Hi,

Pierre-Yves Chibon wrote:
> For a first step I went with a third approach: a small python service that
> runs every 3 minutes (configurable): git fetch && git fsck (to ensure the git
> is in a correct state).

You could likely set transfer.fsckObjects¹ and skip the secondary git fsck call. The transfer.fsckObjects option will check objects as they are pulled in via fetch (or git-receive-pack).

The option is available with git-1.8.3.1 in RHEL 7 that is currently installed on batcave. That could be set in the repo config or via git -c for just the invocation in your script.

Here's the docs from the current git release:

https://git-scm.com/docs/git-config#Documentation/git-config.txt-transferfsckObjects

I don't know whether all of the later improvements to catch malicious objects are backported to the RHEL 7 version or not. Some aren't relevant due to the features which allow for the malicious behaviors not being available in that version of git. But the core of the check is still present and should handle the "fsck on fetch" portion. Details are in git-config(1).

¹ or fetch.transferObjects

-- 
Todd
_______________________________________________
infrastructure mailing list -- infrastructure@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to infrastructure-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/infrastructure@xxxxxxxxxxxxxxxxxxxxxxx
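
The two approaches discussed in the message above, side by side, as an added example that is not part of the original thread or of the Fedora service. The directory layout, the `bad` branch and all function names are constructed for the demo, and the fixture assumes a git new enough to have `hash-object --literally`.

```shell
#!/bin/sh
# Added example; paths, ref names and function names are constructed.
# make_fixture needs `git hash-object --literally` (newer than git 1.8.3.1).

# Upstream with one good commit, two mirrors of it, then a commit with no
# author/committer header added upstream (git fsck reports it as an error).
# $1 must be an absolute, existing directory.
make_fixture() {
    git init --quiet "$1/upstream" &&
    (
        cd "$1/upstream" &&
        echo hello > file && git add file &&
        git -c user.name=demo -c user.email=demo@example.invalid \
            commit --quiet -m "good commit" &&
        git clone --quiet --mirror "$1/upstream" "$1/checked" &&
        git clone --quiet --mirror "$1/upstream" "$1/unchecked" &&
        bad=$(printf 'tree %s\nparent %s\n\nmalformed: no author line\n' \
                  "$(git rev-parse 'HEAD^{tree}')" "$(git rev-parse HEAD)" |
              git hash-object -t commit -w --stdin --literally) &&
        git update-ref refs/heads/bad "$bad"
    )
}

# Suggestion from the reply: check objects as they arrive, for this one
# invocation. `git config transfer.fsckObjects true` is the persistent form.
fetch_checked() {
    ( cd "$1" && git -c transfer.fsckObjects=true fetch --quiet origin )
}

# Approach from the quoted message: fetch first, then run a full fsck.
fetch_then_fsck() {
    ( cd "$1" && git -c transfer.fsckObjects=false fetch --quiet origin &&
      git fsck )
}

# Succeeds only if the malformed branch exists in the given mirror.
has_bad_ref() {
    ( cd "$1" && git rev-parse --verify --quiet refs/heads/bad >/dev/null )
}

demo() {
    work=$(mktemp -d) && make_fixture "$work" || return 1
    fetch_checked "$work/checked";     echo "checked fetch exit status: $?"
    has_bad_ref "$work/checked";       echo "checked mirror has bad ref (0=yes): $?"
    fetch_then_fsck "$work/unchecked"; echo "fetch && fsck exit status: $?"
    has_bad_ref "$work/unchecked";     echo "unchecked mirror has bad ref (0=yes): $?"
    rm -rf "$work"
}
demo
```

The checked fetch exits non-zero and leaves no `refs/heads/bad` in its mirror, while in the fetch-then-fsck mirror the object and ref are already stored by the time `git fsck` reports the error.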