Update hook for the main git repository when handling pushes from Weblate
This script is the security barrier into the main git repository. It is triggered by the
bare git hook mechanism.
It is placed inside puppet-tails:
files/gitolite/hooks/tails-weblate-update.hook
Environment:
- the script is triggered for every push to tails.git
- malicious users may try to trick this script
- the translation server may be compromised, and the weblate user may push malicious commits
- GL_USER is an environment variable that is set by gitolite, is safe to rely on, and indicates the user that is pushing
- if the script returns with status code 0 the push is allowed; if it returns non-zero, the push is rejected
- any output to stdout/stderr is allowed, but it is only displayed to the pushing user
Expected outcome:
- Weblate needs to use “weblate <tails-l10n@boum.org>” as committer name in every case.
- Weblate is ONLY allowed to push po files, nothing else, in any case.
- Everything else is not allowed for weblate.
- For all other users the script should not do anything.
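As an added example (not the hook from puppet-tails), a POSIX shell update hook that enforces the rules above; the gitolite user name "weblate" is an assumption, while the committer string and the po-only rule come from this description:

```shell
#!/bin/sh
# Added example (not the puppet-tails hook itself): a gitolite "update" hook
# enforcing the rules listed in the issue. The gitolite user name "weblate" is
# an assumption; the committer string and the po-only rule come from the issue.
# gitolite runs the hook as:  update <refname> <oldrev> <newrev>
# with GL_USER set to the authenticated pusher; exit 0 allows, non-zero rejects.

WEBLATE_USER="weblate"                                # assumed gitolite user
WEBLATE_COMMITTER="weblate <tails-l10n@boum.org>"     # from the issue
ZERO="0000000000000000000000000000000000000000"       # git's "no object" id

# Read "Name <email>" lines on stdin; succeed only if every line matches.
committers_ok() {
    while IFS= read -r c; do
        [ "$c" = "$WEBLATE_COMMITTER" ] || return 1
    done
}

# Read paths on stdin; succeed only if every path ends in ".po".
paths_ok() {
    while IFS= read -r p; do
        case "$p" in *.po) ;; *) return 1 ;; esac
    done
}

# Decide on one ref update. Only the weblate user is restricted.
check_update() {
    oldrev=$2; newrev=$3
    [ "${GL_USER:-}" = "$WEBLATE_USER" ] || return 0   # other users: no-op
    if [ "$newrev" = "$ZERO" ]; then
        echo "weblate may not delete $1" >&2; return 1
    fi
    # Commits being introduced; for a new ref, everything not already in the repo.
    if [ "$oldrev" = "$ZERO" ]; then range="$newrev --not --all"; else range="$oldrev..$newrev"; fi
    # Merge commits can carry tree changes that --name-only does not list: reject them.
    if git rev-list --merges $range | grep -q .; then
        echo "weblate may not push merge commits" >&2; return 1
    fi
    if ! git log --format='%cn <%ce>' $range | committers_ok; then
        echo "weblate commits must have committer '$WEBLATE_COMMITTER'" >&2; return 1
    fi
    # Check every commit's file list (not one range diff), so a non-po change
    # that a later commit in the same push reverts is still caught.
    if ! git log --format= --name-only $range | grep . | paths_ok; then
        echo "weblate may only push .po files" >&2; return 1
    fi
}

check_update "$@" || exit 1
```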
Feature Branch: https://salsa.debian.org/hefee/puppet-tails/tree/bugfix/15402-update-hook-for-weblate-pushes
Parent Task: #15082 (closed)
Related issues
- Related to #15185 (closed)
- Related to #15401 (closed)
- Related to #16760
- Related to #16761
- Blocks #16712
Original created by @u on 15402 (Redmine)