(address . guix-patches@gnu.org)(address . vagrant@debian.org)
Running check-channel-news before authenticating the repository could
result in running unauthenticated code; the attached patch switches the
order they are run in.
live well,
vagrant
From 42bd8ceceada3ad764a450c040bc2a9a1e3f7842 Mon Sep 17 00:00:00 2001
From: Vagrant Cascadian <vagrant@debian.org>
Date: Mon, 9 Dec 2024 12:21:30 -0800
Subject: [PATCH] etc: git: pre-push: Run guix git authenticate before
check-channel-news.
Running check-channel-news first could potentially be untrusted code, so
authenticate first.
* etc/git/pre-push: Run guix git authenticate before check-channel-news.
---
etc/git/pre-push | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
Toggle diff (18 lines)
diff --git a/etc/git/pre-push b/etc/git/pre-push
index 325b23854b..752310d854 100755
--- a/etc/git/pre-push
+++ b/etc/git/pre-push
@@ -33,8 +33,8 @@ do
case "$2" in
*.gnu.org*)
set -e
- make check-channel-news
exec guix git authenticate
+ make check-channel-news
exit 127
;;
*)
base-commit: da3c8a963f83c044568d99921480259eaa26a923
--
2.39.5
-----BEGIN PGP SIGNATURE-----
iHUEARYKAB0WIQRlgHNhO/zFx+LkXUXcUY/If5cWqgUCZ1dSPwAKCRDcUY/If5cW
qgyiAQCy7Qa8WrtiSZmrry3SIsRLARS2YCw/Fn18E9GvUlWP0QEA1h1o+QhF706H
A+HJSSHoiee0JGPuvjTJ8qyTZetwSws=
=yXMR
-----END PGP SIGNATURE-----