Learn more about these different git repos.
Other Git URLs
Common typo to create a new branch that starts with "origin/". We can stop that at the ACL level.
This update-hook should allow this: {{{
refname="${1}" sha1_old="${2}" sha1_new="${3}"
echo "${refname}" | grep -q '^origin/' && exit 1 || exit 0 }}}
The above patch adds the update hook to ansible, and sets it up for dist-git.
After this is deployed, new git repos would use the hook and block pushes of {{{origin/*}}} branches.
However, existing git repos wouldn't.
How do we want to go about doing that? Run a one-time script that sets the hooks for older repos? Should that be part of the Ansible deployment of dist-git?
Discussed in todays meeting: https://meetbot.fedoraproject.org/fedora-meeting-1/2014-09-22/releng.2014-09-22-15.37.log.html
Rearrange some tasks 0002-Rearrange-some-tasks.patch
git/checks: Check for the update hooks 0003-git-checks-Check-for-the-update-hooks.patch
distgit: Schedule a weekly check of the update hooks 0004-distgit-Schedule-a-weekly-check-of-the-update-hooks.patch
Here are the new patches, based on the discussion in the last releng meeting.
First patch is the same as before: it implements the hook (now with a better regexp than before) and sets it to be deployed in '''newly created''' git repositories.
Second patch is just some reorganization of a role in Ansible, to make the existing git check script easier to reuse.
Third patch adds to the git check script a new test, to verify that the update hooks are properly set up, and optionally fix it if not. This is what we can use to go over all '''existing''' git repositories and add the new hook to them. The command to run would be:
{{{ $ git check-perms --check=update-hook [--fix] /srv/git/rpms }}}
Fourth patch is completely optional, but I figured I'd throw it out there, in case it is useful. It just schedules a weekly execution of the check script, to ensure that we don't have any repositories left that somehow don't have the right update hooks.
distgit: Block push of branches named 'origin/*' 0001-distgit-Block-push-of-branches-named-origin.patch
Dropping "meeting" as this has been reviewed, approved and now push to ansible so it'll be in pkgs01.stg and ready when we do the switch.
This has been deployed in production for a while now, we just forgot to close this ticket.
Metadata Update from @jkeating: - Issue assigned to bochecha
Login to comment on this ticket.