Is there any way to make hooks part of the repository?

Is there any way to make hooks part of the repository?

[Hilco Wijbenga]

Hi all,

There are a couple of things that keep going wrong while we are
working on our code base. Some of them are very simple to check for in
a Git hook. However, I get the impression that it is not possible to
"include" the hooks with the Git repo itself (so that "git clone"
would automatically set them up). Normally, this would not be such a
big deal: I would simply add the hooks on the server. Unfortunately,
this is not an option (we use Unfuddle and they do not support that).

Is there any way to get (some of) the Git hooks to run for everyone
without everyone having to install them separately? If no, is this by
design or simply a feature nobody has asked for (yet)?

Cheers,
Hilco

Re: Is there any way to make hooks part of the repository?

[Junio C Hamano]

Hilco Wijbenga <hilco.wijbenga@gmail.com> writes:

> Is there any way to get (some of) the Git hooks to run for everyone
> without everyone having to install them separately? If no, is this by
> design or simply a feature nobody has asked for (yet)?

By design.  Do you want me to include "rm -fr ~hilco" in some hook of
git.git repository?

Re: Is there any way to make hooks part of the repository?

[Randal L. Schwartz]

>>>>> "Junio" == Junio C Hamano <gitster@pobox.com> writes:

Junio> By design.  Do you want me to include "rm -fr ~hilco" in some hook of
Junio> git.git repository?

This just came up yesterday at $PRIMARY_CLIENT.  One idea we kicked
around was having a convention for storing the hooks-to-be-populated in
".githooks" in the repository tree, and then having clone notice that
and offer to install them directly if from a trusted source, or at least
move them into a disabled state in .git/hooks otherwise.

-- 
Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
<merlyn@stonehenge.com> <URL:http://www.stonehenge.com/merlyn/>
Smalltalk/Perl/Unix consulting, Technical writing, Comedy, etc. etc.
See http://methodsandmessages.posterous.com/ for Smalltalk discussion

Re: Is there any way to make hooks part of the repository?

[Hilco Wijbenga]

On 1 May 2012 13:33, Junio C Hamano <gitster@pobox.com> wrote:
> Hilco Wijbenga <hilco.wijbenga@gmail.com> writes:
>
>> Is there any way to get (some of) the Git hooks to run for everyone
>> without everyone having to install them separately? If no, is this by
>> design or simply a feature nobody has asked for (yet)?
>
> By design.  Do you want me to include "rm -fr ~hilco" in some hook of
> git.git repository?

Mmm, well, I might get quite famous if you did... ;-)

But if you wanted to be evil then you could easily find another place
(the build scripts, the code itself, et cetera). So I don't think this
is a good argument. Moreover, I do not work with people that would
ever consider such nastiness. You need to realize that this is all
closed source. Your argument would be more valid in an open source
environment (like git.git).

So let's just say that I'm stubborn or I like living on the edge. :-)
Is there any way to have the hooks run for everyone?

Re: Is there any way to make hooks part of the repository?

[Junio C Hamano]

merlyn@stonehenge.com (Randal L. Schwartz) writes:

>>>>>> "Junio" == Junio C Hamano <gitster@pobox.com> writes:
>
> Junio> By design.  Do you want me to include "rm -fr ~hilco" in some hook of
> Junio> git.git repository?
>
> This just came up yesterday at $PRIMARY_CLIENT.  One idea we kicked
> around was having a convention for storing the hooks-to-be-populated in
> ".githooks" in the repository tree, and then having clone notice that
> and offer to install them directly if from a trusted source, or at least
> move them into a disabled state in .git/hooks otherwise.

We've talked about something like that a few times in the past, but as far
as I (am concerned / remember) the conclusion has always been that is not
worth "standardizing", i.e. nothing a ./setup script in-tree or a Makefile
target cannot offer the same convenience.

Re: Is there any way to make hooks part of the repository?

