bug#22883: [sr #109104] Add Git 'update' hook for Guix repositories

bug-guix

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

bug#22883: [sr #109104] Add Git 'update' hook for Guix repositories

From:	Mike Gerwitz
Subject:	bug#22883: [sr #109104] Add Git 'update' hook for Guix repositories
Date:	Sun, 7 Aug 2016 05:53:39 +0000 (UTC)
User-agent:	Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101 Firefox/38.0

Follow-up Comment #4, sr #109104 (project administration):

Unfortunately, this hook can be easily defeated.  Here's some example output
from the current tip of master:


$ git cat-file -p HEAD
tree c65e675351fe76b2630df24eddcb2449774eb344
parent e87c7ec2de815f05d7a84e2792e2da700bb26a38
author Leo Famulari <address@hidden> 1470169005 -0400
committer Leo Famulari <address@hidden> 1470538536 -0400
gpgsig -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2
 
 iQIcBAABCAAGBQJXpqMoAAoJECZG+jC6yn8Ihn8P+wfUhS5HOL7181KC8ZRdTFC5
 5XjavRq/08LJzO2mxer1r5oVcWYuZAvnPKZltO1vdIp0ncvU40c4nmaNpQiB/w6B
 8slSkqBsoCVE7GEKHoAWju7Rwwlqw4fUSgDWw5JpJ/3S2PhRj+tvy8o/wCeBEwTL
 c90yivRmpKZcdcRgSPHqhHhMJ7lIJxbvHKlb30SPz9vdQTj13EUeeyyJQc/7lu7D
 kUiUu9MOjC3o8dPE8E7otMnD51xfj8SNvs5h7cZAMByS0Qk06RwK+O5POkBlXUMV
 lVxgPJsC7LfqJJ/VGLb5uOIoXMUCGV3mzdDXA+Pe+xvTTGOT+8rNsPl7kwxAGYqC
 vPVrY1dC6CzRX8/7etvb99UHf2nx0NbYRAvetZzh9j6WBbMqGBgHMndRh6i6Y7Fl
 BioG+J22sXCQjf3ydRvjd8cznlfvBCTqo9zSqeoG7Ha/qSh1pX16KAUxLi1YGzK6
 I79iqOEvpoxwS/9Ym+GB+4rLTimqhtDKN7v3XaQudJ8t6hMlGi+pqjiLhNI8q2c9
 dd3RthLu+Zom4duwnGo0BJEVC+CDLYGcdiwCKOpLaI9KtQbCv6useALPBk5RKPHr
 pE1Y7nTmBw7Rxl2GuaNOH9x5cHOuULfWW+HLm3JSwTjD4cpAxnFDP7qYINSo7XGR
 HGWK/43B5syf6FhZws8N
 =h+H0
 -----END PGP SIGNATURE-----

gnu: Add python-pythondialog.

* gnu/packages/python.scm (python-pythondialog): New variable.
(python2-pythondialog): Inherit from PYTHON-PYTHONDIALOG.

Co-authored-by: Vincent Legoll <address@hidden>


The hook currently greps for `^gpgsig '.  It will indeed find a GPG signature
if it exists, but to circumvent it, an attacker need only put `gpgsig' in the
commit message at column 0---the commit messages aren't indented in the
output.

You can replace the entire loop in the hook with this:


git log --pretty='%GK %h %s' "$rev_old^..$rev_new" \
  | awk '/^ / {
           e=1
           print "error: missing signature:" $0 > "/dev/stderr"
         }
         END { exit e }'


If the commit is not signed, then `%GK` (GPG key id) will yield an empty
string.

Here's some example output (run with HEAD~15..):


error: missing signature: 7ccb874 gnu: zsh: Move to shells.scm.
error: missing signature: 7977d76 Update NEWS.


    _______________________________________________________

Reply to this item at:

  <http://savannah.gnu.org/support/?109104>

_______________________________________________
  Message sent via/by Savannah
  http://savannah.gnu.org/

[Prev in Thread]

Current Thread

[Next in Thread]

bug#22883: [sr #109104] Add Git 'update' hook for Guix repositories, Mike Gerwitz <=
- bug#22883: [sr #109104] Add Git 'update' hook for Guix repositories, Ludovic Courtès, 2016/08/17

Prev by Date: bug#24168: Offloading builds does not honor --keep-failed
Next by Date: bug#24188: gnucash needs gtk+ in propagated-inputs
Previous by thread: bug#24168: Offloading builds does not honor --keep-failed
Next by thread: bug#22883: [sr #109104] Add Git 'update' hook for Guix repositories
Index(es):
- Date
- Thread