Todd Zullinger <tmz@xxxxxxxxx> writes:

> (I also noticed the tests which use $GIT_PUSH_CERT, like t5534, use
> 'cat-file blob ...' rather than 'cat-file -p ...'. I don't know if
> that's much safer/better than letting cat-file guess the object type
> in the hook.

The '-p' option is meant for human consumption and we promise that
the output from it _will_ change if it makes sense at the UI level.
In a script like this, you do care about the exact byte sequence.
So that is a more important reason why you should say "blob" not "-p".

>> + # Verify that the ref update matches that in push certificate.
>> + if [[ $push_cert == *$oval" "$nval" "$ref* ]]; then

I am not sure what this expression is trying to do in the first
place. The contents of the push certificate blob may contain these
three values, but has a lot more than that.

A post-receive is run after all the receive processing is done, so
its failing cannot abort the transfer.

I wonder how an almost simultaneous push to the same ref, that would
not fail normally without this new hook script, would behave. One
receive updates the tip from A to B and then starts running this
script, while the other receive updates the tip from B to C and then
starts running another copy of the script. They both want to update
the notes database but there can be only one winner in the race for
its tip. What happens then? Don't we need to be running a script
like this from a hook mechanism that runs under a lock or something?
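
Review bot: The quoted test `[[ $push_cert == *$oval" "$nval" "$ref* ]]` is an unanchored substring match with `$oval`, `$nval` and `$ref` expanded unquoted, so bash treats the ref name as a glob pattern, and a certificate line for a longer ref that merely begins with `$ref` also satisfies the trailing `*`. Quote the three expansions and require a whole line of the certificate to equal `$oval $nval $ref`, so that the check passes only for the exact ref update that was signed.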