[Hilco Wijbenga]

On 1 May 2012 13:57, Randal L. Schwartz <merlyn@stonehenge.com> wrote:
>>>>>> "Junio" == Junio C Hamano <gitster@pobox.com> writes:
>
> Junio> By design.  Do you want me to include "rm -fr ~hilco" in some hook of
> Junio> git.git repository?
>
> This just came up yesterday at $PRIMARY_CLIENT.  One idea we kicked
> around was having a convention for storing the hooks-to-be-populated in
> ".githooks" in the repository tree, and then having clone notice that
> and offer to install them directly if from a trusted source, or at least
> move them into a disabled state in .git/hooks otherwise.

I guess it would have to be more than just clone. You are quite likely
to update/add hooks later on.

Re: Is there any way to make hooks part of the repository?

[Hilco Wijbenga]

On 1 May 2012 14:03, Junio C Hamano <gitster@pobox.com> wrote:
> merlyn@stonehenge.com (Randal L. Schwartz) writes:
>
>>>>>>> "Junio" == Junio C Hamano <gitster@pobox.com> writes:
>>
>> Junio> By design.  Do you want me to include "rm -fr ~hilco" in some hook of
>> Junio> git.git repository?
>>
>> This just came up yesterday at $PRIMARY_CLIENT.  One idea we kicked
>> around was having a convention for storing the hooks-to-be-populated in
>> ".githooks" in the repository tree, and then having clone notice that
>> and offer to install them directly if from a trusted source, or at least
>> move them into a disabled state in .git/hooks otherwise.
>
> We've talked about something like that a few times in the past, but as far
> as I (am concerned / remember) the conclusion has always been that is not
> worth "standardizing", i.e. nothing a ./setup script in-tree or a Makefile
> target cannot offer the same convenience.

This would not keep things up-to-date, though, would it? It seems like
yet another thing developers need to remember and do. I would prefer
something more automatic.

Re: Is there any way to make hooks part of the repository?

[PJ Weisberg]

On Tue, May 1, 2012 at 2:09 PM, Hilco Wijbenga <hilco.wijbenga@gmail.com> wrote:

> On 1 May 2012 14:03, Junio C Hamano <gitster@pobox.com> wrote:
>
>> We've talked about something like that a few times in the past, but as far
>> as I (am concerned / remember) the conclusion has always been that is not
>> worth "standardizing", i.e. nothing a ./setup script in-tree or a Makefile
>> target cannot offer the same convenience.
>
> This would not keep things up-to-date, though, would it? It seems like
> yet another thing developers need to remember and do. I would prefer
> something more automatic.

Once your hooks are installed, couldn't your post-checkout and
post-merge hooks keep all the others up to date?


-PJ

Gehm's Corollary to Clark's Law: Any technology distinguishable from
magic is insufficiently advanced.

Re: Is there any way to make hooks part of the repository?

[Hilco Wijbenga]

On 1 May 2012 14:59, PJ Weisberg <pj@irregularexpressions.net> wrote:
> On Tue, May 1, 2012 at 2:09 PM, Hilco Wijbenga <hilco.wijbenga@gmail.com> wrote:
>
>> On 1 May 2012 14:03, Junio C Hamano <gitster@pobox.com> wrote:
>>
>>> We've talked about something like that a few times in the past, but as far
>>> as I (am concerned / remember) the conclusion has always been that is not
>>> worth "standardizing", i.e. nothing a ./setup script in-tree or a Makefile
>>> target cannot offer the same convenience.
>>
>> This would not keep things up-to-date, though, would it? It seems like
>> yet another thing developers need to remember and do. I would prefer
>> something more automatic.
>
> Once your hooks are installed, couldn't your post-checkout and
> post-merge hooks keep all the others up to date?

Excellent point. Yes, that would certainly work.

Re: Is there any way to make hooks part of the repository?

