update hook for Main git when handling push from weblate
Originally created by @Anonymous on #15402 (Redmine)
This script is the security barrier into the main git repository. It is triggered by the
bare git hook mechanism.
It is placed inside puppet-tails:
files/gitolite/hooks/tails-weblate-update.hook
Environment:
- the script is triggered for every push to tails.git
- malicious users may try to trick this script
- the translation server may be compromised, and the weblate user may then push malicious commits.
- GL_USER is an environment variable that is set by gitolite, is safe to rely on, and indicates the user that is pushing.
- If the script returns with status code 0 the push is allowed; if it returns non-zero the push is refused.
- Any output to stdout/stderr is allowed, but it is only displayed to the pushing user.
Expected outcome:
- Weblate needs to use “weblate <tails-l10n@boum.org>” as the committer name in every case.
- Weblate is ONLY allowed to push po files, nothing else, in every case.
- Everything else is not allowed for weblate.
- For all other users the script should not do anything.
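An update hook that enforces the environment and expected outcome above, written here as an added example and not the script from the puppet-tails feature branch. It assumes the gitolite user is named `weblate`, that gitolite sets `GL_USER`, and that git calls the hook as `update <refname> <oldrev> <newrev>`; the committer string checked is exactly the one the ticket mandates.

```shell
#!/bin/sh
# gitolite "update" hook: invoked as  update <refname> <oldrev> <newrev>
# Policy for GL_USER 'weblate': only commits with the mandated committer,
# touching only .po files, are accepted; everything else is refused.
WEBLATE_USER=weblate                                   # gitolite user (assumption)
WEBLATE_COMMITTER='weblate <tails-l10n@boum.org>'      # required '%cn <%ce>'
ZERO=0000000000000000000000000000000000000000          # git's "no such object" id

# Exit 0 when the committer string matches the mandated weblate identity.
committer_allowed() { [ "$1" = "$WEBLATE_COMMITTER" ]; }

# Exit 0 when every path in a newline-separated list is a .po file.
# Git double-quotes odd filenames (newlines, non-ASCII), so those end in '"'
# rather than '.po' and are refused: the check fails closed.
paths_allowed() {
  printf '%s\n' "$1" | while IFS= read -r path; do
    [ -z "$path" ] && continue
    case "$path" in
      *.po) ;;                  # translation file: fine
      *) exit 1 ;;              # anything else: reject (leaves the subshell)
    esac
  done
}

update_hook() {
  refname=$1; oldrev=$2; newrev=$3
  [ "$GL_USER" = "$WEBLATE_USER" ] || return 0     # other users: do nothing
  if [ "$newrev" = "$ZERO" ]; then
    echo "refused: weblate may not delete $refname" >&2; return 1
  fi
  if [ "$oldrev" = "$ZERO" ]; then
    range="$newrev --not --all"   # new ref: only commits not reachable elsewhere
  else
    range="$oldrev..$newrev"
  fi
  for commit in $(git rev-list $range); do
    committer=$(git log -1 --format='%cn <%ce>' "$commit")
    committer_allowed "$committer" ||
      { echo "refused $commit: committer is '$committer'" >&2; return 1; }
    # -m: diff merge commits against each parent too, so an "evil merge"
    # cannot smuggle in files that are in neither parent.
    files=$(git diff-tree -m --no-commit-id --name-only -r "$commit")
    paths_allowed "$files" ||
      { echo "refused $commit: touches a file that is not a .po" >&2; return 1; }
  done
  return 0
}

# Only act as the hook when git/gitolite passes the three arguments.
if [ $# -eq 3 ]; then update_hook "$@"; exit $?; fi
```

Because the decision is keyed on `GL_USER` (set by gitolite after authentication) and not on the forgeable committer field alone, a compromised translation server can still only push .po content under the weblate identity.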
Feature Branch: https://salsa.debian.org/hefee/puppet-tails/tree/bugfix/15402-update-hook-for-weblate-pushes
Parent Task: #15082 (closed)
Related issues
- Related to tails#15185 (closed)
- Related to #15401 (closed)
- Related to tails#16760 (closed)
- Related to tails#16761
- Blocks #16712 (closed)
Edited by Anonymous