Git Hooks

Git Hooks

[daicoden]

Hi,

I have a git repo host at /home/git/blog.git.  I have a copy checked out at
/var/www/blog.  I have a script as follows:

cd /var/www/blog
thin -s 2 -C config.yml -R config.ru stop
git pull origin master
thin -s 2 -C config.yml -R config.ru start 

>From a local machine I can commit to the repo, push, and then run this
script and the server will update just fine.  I wanted to make this
automatic so I wrote the following post-receive hook.

if git log -n1 | grep -q "#publish" || git log -n1 | grep -q "#Publish"
then
        ~/bin/update-blog
fi

If #publish is in the commit message then it runs the first script.  I found
through trial and error that when you use the command git from within a git
hook it needs to be executed in a .git directory, so I changed the first
script to.

cd /var/www/blog
thin -s 2 -C config.yml -R config.ru stop
cd .git
git pull origin master
cd ..
thin -s 2 -C config.yml -R config.ru start 

Everything executes, I see the messages of the server stopping, the new info
being pulled, then the server starts again, but the server does not reflect
any changes.  If I then manually stop the server, use git reset --hard, and
then start the server again it works fine.

My only thought is that the cause of this has something to do with git
operating differently when you call it from within a hook.  Unfortunately, I
don't have any thoughts on how to fix it.
-- 
View this message in context: http://www.nabble.com/Git-Hooks-tp25482688p25482688.html
Sent from the git mailing list archive at Nabble.com.

Re: Git Hooks

[Junio C Hamano]

daicoden <daicoden@copypastel.com> writes:

> cd /var/www/blog
> thin -s 2 -C config.yml -R config.ru stop
> cd .git
> git pull origin master
> cd ..
> thin -s 2 -C config.yml -R config.ru start 

Unless you have a strange configuration in which you have work tree files
inside a .git directory of another repository, running "git pull" after
going into .git directory does not make any sense.

Perhaps add this

	unset GIT_DIR

at the very beginning of your original script would make it work better?

Git Hooks

[Satyakiran Duggina]

I see that `git init` creates a .git directory and hooks are to be
placed in that directory and these hooks are not tracked by version
control. To achieve tracked hooks, either each developer has to copy
the hooks or use tools like overcommit, pre-commit, husky etc.

I'm wondering why hooks are not made external like .gitignore. I guess
it would be better to have two git configuration directories in a
repo, one hosting all the metadata managed by git and the other with
user configured data (hooks, ignore/exclude, repo config etc).

Kindly let me know why the current design choice is made and if the
proposed change would introduce unseen issues.


Thanks,
Satya

Re: Git Hooks

[Bryan Turner]

On Fri, Dec 15, 2017 at 11:12 AM, Satyakiran Duggina
<satya0521@gmail.com> wrote:
> I see that `git init` creates a .git directory and hooks are to be
> placed in that directory and these hooks are not tracked by version
> control. To achieve tracked hooks, either each developer has to copy
> the hooks or use tools like overcommit, pre-commit, husky etc.
>
> I'm wondering why hooks are not made external like .gitignore. I guess
> it would be better to have two git configuration directories in a
> repo, one hosting all the metadata managed by git and the other with
> user configured data (hooks, ignore/exclude, repo config etc).

Hooks are not external because they're not trusted. It essentially
amounts to allowing someone to download an arbitrary script or program
onto your computer which you then execute. It's extremely unsafe, and
is intentionally not possible. To get hooks in your instance, you have
to _manually_ install them. This gives you a chance to _review_ them
before they start executing on your system. Any other approach and the
hooks become an attack vector.

>
> Kindly let me know why the current design choice is made and if the
> proposed change would introduce unseen issues.
>
>
> Thanks,
> Satya

Hope this helps!
Bryan Turner

Re: Git Hooks

[Satyakiran Duggina]

Thanks, Bryan.

To give the code pullers a chance to review, can we not have a
`trusted-hooks: default` and `trusted-SHA: <some sha>` field in .git/.
I'm assuming githooks/ are source tracked here.

When developer tries to execute `git commit`, git can ask developer to
change `trusted-hooks` field to true or false. Let's say developer
sets it to true, git can record the SHA. If any latest pull has the
hooks changed, git can revert the `trusted-hook` to default.

This way there is not much hassle for developers to manually copy
hooks all the time. And at the same time, they are not running scripts
that they haven't reviewed.

Will this work?



