On 11/25/2011 05:13 AM, Sitaram Chamarty wrote:
> On Fri, Nov 25, 2011 at 8:46 AM, Sitaram Chamarty<sitaramc@xxxxxxxxx> wrote:
>> (...and/or a post-upload hook)
>>
>> Has this ever come up?
>
> Sorry for the google-fu fail and for replying to my own post.
> http://git.661346.n2.nabble.com/Removal-of-post-upload-hook-td4394312.html
> is the longest thread I (later) found.
>
> The quick summary, in the words of Jeff (second post in that link) is:
> "Because [upload]-pack runs as the user who is [fetching], not as the
> repository owner. So by convincing you to [fetch from] my repository
> in a multi-user environment, I convince you to run some arbitrary code
> of mine."
>
> My contention (today) is:
>
> - you're already taking that risk for push
> - so this would add a new risk only for people who fetch but don't push
> - which, I submit, is a very small (if not almost empty) set of people
>

People who fetch but don't push are, by far, the vast majority of git
users. Think of everyone fetching from any public software repository
without having write access to it. If you think of git.git and linux.git
alone I think it's safe to assume the number of "fetch-no-push" outnumber
the "push-and-whatnot" group by some quarter million to one.

> I may be wrong but I imagine shared environments are those where
> almost everyone will push at least once in a while. It's a closed
> group of people, probably all developers, etc etc etc...
>

Not really. We fetch from each other quite a lot at work, and from each
other's semi-public repositories on a shared server where we've all got
accounts (i.e., write access), but we very, very rarely push into each
other's repositories. The sharepoint is the "official" repo on the
repo-server, which the buildbots get their code from and where everything
to be released, maintained or handled in some way in the future resides.

Anyways. Shooting down the arguments *against* pre-upload hooks is quite
silly if it's not combined with some fresh arguments *for* such a hook.
So... What use case do you envision where you'd need one?

--
Andreas Ericsson andreas.ericsson@xxxxxx
OP5 AB www.op5.se
Tel: +46 8-230225 Fax: +46 8-230231

Considering the successes of the wars on alcohol, poverty, drugs and
terror, I think we should give some serious thought to declaring war
on peace.