Re: [Tails-dev] Please test pre-commit hook for po files

Supprimer ce message

Répondre à ce message
Auteur: u
Date:  
À: tails-dev
Sujet: Re: [Tails-dev] Please test pre-commit hook for po files
Hi!

intrigeri:
> u:
>> intrigeri:
>>> u:
>>>> ln -s ../../wiki/src/contribute/l10n_tricks/pre-commit .
>>>
>>> This caught my eye before I could test this.
>>>
>>> I'd rather not ask all Tails contributors to run code, on every
>>> commit, that lives in a section of our website that's publicly
>>> writable. Please consider moving this script to bin/ :)
>
>> With a notion of 'public' that allows only some people to write here, right?


>  - I believe that the only thing that prevent ikiwiki.cgi from
>    allowing anyone with an Internet connection to edit arbitrary files
>    under wiki/src/ is our lockedit plugin configuration.
>    There's already been security issues in this part of the ikiwiki
>    code so I'd rather not rely on it when we can cheaply avoid it.


Oops. I was not aware of that.
> So yeah, in theory, assuming no software bugs, it's safe to put such
> code under wiki/src/; but it increases attack surface a fair bit, with
> no substantial benefit I can think of, so let's err on the safe side,
> as you did already, thanks!


If there's a place for such scripts, let's put them there :)

> Now, this hook runs wiki/src/contribute/l10n_tricks/check_po.sh so the
> problem I'm describing above is still there. This could not fixed in
> pre-commit hook by calling submodules/jenkins-tools/slaves/check_po
> directly instead of going through the symlink.


Agreed. I'll modify this, this will be transparent for the testers.

Cheers!
u.