Bug#833143: git-buildpackage: allow postclone hook to be configured in the repository

2016-08-01 Thread Guido Günther
On Mon, Aug 01, 2016 at 12:50:27PM +0200, IOhannes m zmoelnig wrote:
> Package: git-buildpackage
> Version: 0.8.1
> Severity: normal
> 
> Dear Maintainer,
> 
> thanks for the new 'postclone' hook.
> 
> however, i wonder why it is impossible to configure the hook via the
> *repository's* debian/gbp.conf
> 
> I wanted to submit a fix for this:
> > diff --git a/gbp/scripts/clone.py b/gbp/scripts/clone.py
> > index 57752f2..6ef5266 100755
> > --- a/gbp/scripts/clone.py
> > +++ b/gbp/scripts/clone.py
> > @@ -103,8 +103,8 @@ def main(argv):
> >  
> >  # Reparse the config files of the cloned repository so we pick up 
> > the
> >  # branch information from there but don't overwrite hooks:
> > -postclone = options.postclone
> >  (options, args) = parse_args(argv)
> > +postclone = options.postclone
> >  
> >  # Track all branches:
> >  if options.all:
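Review bot: moving `postclone = options.postclone` below the second `parse_args(argv)` call means the hook is taken from the options produced by the reparse. The context comment says that reparse reads the config files of the cloned repository, so the repository being cloned would then choose the command that runs on the user's machine. Keep the assignment ahead of the reparse, or honour the repository's value only behind an explicit opt-in that defaults to off.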
> 
> but reading the surrounding comments ("but don't overwrite hooks"), it seems
> that this is intentional.
> most likely this is due to security implications (cloning a repository shouldn't
> be allowed to run any unknown script).

Indeed.

> 
> however, this is NOT documented.
> so please add a note to 'man 1 gbp-clone' (and the like) that any 'postclone'
> configuration in the repository itself will be ignored.

I've added docs for that. In case this is needed we could add a
"--untrusted-hooks" option that defaults to False.

> 
> while changing the documentation, you might also consider changing the
> option-name (in the documentation) from the invalid "--git-postclone" to
> "--postclone" (and similarly for "--git-hooks")

Updated. Thanks.
 -- Guido
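
The trust split discussed in this thread, as an added example that is not git-buildpackage's code: ordinary options from the cloned repository's config override the user's, while hook options are taken from the repository only on explicit opt-in. The function names, `HOOK_KEYS`, the `untrusted_hooks` flag (modelled on the "--untrusted-hooks" idea mentioned in the reply), the `[clone]` section layout and the sample configs are assumptions.

```python
import configparser

# Options whose value is run as a command (hypothetical list for this sketch).
HOOK_KEYS = {"postclone"}

def read_section(text, section="clone"):
    """Return the options of `section` (with [DEFAULT] applied) from INI text."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return dict(cp.items(section)) if cp.has_section(section) else dict(cp.defaults())

def effective_options(trusted_text, repo_text, untrusted_hooks=False):
    """Merge user-level (trusted) and repository-level (untrusted) config.

    Repository values override user values for ordinary options such as
    branch names. Hook options from the repository are dropped unless the
    caller opted in. Returns (options, ignored); `ignored` holds the
    repository hook settings that were not applied.
    """
    options = read_section(trusted_text)
    ignored = {}
    for key, value in read_section(repo_text).items():
        if key in HOOK_KEYS and not untrusted_hooks:
            ignored[key] = value  # reported to the user, never executed
            continue
        options[key] = value
    return options, ignored

# Constructed sample input: a user config and a cloned repository's config.
USER_CONF = """
[DEFAULT]
debian-branch = master
[clone]
postclone = git config user.email me@example.org
"""
REPO_CONF = """
[DEFAULT]
debian-branch = debian/sid
[clone]
postclone = ./debian/setup-hooks.sh
"""

if __name__ == "__main__":
    opts, ignored = effective_options(USER_CONF, REPO_CONF)
    print(opts)
    for key, value in ignored.items():
        print("ignoring %s=%r from repository config" % (key, value))
```
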



Bug#833143: git-buildpackage: allow postclone hook to be configured in the repository

2016-08-01 Thread IOhannes m zmoelnig
Package: git-buildpackage
Version: 0.8.1
Severity: normal

Dear Maintainer,

thanks for the new 'postclone' hook.

however, i wonder why it is impossible to configure the hook via the
*repository's* debian/gbp.conf

I wanted to submit a fix for this:
> diff --git a/gbp/scripts/clone.py b/gbp/scripts/clone.py
> index 57752f2..6ef5266 100755
> --- a/gbp/scripts/clone.py
> +++ b/gbp/scripts/clone.py
> @@ -103,8 +103,8 @@ def main(argv):
>  
>  # Reparse the config files of the cloned repository so we pick up the
>  # branch information from there but don't overwrite hooks:
> -postclone = options.postclone
>  (options, args) = parse_args(argv)
> +postclone = options.postclone
>  
>  # Track all branches:
>  if options.all:
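Review bot: the unchanged context comment above the moved line still ends with "but don't overwrite hooks:", which no longer holds once `postclone` is assigned after the reparse. If the new behaviour is wanted, update that comment in the same hunk so it states which config sources are allowed to set the hook, and document the behaviour alongside it.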

but reading the surrounding comments ("but don't overwrite hooks"), it seems
that this is intentional.
most likely this is due to security implications (cloning a repository shouldn't
be allowed to run any unknown script).

however, this is NOT documented.
so please add a note to 'man 1 gbp-clone' (and the like) that any 'postclone'
configuration in the repository itself will be ignored.

while changing the documentation, you might also consider changing the
option-name (in the documentation) from the invalid "--git-postclone" to
"--postclone" (and similarly for "--git-hooks")

thanks for your kind consideration.

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.6.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages git-buildpackage depends on:
ii  devscripts            2.16.6
ii  git                   1:2.8.1-1
ii  man-db                2.7.5-1
ii  python-dateutil       2.4.2-1
ii  python-pkg-resources  20.10.1-1.1
ii  python-six            1.10.0-3
pn  python:any

Versions of packages git-buildpackage recommends:
ii  cowbuilder   0.80
ii  pbuilder 0.225.2
ii  pristine-tar 1.34
ii  python-requests  2.10.0-2

Versions of packages git-buildpackage suggests:
ii  python-notify  0.1.1-4
ii  sudo   1.8.17p1-2
ii  unzip  6.0-20

-- no debconf information

-- debsums errors found:
debsums: changed file /usr/lib/python2.7/dist-packages/gbp/scripts/clone.py (from git-buildpackage package)