unofficial mirror of bug-guix@gnu.org 
* bug#22883: [sr #109104] Add Git 'update' hook for Guix repositories
@ 2016-07-24 22:09 Ludovic Courtès
From: Ludovic Courtès @ 2016-07-24 22:09 UTC (permalink / raw)
  To: Ludovic Courtès, 22883, savannah-help-public

URL:
  <http://savannah.gnu.org/support/?109104>

                 Summary: Add Git 'update' hook for Guix repositories
                 Project: Savannah Administration
            Submitted by: civodul
            Submitted on: Mon 25 Jul 2016 12:09:45 AM CEST
                Category: Source code repositories - developer access
                Priority: 5 - Normal
                Severity: 3 - Normal
                  Status: None
             Assigned to: None
        Originator Email: ludo@gnu.org
        Operating System: None
             Open/Closed: Open
         Discussion Lock: Any

    _______________________________________________________

Details:

Hello,

Could you add the attached file as an 'update' hook for all the Guix
repositories?

Thanks in advance,
Ludo'.

    _______________________________________________________

File Attachments:

-------------------------------------------------------
Date: Mon 25 Jul 2016 12:09:45 AM CEST  Name: assert-commit-signed  Size: 764B
  By: civodul
Git 'update' hook to reject unsigned commits
<http://savannah.gnu.org/support/download.php?file_id=38011>

    _______________________________________________________

Reply to this item at:

  <http://savannah.gnu.org/support/?109104>

_______________________________________________
  Message sent via/by Savannah
  http://savannah.gnu.org/

* bug#22883: [sr #109104] Add Git 'update' hook for Guix repositories
@ 2016-07-24 22:51 ` Bob Proulx
From: Bob Proulx @ 2016-07-24 22:51 UTC (permalink / raw)
  To: Bob Proulx, Ludovic Courtès, 22883, savannah-help-public

Update of sr #109104 (project administration):

                  Status:                    None => In Progress            
             Assigned to:                    None => rwp                    

    _______________________________________________________

Follow-up Comment #1:

Sure thing. I will add it to this list.

guix.git
guix/dhcp.git
guix/gnunet.git
guix/guix-artwork.git
guix/maintenance.git



* bug#22883: [sr #109104] Add Git 'update' hook for Guix repositories
@ 2016-07-24 22:57   ` Bob Proulx
From: Bob Proulx @ 2016-07-24 22:57 UTC (permalink / raw)
  To: Bob Proulx, Ludovic Courtès, 22883, savannah-help-public

Update of sr #109104 (project administration):

                  Status:             In Progress => Done                   
             Open/Closed:                    Open => Closed                 

    _______________________________________________________

Follow-up Comment #2:

Done. Commits to those repositories will be required to be gpg signed now. Let
us know if you need anything else.



* bug#22883: [sr #109104] Add Git 'update' hook for Guix repositories
@ 2016-07-25  9:00     ` Ludovic Courtès
From: Ludovic Courtès @ 2016-07-25  9:00 UTC (permalink / raw)
  To: Bob Proulx, Ludovic Courtès, 22883, savannah-help-public

Follow-up Comment #3, sr #109104 (project administration):

That was fast, thanks a lot, Bob!


* bug#22883: [sr #109104] Add Git 'update' hook for Guix repositories
@ 2016-08-07  5:53       ` Mike Gerwitz
From: Mike Gerwitz @ 2016-08-07  5:53 UTC (permalink / raw)
  To: Bob Proulx, Ludovic Courtès, 22883, savannah-help-public

Follow-up Comment #4, sr #109104 (project administration):

Unfortunately, this hook can be easily defeated.  Here's some example output
from the current tip of master:


$ git cat-file -p HEAD
tree c65e675351fe76b2630df24eddcb2449774eb344
parent e87c7ec2de815f05d7a84e2792e2da700bb26a38
author Leo Famulari <leo@famulari.name> 1470169005 -0400
committer Leo Famulari <leo@famulari.name> 1470538536 -0400
gpgsig -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2
 
 iQIcBAABCAAGBQJXpqMoAAoJECZG+jC6yn8Ihn8P+wfUhS5HOL7181KC8ZRdTFC5
 5XjavRq/08LJzO2mxer1r5oVcWYuZAvnPKZltO1vdIp0ncvU40c4nmaNpQiB/w6B
 8slSkqBsoCVE7GEKHoAWju7Rwwlqw4fUSgDWw5JpJ/3S2PhRj+tvy8o/wCeBEwTL
 c90yivRmpKZcdcRgSPHqhHhMJ7lIJxbvHKlb30SPz9vdQTj13EUeeyyJQc/7lu7D
 kUiUu9MOjC3o8dPE8E7otMnD51xfj8SNvs5h7cZAMByS0Qk06RwK+O5POkBlXUMV
 lVxgPJsC7LfqJJ/VGLb5uOIoXMUCGV3mzdDXA+Pe+xvTTGOT+8rNsPl7kwxAGYqC
 vPVrY1dC6CzRX8/7etvb99UHf2nx0NbYRAvetZzh9j6WBbMqGBgHMndRh6i6Y7Fl
 BioG+J22sXCQjf3ydRvjd8cznlfvBCTqo9zSqeoG7Ha/qSh1pX16KAUxLi1YGzK6
 I79iqOEvpoxwS/9Ym+GB+4rLTimqhtDKN7v3XaQudJ8t6hMlGi+pqjiLhNI8q2c9
 dd3RthLu+Zom4duwnGo0BJEVC+CDLYGcdiwCKOpLaI9KtQbCv6useALPBk5RKPHr
 pE1Y7nTmBw7Rxl2GuaNOH9x5cHOuULfWW+HLm3JSwTjD4cpAxnFDP7qYINSo7XGR
 HGWK/43B5syf6FhZws8N
 =h+H0
 -----END PGP SIGNATURE-----

gnu: Add python-pythondialog.

* gnu/packages/python.scm (python-pythondialog): New variable.
(python2-pythondialog): Inherit from PYTHON-PYTHONDIALOG.

Co-authored-by: Vincent Legoll <vincent.legoll@idgrilles.fr>


The hook currently greps for `^gpgsig '.  It will indeed find a GPG signature
if it exists, but to circumvent it, an attacker need only put `gpgsig' in the
commit message at column 0---the commit messages aren't indented in the
output.

You can replace the entire loop in the hook with this:


git log --pretty='%GK %h %s' "$rev_old^..$rev_new" \
  | awk '/^ / {
           e=1
           print "error: missing signature:" $0 > "/dev/stderr"
         }
         END { exit e }'


If the commit is not signed, then `%GK` (GPG key id) will yield an empty
string.

Here's some example output (run with HEAD~15..):


error: missing signature: 7ccb874 gnu: zsh: Move to shells.scm.
error: missing signature: 7977d76 Update NEWS.



* bug#22883: [sr #109104] Add Git 'update' hook for Guix repositories
@ 2016-08-17  9:38         ` Ludovic Courtès
From: Ludovic Courtès @ 2016-08-17  9:38 UTC (permalink / raw)
  To: Bob Proulx, Ludovic Courtès, 22883, savannah-help-public

Follow-up Comment #5, sr #109104 (project administration):

Hi Mike,

The hook is indeed super naive.  The goal was just to avoid _accidental_
pushes of unsigned commits, under the assumption that those with commit access
are well-behaved.  :-)

But yeah, the goal is to ultimately scan the Git history and ensure only
authorized keys are used:
http://debbugs.gnu.org/cgi/bugreport.cgi?bug=22883#103 .

Thanks,
Ludo'.

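Added example, not the hook attached to the ticket: an 'update' hook that follows Mike's suggestion of trusting git's own signature verification (%G?) rather than grepping the raw commit object, and also applies the authorised-key check Ludo describes as the eventual goal. It assumes git on PATH, the committers' public keys in the hook user's GnuPG keyring, and a constructed placeholder allowlist in ALLOWED_KEYS.

```shell
#!/bin/sh
# Git 'update' hook: reject pushes unless every new commit carries a good,
# trusted signature from an allowlisted key.  Added example, not the hook from
# the ticket.  Assumes git on PATH and the committers' keys in the GnuPG keyring.

# Constructed placeholder key ids (the %GK values); not real Guix committer keys.
ALLOWED_KEYS="0123456789ABCDEF FEDCBA9876543210"

# Read lines of  git log --pretty='%G? %GK %h %s'  on stdin.  Only status "G"
# (good signature, trusted key) from an allowlisted key passes; "U" (good but
# untrusted), "B" (bad), "N" (none), expired and revoked keys are all rejected.
# An unsigned commit has an empty %GK, so $2 is then the abbreviated hash.
check_signatures() {
    awk -v allowed="$ALLOWED_KEYS" '
        BEGIN { bad = 0; split(allowed, a, " "); for (i in a) ok[a[i]] = 1 }
        $1 != "G" || !($2 in ok) {
            bad = 1
            reason = ($1 == "G") ? ("key " $2 " not authorised") \
                                 : ("signature status " $1)
            print "error: rejected (" reason "): " $0 > "/dev/stderr"
        }
        END { exit bad }'
}

# Turn the hook's <old-rev> <new-rev> into git log arguments.  A ref creation
# (old rev all zeros) checks every commit not already reachable from an existing
# ref; a ref deletion (new rev all zeros) has nothing to verify (returns 1).
rev_range() {
    zero=0000000000000000000000000000000000000000
    [ "$2" != "$zero" ] || return 1
    if [ "$1" = "$zero" ]; then
        printf '%s --not --all\n' "$2"
    else
        printf '%s..%s\n' "$1" "$2"
    fi
}

# Hook entry point: git invokes 'update' with <refname> <old-rev> <new-rev>.
if [ $# -eq 3 ]; then
    range=$(rev_range "$2" "$3") || exit 0   # deletion: nothing to check
    # $range is intentionally unquoted: it may expand to several arguments.
    git log --pretty='%G? %GK %h %s' $range | check_signatures || exit 1
fi
```

Because git performs the verification, a "gpgsig" line at column 0 of a commit message has no effect on the result.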
