authorIan Jackson <ijackson@chiark.greenend.org.uk>2022-12-27 19:46:26 +0000
committerIan Jackson <ijackson@chiark.greenend.org.uk>2022-12-28 12:07:44 +0000
commitbb57dba547069e024875213dd088daa1b747946c (patch)
treee4ae111e2b31a5b4cc01b1a0b3e0a55343f9af2b /infra/dgit-repos-policy-debian
parent1487f0e51156dedc0121f5e17d6d7cf6f3a19b2f (diff)
dgit-repos-policy-debian: package_questionable_head_msg: explain
Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
Diffstat (limited to 'infra/dgit-repos-policy-debian')
-rwxr-xr-xinfra/dgit-repos-policy-debian20
1 files changed, 20 insertions, 0 deletions
diff --git a/infra/dgit-repos-policy-debian b/infra/dgit-repos-policy-debian
index cb69211..0566285 100755
--- a/infra/dgit-repos-policy-debian
+++ b/infra/dgit-repos-policy-debian
@@ -313,6 +313,26 @@ sub getpushinfo () {
sub deliberately ($) { return $deliberately{"--deliberately-$_[0]"}; }
sub package_questionable_head_msg () {
+ # This lets us reuse some of the same code, and the same message,
+ # for checking during actual push, and for pre-push taint check.
+ #
+ # In principle it might be nicer to unify this code, with some
+ # kind of super realistic dry run push function. However, that
+ # dry run function would have to involve sending the client's git
+ # objects to the server. We wouldn't want to do that twice, so it
+ # would have to be cached somehow, but we don't want to allow
+ # un-signed things to lurk about on the server. (The super dry
+ # run mode would have to involve the server tolerating an unsigned
+ # tag, or something, but that would be OK in principle.) The dry
+ # run mode would have to be careful about what subsets of the
+ # actions it took.
+ #
+ # So instead we apply ad-hoc checks, with separate implementations
+ # for the push path, and the pre-push checks. The tainted-objects
+ # policy-client-query exists to support this: it allows the
+ # efficient reimplementation of the tainted objects check, without
+ # transferring the objects to the server.
+
return undef unless $pkg_exists;
return undef unless $pkg_secret;
# TODO: ideally this would be translated at the client end but
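Review bot: The comment added at the top of package_questionable_head_msg does not say which of the two implementations it describes is authoritative: the check on the push path or the pre-push taint check. Since the pre-push check is answered through a policy-client-query without the objects being transferred, it presumably cannot serve as enforcement, and two ad-hoc implementations can drift apart over time. If that is the intent, a closing line such as `# The push-path check is what enforces policy; the pre-push check is advisory and must be kept in step with it.` would make it explicit for the next maintainer. The function body continues past the end of the hunk, so how the shared message is built is not visible here.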