git.vger.kernel.org archive mirror
From: Andreas Ericsson <ae@op5.se>
To: Sitaram Chamarty <sitaramc@gmail.com>
Cc: Git Mailing List <git@vger.kernel.org>
Subject: Re: what are the chances of a 'pre-upload' hook?
Date: Fri, 25 Nov 2011 14:09:49 +0100
Message-ID: <4ECF939D.8020706@op5.se>
In-Reply-To: <CAMK1S_gh_CsWc-DnbOuUwn+H1i3skm99xzDbWe-wxsKKS0Qw-w@mail.gmail.com>

On 11/25/2011 05:13 AM, Sitaram Chamarty wrote:
> On Fri, Nov 25, 2011 at 8:46 AM, Sitaram Chamarty<sitaramc@gmail.com>  wrote:
>> (...and/or a post-upload hook)
>>
>> Has this ever come up?
> 
> Sorry for the google-fu fail and for replying to my own post.
> http://git.661346.n2.nabble.com/Removal-of-post-upload-hook-td4394312.html
> is the longest thread I (later) found.
> 
> The quick summary, in the words of Jeff (second post in that link) is:
> "Because [upload]-pack runs as the user who is [fetching], not as the
> repository owner. So by convincing you to [fetch from] my repository
> in a multi-user environment, I convince you to run some arbitrary code
> of mine."
> 
> My contention (today) is:
> 
>    - you're already taking that risk for push
>    - so this would add a new risk only for people who fetch but don't push
>    - which, I submit, is a very small (if not almost empty) set of people
> 

People who fetch but don't push are, by far, the vast majority of git users.
Think of everyone fetching from any public software repository without
having write access to it. If you think of git.git and linux.git alone
I think it's safe to assume the number of "fetch-no-push" outnumber the
"push-and-whatnot" group by some quarter million to one.

> I may be wrong but I imagine shared environments are those where
> almost everyone will push at least once in a while.  It's a closed
> group of people, probably all developers, etc etc etc...
> 

Not really. We fetch from each other quite a lot at work, and from
each other's semi-public repositories on a shared server where we've
all got accounts (i.e., write access), but we very, very rarely push
into each other's repositories. The sharepoint is the "official" repo
on the repo-server, which the buildbots get their code from and where
everything to be released, maintained or handled in some way in the
future resides.

Anyways. Shooting down the arguments *against* pre-upload hooks is
quite silly if it's not combined with some fresh arguments *for* such
a hook.

So... What use case do you envision where you'd need one?

-- 
Andreas Ericsson                   andreas.ericsson@op5.se
OP5 AB                             www.op5.se
Tel: +46 8-230225                  Fax: +46 8-230231

Considering the successes of the wars on alcohol, poverty, drugs and
terror, I think we should give some serious thought to declaring war
on peace.
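
The push-side exposure referred to in the quoted text ("you're already taking that risk for push") can be audited on a shared server. The following is an added example, not part of the original message or of git itself: it lists enabled receive-side hooks in a repository that are owned by a different account, that is, code that would run under your own uid if you pushed there through a local path or your own SSH account. The function names and the sample repository are constructed for illustration, and `core.hooksPath` is not consulted.

```python
import os
import stat
import tempfile

# Hooks that git-receive-pack runs on the receiving side of a push.
RECEIVE_HOOKS = ("pre-receive", "update", "post-receive", "post-update")


def hooks_dir(repo):
    """Return the hooks directory of a bare or non-bare repository, or None."""
    for sub in ("hooks", os.path.join(".git", "hooks")):
        if os.path.isdir(os.path.join(repo, sub)):
            return os.path.join(repo, sub)
    return None


def foreign_receive_hooks(repo, my_uid=None):
    """List (hook, owner_uid) for enabled receive-side hooks not owned by my_uid."""
    my_uid = os.getuid() if my_uid is None else my_uid
    hdir = hooks_dir(repo)
    if hdir is None:
        return []
    found = []
    for name in RECEIVE_HOOKS:
        path = os.path.join(hdir, name)
        try:
            st = os.stat(path)  # follows symlinks: the target is what would run
        except FileNotFoundError:
            continue
        enabled = stat.S_ISREG(st.st_mode) and st.st_mode & 0o111
        if enabled and st.st_uid != my_uid:
            found.append((name, st.st_uid))
    return found


def make_sample_repo():
    """Constructed sample: bare-repo layout with one enabled, one disabled hook."""
    repo = tempfile.mkdtemp(suffix=".git")
    os.mkdir(os.path.join(repo, "hooks"))
    for name, mode in (("post-receive", 0o755), ("update", 0o644), ("pre-receive.sample", 0o755)):
        path = os.path.join(repo, "hooks", name)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\nexit 0\n")
        os.chmod(path, mode)
    return repo


if __name__ == "__main__":
    print(foreign_receive_hooks(make_sample_repo(), my_uid=os.getuid() + 1))
```

Passing `my_uid` explicitly lets the sample run without a second account; in real use, call it with the default so the comparison is against the invoking user.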
