add /etc/gitconfig by default for better git security

```
[core]
	symlinks = false

[transfer]
	fsckobjects = true
	fsckobjects = true
[fetch]
	fsckobjects = true
	fsckobjects = true
[receive]
	fsckobjects = true
	fsckobjects = true
```

+ additional suggestions as comments

fixes https://github.com/Kicksecure/security-misc/issues/225
This commit is contained in:
Patrick Schleizer 2024-05-28 07:51:06 -04:00
parent bfca98ea89
commit 4efa293f3b
No known key found for this signature in database
GPG Key ID: CB8D50BB77BB3C48

41
etc/gitconfig Normal file
View File

@ -0,0 +1,41 @@
## Copyright (C) 2024 - 2024 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
## Lines starting with a hash symbol ('#') are comments.
## https://github.com/Kicksecure/security-misc/issues/225
[core]
## https://github.com/git/git/security/advisories/GHSA-8prw-h3cq-mghm
symlinks = false
## https://forums.whonix.org/t/git-users-enable-fsck-by-default-for-better-security/2066
[transfer]
fsckobjects = true
fsckobjects = true
[fetch]
fsckobjects = true
fsckobjects = true
[receive]
fsckobjects = true
fsckobjects = true
## Generally a good idea but too intrusive to enable by default.
## Listed here as suggestions what users should put into their ~/.gitconfig
## file.
## Not enabled by default because it requires essential knowledge about OpenPG
## and an already existing local signing key. Otherwise would prevent all new
## commits.
#[commit]
# gpgsign = true
## Not enabled by default because it would break the 'git merge' command for
## unsigned commits and require the '--no-verify-signature' command line
## option.
#[merge]
# verifySignatures = true
## Not enabled by default because it would break for users who are not having
## an account at the git server and having added a SSH public key.
#[url "ssh://git@github.com/"]
# insteadOf = https://github.com/