git@vger.kernel.org mailing list mirror (one of many)
 help / Atom feed
From: Ævar Arnfjörð Bjarmason <avarab@gmail.com>
To: Jeff King <peff@peff.net>
Cc: Satyakiran Duggina <satya0521@gmail.com>,
	Bryan Turner <bturner@atlassian.com>,
	Git Users <git@vger.kernel.org>,
	Junio C Hamano <gitster@pobox.com>
Subject: Allowing remote git repos to set config & hook configuration
Date: Tue, 19 Dec 2017 14:55:30 +0100
Message-ID: <87zi6eakkt.fsf@evledraar.gmail.com> (raw)
In-Reply-To: <20171216095357.GB32706@sigill.intra.peff.net>


On Sat, Dec 16 2017, Jeff King jotted:

> On Fri, Dec 15, 2017 at 12:48:07PM -0800, Satyakiran Duggina wrote:
>
>> To give the code pullers a chance to review, can we not have a
>> `trusted-hooks: default` and `trusted-SHA: <some sha>` field in .git/.
>> I'm assuming githooks/ are source tracked here.
>>
>> When developer tries to execute `git commit`, git can ask developer to
>> change `trusted-hooks` field to true or false. Let's say developer
>> sets it to true, git can record the SHA. If any latest pull has the
>> hooks changed, git can revert the `trusted-hook` to default.
>>
>> This way there is not much hassle for developers to manually copy
>> hooks all the time. And at the same time, they are not running scripts
>> that they haven't reviewed.
>
> We've talked about doing something like this (though more for config
> than for hooks). But what the discussion always come down to is that
> carrying a script like "import-hooks.sh" in the repository ends up being
> the exact same amount of work for the developer as any git-blessed "OK,
> trust these hooks" command.
>
> And it's a lot more flexible. The writer of that script can touch hooks,
> config, etc. They can base decisions about what values to use based on
> data that Git otherwise wouldn't care about (e.g., uname). And they only
> have to handle cases that the project cares about, whereas anything Git
> does has to work everywhere.

I brought this up at the dev meeting we had in NYC (and you can see how
much I care since it's not implemented): It would be really neat to have
a system supported in git which would work the same way Emacs treats
safe file variables:
https://www.gnu.org/software/emacs/manual/html_node/emacs/Safe-File-Variables.html#Safe-File-Variables

I.e. git would recognize a .gitconfig and .githooks/* shipped in any
repo, but completely ignore those by default, but you could then set
config (in .git/config or ~/.gitconfig etc) which would whitelist
certain types of config brought in from the repo.

This is how Emacs does it and it strikes a really good balance between
security and convenience, e.g. I can say a file is allowed to tweak my
tab width settings, but can't alter my load path, or is allowed to
specify a syntax highlighting mode etc.

So you could for example say that any repo you clone is allowed to alter
the value of sendemail.to, or the value of tag.sort. It would work
really well with includeIf, e.g. I could clone all my work repos to a
"safe" area in ~/work which is allowed to set more options,
e.g. aliases.

Other values would either be ignored, or you could set them to "ask", so
for example, when we clone a bunch of config would be accepted because
you'd said it was OK for any repo, and then client would ask you if you
wanted to setup a hook the repo is suggesting.

This would be a much better user experience than every repo that needs
this suggesting in a README that you should run some local shellscript,
and would strike a good balance between security and convenience since
we'd ignore all of this by default, with the user needing to granularly
opt-in.

      reply index

Thread overview: 5+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-12-15 19:12 Git Hooks Satyakiran Duggina
2017-12-15 19:23 ` Bryan Turner
2017-12-15 20:48   ` Satyakiran Duggina
2017-12-16  9:53     ` Jeff King
2017-12-19 13:55       ` Ævar Arnfjörð Bjarmason [this message]

Reply instructions:

You may reply publically to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

  List information: http://vger.kernel.org/majordomo-info.html

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=87zi6eakkt.fsf@evledraar.gmail.com \
    --to=avarab@gmail.com \
    --cc=bturner@atlassian.com \
    --cc=git@vger.kernel.org \
    --cc=gitster@pobox.com \
    --cc=peff@peff.net \
    --cc=satya0521@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

git@vger.kernel.org mailing list mirror (one of many)

Archives are clonable:
	git clone --mirror https://public-inbox.org/git
	git clone --mirror http://ou63pmih66umazou.onion/git
	git clone --mirror http://czquwvybam4bgbro.onion/git
	git clone --mirror http://hjrcffqmbrq6wope.onion/git

Newsgroups are available over NNTP:
	nntp://news.public-inbox.org/inbox.comp.version-control.git
	nntp://ou63pmih66umazou.onion/inbox.comp.version-control.git
	nntp://czquwvybam4bgbro.onion/inbox.comp.version-control.git
	nntp://hjrcffqmbrq6wope.onion/inbox.comp.version-control.git
	nntp://news.gmane.org/gmane.comp.version-control.git

 note: .onion URLs require Tor: https://www.torproject.org/
       or Tor2web: https://www.tor2web.org/

AGPL code for this site: git clone https://public-inbox.org/ public-inbox