
update hook for Main git when handling push from weblate

Originally created by @Anonymous on #15402 (Redmine)

This script is the security barrier into the main git repository. It is triggered by the bare git hook mechanism.
It is placed inside puppet-tails: files/gitolite/hooks/tails-weblate-update.hook

Environment:

  • the script is triggered for every push to tails.git
  • malicious users may try to trick this script
  • the translation server may be compromised and the weblate user may push malicious commits
  • GL_USER is an environment variable set by gitolite; it is safe to rely on and indicates the user that is pushing
  • if the script exits with status 0 the push is allowed; with a non-zero status it is refused
  • any output to stdout/stderr is allowed but is only displayed to the user

Expected outcome:

  • Weblate needs to use “weblate <tails-l10n@boum.org>” as committer “name” in any case
  • Weblate is ONLY allowed to push po files, nothing else, in any case
  • Everything else is not allowed for weblate
  • For all other users the script should not do anything
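The policy above, as an added shell example of such an update hook. This is not the puppet-tails hook from the feature branch below; the GL_USER value `weblate`, the calling convention (refname, oldrev, newrev as the three arguments), the rendering of the committer as `%cn <%ce>`, and the fail-closed handling of empty commits, merge commits, non-fast-forward pushes, non-branch refs, branch deletions and symlink/submodule entries are all assumptions made for the example:

```shell
#!/bin/sh
# Added example of an update hook for the policy described in the issue.
# Not the puppet-tails hook. Assumed calling convention: $1 refname,
# $2 oldrev, $3 newrev; exit 0 allows the push, anything else refuses it.

WEBLATE_USER="weblate"                              # assumed GL_USER of the translation server
WEBLATE_COMMITTER="weblate <tails-l10n@boum.org>"   # required committer, from the issue
ZERO_REV="0000000000000000000000000000000000000000"

# Policy for one commit: $1 is the committer as "Name <email>", the remaining
# arguments are the paths the commit touches. Returns 0 if acceptable.
# A commit touching no file is refused (fail closed; the issue does not
# say what to do with empty commits).
check_weblate_commit() {
    committer="$1"; shift
    if [ "$committer" != "$WEBLATE_COMMITTER" ]; then
        echo "weblate: committer '$committer' is not '$WEBLATE_COMMITTER'" >&2
        return 1
    fi
    if [ $# -eq 0 ]; then
        echo "weblate: commit touches no file" >&2
        return 1
    fi
    for path in "$@"; do
        case "$path" in
            *.po) ;;   # the only thing weblate may touch
            *)  echo "weblate: path '$path' is not a .po file" >&2
                return 1 ;;
        esac
    done
    return 0
}

# Policy for a whole ref update. git is only consulted when GL_USER is weblate.
check_update() {
    refname="$1"; oldrev="$2"; newrev="$3"
    # Any other user: do nothing, allow.
    [ "${GL_USER:-}" = "$WEBLATE_USER" ] || return 0
    case "$refname" in
        refs/heads/*) ;;
        *) echo "weblate: may only push branches, not $refname" >&2; return 1 ;;
    esac
    if [ "$newrev" = "$ZERO_REV" ]; then
        echo "weblate: branch deletion refused" >&2
        return 1
    fi
    if [ "$oldrev" = "$ZERO_REV" ]; then
        # New branch: inspect only commits not reachable from existing refs.
        range="$newrev --not --all"
    else
        git merge-base --is-ancestor "$oldrev" "$newrev" || {
            echo "weblate: non-fast-forward push refused" >&2; return 1; }
        range="$oldrev..$newrev"
    fi
    # $range is deliberately unquoted: it may be several words.
    if [ -n "$(git rev-list --merges $range)" ]; then
        # diff-tree on a merge shows only the first-parent diff, so a merge
        # could carry changes the per-file check never sees; refuse them.
        echo "weblate: merge commits refused" >&2
        return 1
    fi
    for commit in $(git rev-list $range); do
        # %cn/%ce are the raw committer fields, without mailmap rewriting.
        committer=$(git log -1 --format='%cn <%ce>' "$commit")
        # Refuse symlinks (mode 120000) and submodule gitlinks (160000):
        # a symlink named x.po would otherwise pass the suffix check.
        if git diff-tree --no-commit-id -r --raw "$commit" \
                | awk '{ print $2 }' | grep -qE '^(120000|160000)$'; then
            echo "weblate: symlink or submodule entry in $commit refused" >&2
            return 1
        fi
        # One path per line. git C-quotes unusual names in "...", which then
        # fail the *.po match and are refused, which is the safe direction.
        paths=$(git diff-tree --no-commit-id -r --name-only "$commit")
        oldifs=$IFS; IFS='
'
        set -- $paths
        IFS=$oldifs
        check_weblate_commit "$committer" "$@" || return 1
    done
    return 0
}

# Hook entry point: git/gitolite call this with refname, oldrev, newrev.
if [ $# -eq 3 ]; then
    check_update "$@"
    exit $?
fi
```

The check only constrains the file suffix, as the issue does; if the repository processes .po files in one known directory, tightening the `*.po` pattern to that directory is a cheap extra barrier. Deletions of .po files pass, since `--name-only` lists them like any other touched path.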

Feature Branch: https://salsa.debian.org/hefee/puppet-tails/tree/bugfix/15402-update-hook-for-weblate-pushes


Parent Task: #15082 (closed)

