From bb57dba547069e024875213dd088daa1b747946c Mon Sep 17 00:00:00 2001
From: Ian Jackson
Date: Tue, 27 Dec 2022 19:46:26 +0000
Subject: dgit-repos-policy-debian: package_questionable_head_msg: explain
Signed-off-by: Ian Jackson
---
 infra/dgit-repos-policy-debian | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)
(limited to 'infra')
diff --git a/infra/dgit-repos-policy-debian b/infra/dgit-repos-policy-debian
index cb69211..0566285 100755
--- a/infra/dgit-repos-policy-debian
+++ b/infra/dgit-repos-policy-debian
@@ -313,6 +313,26 @@ sub getpushinfo () {
 sub deliberately ($) { return $deliberately{"--deliberately-$_[0]"}; }
 sub package_questionable_head_msg () {
+ # This lets us reuse some of the same code, and the same message,
+ # for checking during actual push, and for pre-push taint check.
+ #
+ # In principle it might be nicer to unify this code, with some
+ # kind of super realistic dry run push function. However, that
+ # dry run function would have to involve sending the client's git
+ # objects to the server. We wouldn't want to do that twice, so it
+ # would have to be cached somehow, but we don't want to allow
+ # un-signed things to lurk about on the server. (The super dry
+ # run mode would have to involve the server tolerating an unsigned
+ # tag, or something, but that would be OK in principle.) The dry
+ # run mode would have to be careful about what subsets of the
+ # actions it took.
+ #
+ # So instead we apply ad-hoc checks, with separate implementations
+ # for the push path, and the pre-push checks. The tainted-objects
+ # policy-client-query exists to support this: it allows the
+ # efficient reimplementation of the tainted objects check, without
+ # transferring the objects to the server.
+
 return undef unless $pkg_exists;
 return undef unless $pkg_secret;
 # TODO: ideally this would be translated at the client end but
-- cgit v1.2.3
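Review bot: The comment added at the top of package_questionable_head_msg does not say which of the two implementations it describes is authoritative, nor where the other one lives, so a later change to one can silently miss the other. Because the pre-push check is described as a policy-client-query made without transferring objects, it presumably only gives early warning, while the push-path check is what actually enforces policy; saying so would stop anyone from relaxing the server-side check on the grounds that the client already checked. I would add a closing line such as `# The push-path check is the one that enforces policy; the pre-push check is advisory only, so any change here must be mirrored there.` The function body continues past the end of the hunk.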