Ticket #221 (closed task: wontfix)
git.sugarlabs.org post-commit hook
| Reported by: | wadeb | Owned by: | bernie |
|---|---|---|---|
| Priority: | normal | Milestone: | |
| Component: | git.sugarlabs.org | Version: | Unspecified |
| Severity: | Minor | Keywords: | |
| Cc: | Distribution/OS: | Unspecified | |
| Bug Status: | Unconfirmed |
Description
I'd like to have a post-commit hook on git.sugarlabs.org which does the following when a specially formatted vXXX tag is pushed to an activity repository:
* Generates .xo and .tar.bz2 bundles.
* Copies these to appropriate directories on downloads.sugarlabs.org.
Currently, each activity committer who wants to make a release must have a shell account. This places a prohibitive dependency on the infrastructure team to get new activities posted.
There is a possible security issue here. A rogue activity developer could create a new activity repository and set the activity.info name to the same name as an existing activity. They would then be able to silently overwrite the other activity's releases on download.sugarlabs.org.
To solve this, the post-commit hook should maintain the path to the repository which first executed the post-commit hook, and disallow other repositories from executing the post-commit hook.
This can be as simple as writing a file containing the repository URL which first posts a bundle to:
downloads.sugarlabs.org/activities/Moon/.gitrepository
Then this file would be checked before allowing further bundle postings.
