Opened 12 years ago

Closed 12 years ago

#221 closed task (wontfix)

git.sugarlabs.org post-commit hook

Reported by: wadeb Owned by: bernie
Priority: normal Milestone:
Component: git.sugarlabs.org Version: Unspecified
Severity: Minor Keywords:
Cc: Distribution/OS: Unspecified
Bug Status: Unconfirmed

Description

I'd like to have a post-commit hook on git.sugarlabs.org which does the following when a specially formatted vXXX tag is pushed to an activity repository:

  • Generates .xo and .tar.bz2 bundles.
  • Copies these to appropriate directories on downloads.sugarlabs.org.

Currently, each activity committer who wants to make a release must have a shell account. This places a prohibitive dependency on the infrastructure team to get new activities posted.

There is a possible security issue here. A rogue activity developer could create a new activity repository and set the activity.info name to the same name as an existing activity. They would then be able to silently overwrite the other activity's releases on download.sugarlabs.org.

To solve this, the post-commit hook should maintain the path to the repository which first executed the post-commit hook, and disallow other repositories from executing the post-commit hook.

This can be as simple as writing a file containing the repository URL which first posts a bundle to:

downloads.sugarlabs.org/activities/Moon/.gitrepository

Then this file would be checked before allowing further bundle postings.
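A sketch of the first-claim check proposed in the description, added here as an illustration; it is not code from Sugar Labs or Gitorious. The function name `check_or_claim`, the allowed character set for activity names and the sample repository URLs are assumptions; the `activities/<name>/.gitrepository` layout follows the path given in the ticket.

```python
import os
import re

# Assumption: the ticket does not define valid activity names, so this
# sketch allows one path component of letters, digits, '_', '.' and '-'.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.-]*")
CLAIM_FILE = ".gitrepository"  # file name taken from the ticket


class ClaimError(Exception):
    """Raised when a repository may not publish under an activity name."""


def check_or_claim(downloads_root, activity_name, repo_url):
    """Return 'claimed' on first use and 'owner' on a match; raise otherwise."""
    # The name comes from activity.info, which the committer controls, so it
    # must not be able to point outside the activities directory.
    if not SAFE_NAME.fullmatch(activity_name):
        raise ClaimError("unsafe activity name: %r" % activity_name)
    if not repo_url or "\n" in repo_url:
        raise ClaimError("invalid repository URL")
    activity_dir = os.path.join(downloads_root, "activities", activity_name)
    os.makedirs(activity_dir, exist_ok=True)
    claim_path = os.path.join(activity_dir, CLAIM_FILE)
    try:
        # O_EXCL makes the first claim atomic: two hooks racing for the same
        # name cannot both create the file.
        fd = os.open(claim_path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o644)
    except FileExistsError:
        with open(claim_path, encoding="utf-8") as f:
            owner = f.read().strip()
        # A claim file that is empty or names another repository fails closed.
        if owner != repo_url:
            raise ClaimError("%s is already claimed" % activity_name)
        return "owner"
    with os.fdopen(fd, "w", encoding="utf-8") as f:
        f.write(repo_url + "\n")
    return "claimed"
```

The hook would call this before copying any bundle and abort the publish step on `ClaimError`.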

Change History (4)

comment:1 Changed 12 years ago by wadeb

Earlier discussion on this matter is found in ticket #199.

comment:2 Changed 12 years ago by bernie

  • Bug Status set to Unconfirmed
  • Distribution/OS set to Unspecified
  • Severity set to Blocker

I had a look but it's non-trivial: Gitorious already uses the post-commit (post-receive, actually) for its own business and that script is written in Ruby.

I don't see myself finding the time to work on it anytime soon...

comment:3 Changed 12 years ago by bernie

  • Severity changed from Blocker to Minor

Oh, and another solution would be finishing addons.sugarlabs.org.

comment:4 Changed 12 years ago by wadeb

  • Resolution set to wontfix
  • Status changed from new to closed

I'm closing this ticket since addons is now functional.
