Restricting access to a branch

Restricting access to a branch

[Stephen Hemminger]

Is there some standard way to freeze a branch and not allow anymore changes to
be pushed?

Yes, I know it is possible by playing with hook files, but that doesn't seem
very admin friendly.

Re: Restricting access to a branch

[Junio C Hamano]

Stephen Hemminger <shemminger@vyatta.com> writes:

> Is there some standard way to freeze a branch and not allow anymore changes to
> be pushed?
>
> Yes, I know it is possible by playing with hook files, but that doesn't seem
> very admin friendly.

If you do not want to use hooks, then the answer is no.  Sorry.

Re: Restricting access to a branch

[Linus Torvalds]

On Wed, 21 May 2008, Junio C Hamano wrote:

> Stephen Hemminger <shemminger@vyatta.com> writes:
> 
> > Is there some standard way to freeze a branch and not allow anymore changes to
> > be pushed?
> >
> > Yes, I know it is possible by playing with hook files, but that doesn't seem
> > very admin friendly.
> 
> If you do not want to use hooks, then the answer is no.  Sorry.

Hmm. I don't think that's strictly true.

What you *can* do is:

 - rename the branch to something that includes a slash (aka 
   subdirectory). Let's call it "frozen/mybranch" as an example.

 - do a 'git gc' to make sure that branch is in the packed refs file.

 - make the subdirectory of that branch is unwritable (ie just do 
   something like "chmod -w refs/heads/frozen")

and now the filesystem permissions should mean that you can't actually 
update that branch any more, even though you can read it.

Of course, if the person has full shell access, then they can still just 
undo those file permissions, but at least it should be protected from 
accidentally being overwritten.

This is all totally untested, of course.

		Linus

Re: Restricting access to a branch

[Junio C Hamano]

Linus Torvalds <torvalds@linux-foundation.org> writes:

> What you *can* do is:
>
>  - rename the branch to something that includes a slash (aka 
>    subdirectory). Let's call it "frozen/mybranch" as an example.
>
>  - do a 'git gc' to make sure that branch is in the packed refs file.
>
>  - make the subdirectory of that branch is unwritable (ie just do 
>    something like "chmod -w refs/heads/frozen")
>
> and now the filesystem permissions should mean that you can't actually 
> update that branch any more, even though you can read it.

Hmmmmm... and deleting of the branch would take the same lock used for
updating, which is under frozen/ directory, so that is also safe.

That's sneaky.

I'd however throw that into "happens to work, unsure if we would want to
promise supporting it as a _feature_ forever" category.

Re: Restricting access to a branch

[Jakub Narebski]

Junio C Hamano <gitster@pobox.com> writes:

> Linus Torvalds <torvalds@linux-foundation.org> writes:
> 
> > What you *can* do is:
> >
> >  - rename the branch to something that includes a slash (aka 
> >    subdirectory). Let's call it "frozen/mybranch" as an example.
> >
> >  - do a 'git gc' to make sure that branch is in the packed refs file.
> >
> >  - make the subdirectory of that branch is unwritable (ie just do 
> >    something like "chmod -w refs/heads/frozen")
> >
> > and now the filesystem permissions should mean that you can't actually 
> > update that branch any more, even though you can read it.
> 
> Hmmmmm... and deleting of the branch would take the same lock used for
> updating, which is under frozen/ directory, so that is also safe.
> 
> That's sneaky.
> 
> I'd however throw that into "happens to work, unsure if we would want to
> promise supporting it as a _feature_ forever" category.

Another solution would be to make it lightweight tag, i.e. change if
from refs/heads/somebranch to refs/tags/somebranch (by tagging, for
example).

-- 
Jakub Narebski
Poland
ShadeHawk on #git