BUG: sendemail-validate hook is run too early

BUG: sendemail-validate hook is run too early

[Jani Nikula]

I'm trying to use the sendemail-validate hook to validate the recipients
of the patch email, among other things. Turns out the hook gets run
immediately on the input patches, *not* on the "e-mail to be sent" as
claimed by githooks(5).

This means the recipients added by git send-email automatically or on
the git send-email command-line, or any changes done by the user with
--annotate will not be validated.

This is easy to demonstrate in a git repo with e.g.

$ ln -s /bin/cat .git/hooks/sendemail-validate
$ git send-email --dry-run -1 --to bypass-validation@example.com

The file passed to the validate hook does not have the address.

If changing the location of the current validation hook seems too risky,
as apparently it's been like this for more than a decade, I suggest
adding another hook on the actual email to be sent.


BR,
Jani.

-- 
Jani Nikula, Intel Open Source Graphics Center

Re: BUG: sendemail-validate hook is run too early

[Junio C Hamano]

Jani Nikula <jani.nikula@intel.com> writes:

> I'm trying to use the sendemail-validate hook to validate the recipients
> of the patch email, among other things. Turns out the hook gets run
> immediately on the input patches, *not* on the "e-mail to be sent" as
> claimed by githooks(5).

I will make two suggestions, so please do not react before reading
both ;-)

The purpose of the validate hook, at least as it was originally
designed, was to vet the log message and patch contents, so what you
reported is not at all surprising.  After all, the sub that uses the
hook is called "validate_patch" ;-).

A low-hanging documentation fix (this is one suggestion) is to
phrase "e-mail to be sent" as "e-mail that has been submitted (to
git-send-email)" to avoid the confusion.

You do not want to use the sendemail-validate hook for checking for
the recipients, because the e-mail message is not a good source of
that information.

When a recipient is added, two things happen:

 * The recipient is added to the (internal) list of recipients on
   the underlying sendmail command line arguments.  This is the list
   of addresses that actually matter where the piece of email goes.

 * The recipient is added to the text of the message being sent, if
   s/he is being added to either To: or Cc: (this is purely for
   human consumption and does not affect where the piece of email
   goes).  A blind-carbon-copy recipient would not be added for
   obvious reasons.

If you truly want to validate where the message goes, you'd need to
vet the former list, not the latter one.  Otherwise, you'll miss BCC
recipients.

So the other suggestion is to have a separate hook to validate the
list of recipients.  This might be a bit more involved if we want to
execute cleanly, but should not be rocket science.  

The send_message() sub prepares @recipients list to form quite a bit
of processing at the beginning, and the uses the resulting list to
drive the sendmail by adding it to @sendmail_parameters().  The
contents of this @recipients list is what you want to vet before the
code talks to the sendmail program or daemon later in the function.

Re: BUG: sendemail-validate hook is run too early

[Jani Nikula]

On Thu, 02 Jan 2020, Junio C Hamano <gitster@pobox.com> wrote:
> Jani Nikula <jani.nikula@intel.com> writes:
>
>> I'm trying to use the sendemail-validate hook to validate the recipients
>> of the patch email, among other things. Turns out the hook gets run
>> immediately on the input patches, *not* on the "e-mail to be sent" as
>> claimed by githooks(5).
>
> I will make two suggestions, so please do not react before reading
> both ;-)
>
> The purpose of the validate hook, at least as it was originally
> designed, was to vet the log message and patch contents, so what you
> reported is not at all surprising.  After all, the sub that uses the
> hook is called "validate_patch" ;-).
>
> A low-hanging documentation fix (this is one suggestion) is to
> phrase "e-mail to be sent" as "e-mail that has been submitted (to
> git-send-email)" to avoid the confusion.

Agreed; I think this should be done no matter what.

> You do not want to use the sendemail-validate hook for checking for
> the recipients, because the e-mail message is not a good source of
> that information.
>
> When a recipient is added, two things happen:
>
>  * The recipient is added to the (internal) list of recipients on
>    the underlying sendmail command line arguments.  This is the list
>    of addresses that actually matter where the piece of email goes.
>
>  * The recipient is added to the text of the message being sent, if
>    s/he is being added to either To: or Cc: (this is purely for
>    human consumption and does not affect where the piece of email
>    goes).  A blind-carbon-copy recipient would not be added for
>    obvious reasons.
>
> If you truly want to validate where the message goes, you'd need to
> vet the former list, not the latter one.  Otherwise, you'll miss BCC
> recipients.

Understood.

> So the other suggestion is to have a separate hook to validate the
> list of recipients.  This might be a bit more involved if we want to
> execute cleanly, but should not be rocket science.
>
> The send_message() sub prepares @recipients list to form quite a bit
> of processing at the beginning, and the uses the resulting list to
> drive the sendmail by adding it to @sendmail_parameters().  The
> contents of this @recipients list is what you want to vet before the
> code talks to the sendmail program or daemon later in the function.

One key point here is using the patch as input to the recipient
validation. For example, requiring specific recipients when certain
files are changed (a bit like get_maintainers.pl in Linux kernel). To
make it easier for the hook writer, both the patch and the recipients
should be passed to the hook at the same time.

I think one possible alternative to adding a completely new hook would
be postponing the sendemail-validate hook, passing the same patch on the
command-line as before (to ensure current users are unchanged), and
additionally passing in the recipients. Perhaps write the recipient list
in a temp file, and pass the filename on the command-line or via the
environment to the hook.

Alas implementing this in perl *is* rocket science to me, so I'm pretty
much dependent on the git community's help here.

BR,
Jani.

-- 
Jani Nikula, Intel Open Source Graphics Center

Re: BUG: sendemail-validate hook is run too early

[Jani Nikula]

On Fri, 03 Jan 2020, Jani Nikula <jani.nikula@intel.com> wrote:
> I think one possible alternative to adding a completely new hook would
> be postponing the sendemail-validate hook, passing the same patch on the
> command-line as before (to ensure current users are unchanged), and
> additionally passing in the recipients.

I realize the validation is done on *all* patches in a series before any
further processing, so the suggestion to postpone the current validation
hook is a bad idea. We'd need a new hook. The other points about having
both the patch contents and the recipients available to the hook remain.

BR,
Jani.


-- 
Jani Nikula, Intel Open Source Graphics Center