Hatch ignores global .gitignore, leaking private keys

[skorokithakis]

I built a package using hatch, which, unbeknownst to me, ignored my ~/.gitignore_global, including in the package my .envrc with secret keys.

This is a fairly major footgun, as I imagine quite a few packages like this will include files that their authors didn't intend (files which git ignores, so the authors don't realize will be included).

[ofek]

Hey there Stavros, good to see you again!

There is another similar issue open which I will fix by introducing an option to use the Git CLI. Something to keep in mind about why I choose files by default is because building from the source directory on your local machine or CI is not the only way projects are built and indeed it is the rarest situation. More often than not people build packages using a GitHub release archive or even more frequently the source distributions from PyPI. In these cases there is no Git checkout to speak of.

[skorokithakis]

Haha, hello! The internet is small.

I definitely agree, but it's usually a good idea to ignore all the files in all the .gitignore files by default, as they're usually build artifacts and the like. What do you mean when you say "the git CLI", would this not just be hatch parsing the ignore files in the same way git does?

[ofek]

Yes ignore files within the repo are used by default but Git takes into account locations other than the project directory which is the issue here.

[skorokithakis]

Agreed, but I mean, are you planning to call out to git somehow to get a list of files, or to reimplement its logic?

[ofek]

To call it directly when the new option is enabled.

[skorokithakis]

I see, thanks!

[ofek]

Happy to help! I will post the other issue here sometime tonight when I find it.

OT: this is still one of my favorite contributions skorokithakis/catt#92

[skorokithakis]

Hahah that was great, I loved it. Such a good PR.