On Fri, Dec 15, 2017 at 11:23 AM, Bryan Turner <bturner@atlassian.com> wrote:
> On Fri, Dec 15, 2017 at 11:12 AM, Satyakiran Duggina
> <satya0521@gmail.com> wrote:
>> I see that `git init` creates a .git directory and hooks are to be
>> placed in that directory and these hooks are not tracked by version
>> control. To achieve tracked hooks, either each developer has to copy
>> the hooks or use tools like overcommit, pre-commit, husky etc.
>>
>> I'm wondering why hooks are not made external like .gitignore. I guess
>> it would be better to have two git configuration directories in a
>> repo, one hosting all the metadata managed by git and the other with
>> user configured data (hooks, ignore/exclude, repo config etc).
>
> Hooks are not external because they're not trusted. It essentially
> amounts to allowing someone to download an arbitrary script or program
> onto your computer which you then execute. It's extremely unsafe, and
> is intentionally not possible. To get hooks in your instance, you have
> to _manually_ install them. This gives you a chance to _review_ them
> before they start executing on your system. Any other approach and the
> hooks become an attack vector.
>
>>
>> Kindly let me know why the current design choice is made and if the
>> proposed change would introduce unseen issues.
>>
>>
>> Thanks,
>> Satya
>
> Hope this helps!
> Bryan Turner



-- 
Regards & Thanks
Satya Kiran Duggina

Re: Git Hooks

[Jeff King]

On Fri, Dec 15, 2017 at 12:48:07PM -0800, Satyakiran Duggina wrote:

> To give the code pullers a chance to review, can we not have a
> `trusted-hooks: default` and `trusted-SHA: <some sha>` field in .git/.
> I'm assuming githooks/ are source tracked here.
> 
> When developer tries to execute `git commit`, git can ask developer to
> change `trusted-hooks` field to true or false. Let's say developer
> sets it to true, git can record the SHA. If any latest pull has the
> hooks changed, git can revert the `trusted-hook` to default.
> 
> This way there is not much hassle for developers to manually copy
> hooks all the time. And at the same time, they are not running scripts
> that they haven't reviewed.

We've talked about doing something like this (though more for config
than for hooks). But what the discussion always come down to is that
carrying a script like "import-hooks.sh" in the repository ends up being
the exact same amount of work for the developer as any git-blessed "OK,
trust these hooks" command.

And it's a lot more flexible. The writer of that script can touch hooks,
config, etc. They can base decisions about what values to use based on
data that Git otherwise wouldn't care about (e.g., uname). And they only
have to handle cases that the project cares about, whereas anything Git
does has to work everywhere.

-Peff

Allowing remote git repos to set config & hook configuration

[Ævar Arnfjörð Bjarmason]

On Sat, Dec 16 2017, Jeff King jotted:

> On Fri, Dec 15, 2017 at 12:48:07PM -0800, Satyakiran Duggina wrote:
>
>> To give the code pullers a chance to review, can we not have a
>> `trusted-hooks: default` and `trusted-SHA: <some sha>` field in .git/.
>> I'm assuming githooks/ are source tracked here.
>>
>> When developer tries to execute `git commit`, git can ask developer to
>> change `trusted-hooks` field to true or false. Let's say developer
>> sets it to true, git can record the SHA. If any latest pull has the
>> hooks changed, git can revert the `trusted-hook` to default.
>>
>> This way there is not much hassle for developers to manually copy
>> hooks all the time. And at the same time, they are not running scripts
>> that they haven't reviewed.
>
> We've talked about doing something like this (though more for config
> than for hooks). But what the discussion always come down to is that
> carrying a script like "import-hooks.sh" in the repository ends up being
> the exact same amount of work for the developer as any git-blessed "OK,
> trust these hooks" command.
>
> And it's a lot more flexible. The writer of that script can touch hooks,
> config, etc. They can base decisions about what values to use based on
> data that Git otherwise wouldn't care about (e.g., uname). And they only
> have to handle cases that the project cares about, whereas anything Git
> does has to work everywhere.

I brought this up at the dev meeting we had in NYC (and you can see how
much I care since it's not implemented): It would be really neat to have
a system supported in git which would work the same way Emacs treats
safe file variables:
https://www.gnu.org/software/emacs/manual/html_node/emacs/Safe-File-Variables.html#Safe-File-Variables

I.e. git would recognize a .gitconfig and .githooks/* shipped in any
repo, but completely ignore those by default, but you could then set
config (in .git/config or ~/.gitconfig etc) which would whitelist
certain types of config brought in from the repo.

This is how Emacs does it and it strikes a really good balance between
security and convenience, e.g. I can say a file is allowed to tweak my
tab width settings, but can't alter my load path, or is allowed to
specify a syntax highlighting mode etc.

So you could for example say that any repo you clone is allowed to alter
the value of sendemail.to, or the value of tag.sort. It would work
really well with includeIf, e.g. I could clone all my work repos to a
"safe" area in ~/work which is allowed to set more options,
e.g. aliases.

Other values would either be ignored, or you could set them to "ask", so
for example, when we clone a bunch of config would be accepted because
you'd said it was OK for any repo, and then client would ask you if you
wanted to setup a hook the repo is suggesting.

This would be a much better user experience than every repo that needs
this suggesting in a README that you should run some local shellscript,
and would strike a good balance between security and convenience since
we'd ignore all of this by default, with the user needing to granularly
opt-in.