[Nathan Gray]

On Tue, May 1, 2012 at 3:21 PM, Hilco Wijbenga <hilco.wijbenga@gmail.com> wrote:
> On 1 May 2012 14:59, PJ Weisberg <pj@irregularexpressions.net> wrote:
>> On Tue, May 1, 2012 at 2:09 PM, Hilco Wijbenga <hilco.wijbenga@gmail.com> wrote:
>>
>>> On 1 May 2012 14:03, Junio C Hamano <gitster@pobox.com> wrote:
>>>
>>>> We've talked about something like that a few times in the past, but as far
>>>> as I (am concerned / remember) the conclusion has always been that is not
>>>> worth "standardizing", i.e. nothing a ./setup script in-tree or a Makefile
>>>> target cannot offer the same convenience.
>>>
>>> This would not keep things up-to-date, though, would it? It seems like
>>> yet another thing developers need to remember and do. I would prefer
>>> something more automatic.
>>
>> Once your hooks are installed, couldn't your post-checkout and
>> post-merge hooks keep all the others up to date?
>
> Excellent point. Yes, that would certainly work.

But beware, this has the effect of making your hooks
version-dependent.  Check out a different branch and you can
potentially end up with a different hook.

IMHO things like this belong in a separate "admin" repo -- policy may
change over time, but going back to an old version of your code
shouldn't take you back to a correspondingly old version of your
policy.

Cheers,
-n8

-- 
HexaLex: A New Angle on Crossword Games for iPhone and iPod Touch
http://hexalex.com
On The App Store: http://bit.ly/8Mj1CU
On Facebook: http://bit.ly/9MIJiV
On Twitter: http://twitter.com/hexalexgame
http://n8gray.org

Re: Is there any way to make hooks part of the repository?

[Hilco Wijbenga]

On 1 May 2012 17:10, Nathan Gray <n8gray@n8gray.org> wrote:
> On Tue, May 1, 2012 at 3:21 PM, Hilco Wijbenga <hilco.wijbenga@gmail.com> wrote:
>> On 1 May 2012 14:59, PJ Weisberg <pj@irregularexpressions.net> wrote:
>>> On Tue, May 1, 2012 at 2:09 PM, Hilco Wijbenga <hilco.wijbenga@gmail.com> wrote:
>>>
>>>> On 1 May 2012 14:03, Junio C Hamano <gitster@pobox.com> wrote:
>>>>
>>>>> We've talked about something like that a few times in the past, but as far
>>>>> as I (am concerned / remember) the conclusion has always been that is not
>>>>> worth "standardizing", i.e. nothing a ./setup script in-tree or a Makefile
>>>>> target cannot offer the same convenience.
>>>>
>>>> This would not keep things up-to-date, though, would it? It seems like
>>>> yet another thing developers need to remember and do. I would prefer
>>>> something more automatic.
>>>
>>> Once your hooks are installed, couldn't your post-checkout and
>>> post-merge hooks keep all the others up to date?
>>
>> Excellent point. Yes, that would certainly work.
>
> But beware, this has the effect of making your hooks
> version-dependent.  Check out a different branch and you can
> potentially end up with a different hook.
>
> IMHO things like this belong in a separate "admin" repo -- policy may
> change over time, but going back to an old version of your code
> shouldn't take you back to a correspondingly old version of your
> policy.

You have a point, of course, however, checking out an older version
(that does not comply with current policy) should not break (when
interacting with Git) just because of that. So I think there is at
least some justification to version the policy as well.

This is something we will simply have to experience to see what works best.

Re: Is there any way to make hooks part of the repository?

[Matthieu Moy]

Hilco Wijbenga <hilco.wijbenga@gmail.com> writes:

> On 1 May 2012 13:33, Junio C Hamano <gitster@pobox.com> wrote:
>> Hilco Wijbenga <hilco.wijbenga@gmail.com> writes:
>>
>>> Is there any way to get (some of) the Git hooks to run for everyone
>>> without everyone having to install them separately? If no, is this by
>>> design or simply a feature nobody has asked for (yet)?
>>
>> By design.  Do you want me to include "rm -fr ~hilco" in some hook of
>> git.git repository?
>
> Mmm, well, I might get quite famous if you did... ;-)
>
> But if you wanted to be evil then you could easily find another place
> (the build scripts, the code itself, et cetera).

Yes, but at least, you have the opportunity to examine the other places
before they are ran. Hooks would be really, really nasty security-wise.
For example, "git clone" does a checkout, so should probably run the
checkout hooks.

