Re: [RFC] Hook management via 'git hooks' command

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 2019-11-23 at 01:19:24, Emily Shaffer wrote:
> Ah, I think I see what you mean.
> 
> hook.update = security-heuristic-runner
> 
> where "security-heuristic-runner" is some compiled binary your employer
> purchased from some vendor and distributed directly to your `/bin/`.
> 
> No, I had imagined users would achieve that by writing:
> 
> hook.update = /bin/security-heuristic-runner

Yeah, that's what I'm looking for.  The problem is that, for example,
Debian does not guarantee where in PATH a file is.  Having a newer Git
on RHEL or CentOS systems often involves hacking PATH and
LD_LIBRARY_PATH.

> Hm. Do you mean:
> 
> hook.update = git grep "something"
> 
> Or do you mean:
> 
> hook.update = ~/grephook.sh
> 
> grephook.sh:
>   #!/bin/bash
> 
>   git grep "something" >output
>   ... do something with output ...

I had intended to include the latter case, but also allow valid hooks
with multiple argument support.  For example, you could invoke "git lfs
pre-push" directly in your hook, and that is a fully functioning
pre-push hook, and would require a suitable PATH lookup to find your Git
binary.  It accepts the additional arguments that pre-push hooks accept;
right now we basically do the following instead:

----
#!/bin/sh

exec git lfs pre-push "$@"
----

> I suppose I need to understand better how $PATH works with the latter
> scenario, but my gut says "if you didn't worry about where to find the
> Git binary from your script before, why are you going to start caring
> now".
> 
> This led me to wonder: "Should we allow someone to pass arguments via
> the hook config?" Or to put it another way, "Should we allow 'hook.update
> = grep -Rin blahblah >audit.log'?" I think the answer is no - some hooks
> do expect to be given arguments, for example
> sequencer.c:run_prepare_commit_msg_hook().

I think what we want to do in this case is just invoke things in the
shell with extra arguments, like we do with editors.  This means we
don't have to handle PATH or anything else; we just invoke the shell and
let it handle it.  That lets people provide multi-call binaries (like
git lfs) that include hooks inside them.

I do, however, think we should require folks to have a suitable hook
that accepts the right arguments.  So "git grep blahblah" isn't a valid
hook in most cases, because it doesn't take the right arguments and read
the right data from stdin if necessary.

> > I suppose if we continue to keep the existing behavior of changing the
> > directory and we pass the config options to the shell, then we could
> > just write "$(git config core.hooksPath || echo
> > .git/hooks)/pre-push.d/hook1" instead, which, while ugly, gets the job
> > done.  Then we wouldn't need such a command.
> 
> Yeah, I am wondering about when you want to run a hook generically (i.e.
> from a noninteractive script) but outside of the context of something in
> the Git binary invoking a hook. Are you thinking of Git commands
> implemented as scripts?

I'm just thinking about existing hook wrappers that invoke multiple
scripts at the moment, something like how
https://gist.github.com/mjackson/7e602a7aa357cfe37dadcc016710931b works
at the moment and how we'd replace that with a config-based model.

I think using the shell avoids the entire proposal, because it then
becomes trivial to script that in the command and port it over, since we
can use my ugly hack above.  I think I like that better than "git hook
execute" because it's a little more flexible.

> > One of the benefits to using numbered files in a .d directory is that
> > you can explicitly control ordering of operations.  For example, maybe I
> > have a per-repo pre-push hook that performs some checks and rejects a
> > push if something is off.  I also have a pre-push hook for Git LFS that
> > pushes the Git LFS objects to the remote server if Git LFS is in use.
> > 
> > In this case, I'd always want my sanity-check hook to run first, and so
> > I'd number it first.  This is fine if both are per-repo, but if the LFS
> > hook is global, then it's in the wrong order and my LFS objects are
> > pushed even though my sanity check failed.
> 
> Yeah, this is really compelling, and also removes the somewhat wonky ^
> proposed just below here. I like this idea quite a lot:
> 
> hook.pre-push = 001:/path/to/sanity-checker

I think a colon is actually better than my proposal for a space in this
regard, but I'm not picky: anything unambiguous is fine.

> I'll have to ponder on the UX of a 'git hook'-facilitated interactive
> edit of the hook numbering, though. UX is not my strong point :)

I also find I'm not great at UX, so I can't be of much help.
-- 
brian m. carlson: Houston, Texas, US
OpenPGP: https://keybase.io/bk2204

Attachment: signature.asc
Description: PGP signature


[Index of Archives]     [Linux Kernel Development]     [Gcc Help]     [IETF Annouce]     [DCCP]     [Netdev]     [Networking]     [Security]     [V4L]     [Bugtraq]     [Yosemite]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Linux SCSI]     [Fedora Users]

  Powered by Linux