add /etc/gitconfig by default for better git security

``` [core] symlinks = false [transfer] fsckobjects = true fsckobjects = true [fetch] fsckobjects = true fsckobjects = true [receive] fsckobjects = true fsckobjects = true ``` + additional suggestions as comments fixes #225
Kicksecure · May 28, 2024 · 4efa293 · 4efa293
1 parent bfca98e
commit 4efa293
Showing 1 changed file with 41 additions and 0 deletions.
diff --git a/etc/gitconfig b/etc/gitconfig
@@ -0,0 +1,41 @@
+## Copyright (C) 2024 - 2024 ENCRYPTED SUPPORT LP <[email protected]>
+## See the file COPYING for copying conditions.
+
+## Lines starting with a hash symbol ('#') are comments.
+## https://github.com/Kicksecure/security-misc/issues/225
+
+[core]
+## https://github.com/git/git/security/advisories/GHSA-8prw-h3cq-mghm
+	symlinks = false
+
+## https://forums.whonix.org/t/git-users-enable-fsck-by-default-for-better-security/2066
+[transfer]
+	fsckobjects = true
+	fsckobjects = true
+[fetch]
+	fsckobjects = true
+	fsckobjects = true
+[receive]
+	fsckobjects = true
+	fsckobjects = true
+
+## Generally a good idea but too intrusive to enable by default.
+## Listed here as suggestions what users should put into their ~/.gitconfig
+## file.
+
+## Not enabled by default because it requires essential knowledge about OpenPG
+## and an already existing local signing key. Otherwise would prevent all new
+## commits.
+#[commit]
+#	gpgsign = true
+
+## Not enabled by default because it would break the 'git merge' command for
+## unsigned commits and require the '--no-verify-signature' command line
+## option.
+#[merge]
+#	verifySignatures = true
+
+## Not enabled by default because it would break for users who are not having
+## an account at the git server and having added a SSH public key.
+#[url "ssh://[email protected]/"]
+#	insteadOf = https://github.com/