> So I don't think this is a good argument. Moreover, I do not work with
> people that would ever consider such nastiness. You need to realize
> that this is all closed source. Your argument would be more valid in
> an open source environment (like git.git).

That may be acceptable for you, but you can't ask for such feature to be
included in Git itself. At best, a standardized way to setup hooks (but
something that would require a user-action to be set up) would be
acceptable.

-- 
Matthieu Moy
http://www-verimag.imag.fr/~moy/

Re: Is there any way to make hooks part of the repository?

[Hilco Wijbenga]

On 1 May 2012 23:38, Matthieu Moy <Matthieu.Moy@grenoble-inp.fr> wrote:
> Hilco Wijbenga <hilco.wijbenga@gmail.com> writes:
>
>> On 1 May 2012 13:33, Junio C Hamano <gitster@pobox.com> wrote:
>>> Hilco Wijbenga <hilco.wijbenga@gmail.com> writes:
>>>
>>>> Is there any way to get (some of) the Git hooks to run for everyone
>>>> without everyone having to install them separately? If no, is this by
>>>> design or simply a feature nobody has asked for (yet)?
>>>
>>> By design.  Do you want me to include "rm -fr ~hilco" in some hook of
>>> git.git repository?
>>
>> Mmm, well, I might get quite famous if you did... ;-)
>>
>> But if you wanted to be evil then you could easily find another place
>> (the build scripts, the code itself, et cetera).
>
> Yes, but at least, you have the opportunity to examine the other places
> before they are ran. Hooks would be really, really nasty security-wise.
> For example, "git clone" does a checkout, so should probably run the
> checkout hooks.

There is (or, rather, should be) absolutely no difference between code
changes and hook changes. Both would go through the same review
process. If it's possible to put in nasty hooks then it's possible to
put in nasty code.

>> So I don't think this is a good argument. Moreover, I do not work with
>> people that would ever consider such nastiness. You need to realize
>> that this is all closed source. Your argument would be more valid in
>> an open source environment (like git.git).
>
> That may be acceptable for you, but you can't ask for such feature to be
> included in Git itself. At best, a standardized way to setup hooks (but
> something that would require a user-action to be set up) would be
> acceptable.

Given ${PROJECT}/.git, I would think that a simple config setting
(hooks.run-automatically-this-is-a-security-risk [defaulting to false,
of course]) and an extra directory like ${PROJECT}/.hooks (this should
probably be configurable as well: hooks.directory) would work
perfectly. Then it's up to the project to decide if they want to use
that feature. Moreover, you could then still have "personal" hooks in
${PROJECT}/.git/hooks.

Would such a setup be acceptable?

Re: Is there any way to make hooks part of the repository?

[Junio C Hamano]

Hilco Wijbenga <hilco.wijbenga@gmail.com> writes:

> On 1 May 2012 23:38, Matthieu Moy <Matthieu.Moy@grenoble-inp.fr> wrote:
> ...
>> Yes, but at least, you have the opportunity to examine the other places
>> before they are ran. Hooks would be really, really nasty security-wise.
>> For example, "git clone" does a checkout, so should probably run the
>> checkout hooks.
>
> There is (or, rather, should be) absolutely no difference between code
> changes and hook changes. Both would go through the same review
> process.

Matthieu is *not* talking about auditing nastiness going into the
project's repository; he is talking is about a chance to audit whatever
comes from the project's repository that *could* potentially contain some
nastiness before it causes harm to your working environment. In other
words, not *having* to trust what is in the project's repository, but
having a way to verify.

Read what he wrote again with that in mind, and you will understand his
point.

Re: Is there any way to make hooks part of the repository?

