etc/git/pre-push: Run guix git authenticate before check-channel-news

Status: Open
Participants: Ludovic Courtès, Vagrant Cascadian
Owner: unassigned
Submitted by: Vagrant Cascadian
Severity: normal
Vagrant Cascadian wrote on 9 Dec 21:25 +0100
(address . guix-patches@gnu.org)(address . vagrant@debian.org)
878qsovc1t.fsf@wireframe
Running check-channel-news before authenticating the repository could
result in running unauthenticated code; the attached patch switches the
order they are run in.

live well,
vagrant
From 42bd8ceceada3ad764a450c040bc2a9a1e3f7842 Mon Sep 17 00:00:00 2001
From: Vagrant Cascadian <vagrant@debian.org>
Date: Mon, 9 Dec 2024 12:21:30 -0800
Subject: [PATCH] etc: git: pre-push: Run guix git authenticate before
check-channel-news.

Running check-channel-news first could potentially be untrusted code, so
authenticate first.

* etc/git/pre-push: Run guix git authenticate before check-channel-news.
---
etc/git/pre-push | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/etc/git/pre-push b/etc/git/pre-push
index 325b23854b..752310d854 100755
--- a/etc/git/pre-push
+++ b/etc/git/pre-push
@@ -33,8 +33,8 @@ do
case "$2" in
*.gnu.org*)
set -e
- make check-channel-news
exec guix git authenticate
+ make check-channel-news
exit 127
;;
*)
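Review bot: the added `make check-channel-news` line is unreachable where it now sits, directly after `exec guix git authenticate`. `exec` replaces the hook's shell with the guix process, so control only continues past that line if the exec itself fails, which is the case the following `exit 127` covers. With this ordering the news check no longer runs on pushes to *.gnu.org. Suggest dropping `exec` so that `guix git authenticate` runs as an ordinary command (the `set -e` above already aborts the hook when it fails) and then running `make check-channel-news`. The trailing `exit 127` would then need to be removed or replaced, since otherwise a fully successful run would still end with a failing exit status and block the push.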

base-commit: da3c8a963f83c044568d99921480259eaa26a923
--
2.39.5

Ludovic Courtès wrote 19 hours ago
(name . Vagrant Cascadian)(address . vagrant@debian.org)(address . 74755@debbugs.gnu.org)
878qs55ejd.fsf@gnu.org
Hi,

Vagrant Cascadian <vagrant@debian.org> skribis:

> From 42bd8ceceada3ad764a450c040bc2a9a1e3f7842 Mon Sep 17 00:00:00 2001
> From: Vagrant Cascadian <vagrant@debian.org>
> Date: Mon, 9 Dec 2024 12:21:30 -0800
> Subject: [PATCH] etc: git: pre-push: Run guix git authenticate before
> check-channel-news.
>
> Running check-channel-news first could potentially be untrusted code, so
> authenticate first.
>
> * etc/git/pre-push: Run guix git authenticate before check-channel-news.

LGTM, thanks!

Ludo’.