On Mon, Aug 01, 2016 at 12:50:27PM +0200, IOhannes m zmoelnig wrote:
> Package: git-buildpackage
> Version: 0.8.1
> Severity: normal
> 
> Dear Maintainer,
> 
> thanks for the new 'postclone' hook.
> 
> however, I wonder why it is impossible to configure the hook via the
> *repository's* debian/gbp.conf
> 
> I wanted to submit a fix for this:
> > diff --git a/gbp/scripts/clone.py b/gbp/scripts/clone.py
> > index 57752f2..6ef5266 100755
> > --- a/gbp/scripts/clone.py
> > +++ b/gbp/scripts/clone.py
> > @@ -103,8 +103,8 @@ def main(argv):
> >  
> >          # Reparse the config files of the cloned repository so we pick up 
> > the
> >          # branch information from there but don't overwrite hooks:
> > -        postclone = options.postclone
> >          (options, args) = parse_args(argv)
> > +        postclone = options.postclone
> >  
> >          # Track all branches:
> >          if options.all:
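Review bot: moving `postclone = options.postclone` below `parse_args(argv)` defeats the guard that the comment immediately above it describes ("don't overwrite hooks"): the second `parse_args` re-reads the configuration of the freshly cloned repository, so after this change a `postclone` value set in that repository's debian/gbp.conf would be the one that runs, which is exactly what saving the value before the reparse prevents. If running repository-supplied hooks is wanted, it needs an explicit opt-in rather than becoming the default; otherwise keep the original ordering and document the behaviour instead.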
> 
> but reading the surrounding comments ("but don't overwrite hooks"), it seems
> that this is intentional.
> most likely this is due to security implications (cloning a repository shouldn't
> be allowed to run any unknown script).

Indeed.

> 
> however, this is NOT documented.
> so please add a note to 'man 1 gbp-clone' (and the like) that any 'postclone'
> configuration in the repository itself will be ignored.

I've added docs for that. In case this is needed we could add an
"--untrusted-hooks" option that defaults to False.

> 
> while changing the documentation, you might also consider changing the
> option-name (in the documentation) from the invalid "--git-postclone" to
> "--postclone" (and similar for "--git-hooks")

Updated. Thanks.
 -- Guido
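The two-pass parsing discussed in this thread, written out as an added example (not git-buildpackage's own code): the first pass reads only the user's trusted configuration, the second pass re-reads the cloned repository's debian/gbp.conf for branch settings but keeps the hook values from the first pass unless the caller opts in. The `untrusted_hooks` switch and the sample config contents are assumptions.

```python
# Added example, not git-buildpackage's own code. Models why a repository's
# debian/gbp.conf must not be allowed to set the 'postclone' hook by default:
# a clone would otherwise run a script chosen by whoever published the repo.
import configparser

# Constructed sample configuration files (not real files).
USER_CONF = """
[clone]
postclone = /home/user/bin/after-clone.sh
debian-branch = master
"""

REPO_CONF = """
[clone]
postclone = ./debian/run-me.sh
debian-branch = debian/sid
"""

# Keys that name executables; only trusted sources may set them.
HOOK_KEYS = {"postclone"}


def parse_conf(text):
    """Parse a gbp.conf-style [clone] section into a plain dict."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return dict(cp["clone"]) if cp.has_section("clone") else {}


def resolve_options(user_conf, repo_conf, untrusted_hooks=False):
    """Return the effective options after the post-clone reparse.

    untrusted_hooks is the hypothetical opt-in switch; with it off (the
    default) hook settings from the repository are discarded.
    """
    options = parse_conf(user_conf)          # first pass: trusted config only
    trusted_hooks = {k: options.get(k) for k in HOOK_KEYS}
    options.update(parse_conf(repo_conf))    # second pass: pick up branch info
    if not untrusted_hooks:
        # Restore the hook values from the trusted pass so the cloned
        # repository cannot inject a script that runs at clone time.
        for key, value in trusted_hooks.items():
            if value is None:
                options.pop(key, None)
            else:
                options[key] = value
    return options
```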