[Hilco Wijbenga]

On 2 May 2012 12:27, Junio C Hamano <gitster@pobox.com> wrote:
> Hilco Wijbenga <hilco.wijbenga@gmail.com> writes:
>
>> On 1 May 2012 23:38, Matthieu Moy <Matthieu.Moy@grenoble-inp.fr> wrote:
>> ...
>>> Yes, but at least, you have the opportunity to examine the other places
>>> before they are ran. Hooks would be really, really nasty security-wise.
>>> For example, "git clone" does a checkout, so should probably run the
>>> checkout hooks.
>>
>> There is (or, rather, should be) absolutely no difference between code
>> changes and hook changes. Both would go through the same review
>> process.
>
> Matthieu is *not* talking about auditing nastiness going into the
> project's repository; he is talking is about a chance to audit whatever
> comes from the project's repository that *could* potentially contain some
> nastiness before it causes harm to your working environment. In other
> words, not *having* to trust what is in the project's repository, but
> having a way to verify.
>
> Read what he wrote again with that in mind, and you will understand his
> point.

Yes, I understand.

Perhaps these automatic hooks should only be applicable for "outgoing"
changes like commit and push? That way you can review the hooks before
they run but you still have a chance to prevent developer errors from
getting to the server/other people (which is really all I care about,
I am looking for a way to protect developers from making silly
mistakes).

Re: Is there any way to make hooks part of the repository?

[Thomas Rast]

Hilco Wijbenga <hilco.wijbenga@gmail.com> writes:

>> Matthieu is *not* talking about auditing nastiness going into the
>> project's repository; he is talking is about a chance to audit whatever
>> comes from the project's repository that *could* potentially contain some
>> nastiness before it causes harm to your working environment. In other
>> words, not *having* to trust what is in the project's repository, but
>> having a way to verify.
>
> Perhaps these automatic hooks should only be applicable for "outgoing"
> changes like commit and push? That way you can review the hooks before
> they run but you still have a chance to prevent developer errors from
> getting to the server/other people (which is really all I care about,
> I am looking for a way to protect developers from making silly
> mistakes).

Shouldn't those checks be made server-side with a pre-receive hook?

-- 
Thomas Rast
trast@{inf,student}.ethz.ch

Re: Is there any way to make hooks part of the repository?

[Hilco Wijbenga]

On 3 May 2012 02:00, Thomas Rast <trast@student.ethz.ch> wrote:
> Hilco Wijbenga <hilco.wijbenga@gmail.com> writes:
>
>>> Matthieu is *not* talking about auditing nastiness going into the
>>> project's repository; he is talking is about a chance to audit whatever
>>> comes from the project's repository that *could* potentially contain some
>>> nastiness before it causes harm to your working environment. In other
>>> words, not *having* to trust what is in the project's repository, but
>>> having a way to verify.
>>
>> Perhaps these automatic hooks should only be applicable for "outgoing"
>> changes like commit and push? That way you can review the hooks before
>> they run but you still have a chance to prevent developer errors from
>> getting to the server/other people (which is really all I care about,
>> I am looking for a way to protect developers from making silly
>> mistakes).
>
> Shouldn't those checks be made server-side with a pre-receive hook?

Firstly, see my original email: we have no such access to the server.
Secondly, (now that I've thought about it a bit more), it makes more
sense to do it on the "client" instead of having the server do all the
work for everybody. (Fail early, fail fast.)

Re: Is there any way to make hooks part of the repository?

[Johan Herland]

On Thu, May 3, 2012 at 7:05 PM, Hilco Wijbenga <hilco.wijbenga@gmail.com> wrote:
> On 3 May 2012 02:00, Thomas Rast <trast@student.ethz.ch> wrote:
>> Shouldn't those checks be made server-side with a pre-receive hook?
>
> Firstly, see my original email: we have no such access to the server.
> Secondly, (now that I've thought about it a bit more), it makes more
> sense to do it on the "client" instead of having the server do all the
> work for everybody. (Fail early, fail fast.)

No matter how you go about this, there is no way to _guarantee_ that a
given hook is run in all user repos (after all, the users have the
ultimate control over their own repos), so if you really _need_ the
hook to be run, then you have no other choice but to put it on the
server. Such is the nature of distributed version control.

If you still want a hook to run in user repos, you can only ask that
users enable the hook by including a script which copies the hook into
place, and then tell your users to run that script (e.g. in your
README).


...Johan

-- 
Johan Herland, <johan@herland.net>
www.herland.net