, 2022

> do you mean you used docker exec on an already running container?

@CraZySacX in this specific case yes, although you could also do it in a Dockerfile. If you have no control over the execution or creation of the Docker environment, it is probably a bit harder.

docker exec builder git config --global --add safe.directory /workspace

There are a number of ways that you could add this to your run command, but none of them are pretty, especially if you are relying on the default ENTRYPOINT or CMD. The easiest would be to actually preface the real command you want to run with git config --global --add safe.directory /workspace &&. A final option would be to mount a valid .gitconfig file with the proper entry for safe.directory into the container in $HOME/.gitconfig, i.e. docker run -v gitconfig:/root/.gitconfig:ro
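The ownership check described in the first comment above, together with the mounted `.gitconfig` workaround from this one, as an added Rust example that is not vergen's, git2-rs's or libgit2's code. It models the trust decision in a simplified form (repository owner matches the running user, or the path is listed under `safe.directory`, or the entry is `*`), parses a `[safe]` section the way the multi-valued key is stored, and renders a config fragment suitable for mounting read-only at `$HOME/.gitconfig`. The exact-match-or-`*` rule is an assumption taken from git's documented behaviour (pattern forms that newer git versions accept are not modelled), and all function names are hypothetical.

```rust
use std::fs;
use std::os::unix::fs::MetadataExt;
use std::path::Path;

/// Collect every `directory = ...` value from the `[safe]` section of a
/// gitconfig-style text. The key is multi-valued, which is why the thread
/// uses `git config --global --add safe.directory ...` rather than a plain set.
pub fn parse_safe_directories(config: &str) -> Vec<String> {
    let mut in_safe = false;
    let mut dirs = Vec::new();
    for raw in config.lines() {
        let line = raw.trim();
        if line.is_empty() || line.starts_with('#') || line.starts_with(';') {
            continue;
        }
        if line.starts_with('[') {
            // Section header: only `[safe]` is of interest here.
            in_safe = line.eq_ignore_ascii_case("[safe]");
            continue;
        }
        if !in_safe {
            continue;
        }
        if let Some((key, value)) = line.split_once('=') {
            if key.trim().eq_ignore_ascii_case("directory") {
                dirs.push(value.trim().to_string());
            }
        }
    }
    dirs
}

/// Simplified model of the git/libgit2 ownership check (assumption: an entry
/// must match the repository path exactly, or be `*` to disable the check).
/// A repository owned by the running user is always trusted; one owned by a
/// different uid (the volume-mounted /workspace case) is trusted only when listed.
pub fn repo_is_trusted(repo_dir: &str, owner_uid: u32, current_uid: u32, safe_dirs: &[String]) -> bool {
    if owner_uid == current_uid {
        return true;
    }
    safe_dirs.iter().any(|d| d == "*" || d == repo_dir)
}

/// Owner uid of a real path (Unix only): the value git compares against the
/// effective uid of the process before deciding whether to trust the repository.
pub fn owner_uid(path: &Path) -> std::io::Result<u32> {
    Ok(fs::metadata(path)?.uid())
}

/// Render a `[safe]` section for a file to mount read-only at $HOME/.gitconfig
/// inside the container, the third workaround mentioned in the thread.
pub fn render_gitconfig(safe_dirs: &[&str]) -> String {
    let mut out = String::from("[safe]\n");
    for dir in safe_dirs {
        out.push_str(&format!("\tdirectory = {}\n", dir));
    }
    out
}

fn main() {
    // Constructed scenario from the thread: /workspace mounted from the host
    // and owned by uid 1000, while the build inside the container runs as root.
    let config = render_gitconfig(&["/workspace"]);
    let safe = parse_safe_directories(&config);
    print!("{}", config);
    println!("trusted without config: {}", repo_is_trusted("/workspace", 1000, 0, &[]));
    println!("trusted with config:    {}", repo_is_trusted("/workspace", 1000, 0, &safe));
    if let Ok(uid) = owner_uid(Path::new("/")) {
        println!("owner of /: uid {}", uid);
    }
}
```

Listing only the exact mounted path keeps the check meaningful for every other directory; `*` disables it entirely and is the option to avoid in shared or CI images.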
