How to prevent gerrit from modifying other commits?

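Consider the following scenario:

  1. Alice checks out / cherry-picks a commit of Bob's that has not yet been submitted to master.

  2. Bob pushes a new patch set for this commit. Alice knows nothing about it.

  3. Alice pushes her new commit based on the outdated version of Bob's commit, and gerrit also applies a new patch set to Bob's commit based on the Change-ID, overwriting Bob's latest changes.

Is there any way in git/gerrit to prevent this from happening?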

You can change the default "Forge Author" permission:

Normally Gerrit requires the author and the committer identity lines in a Git commit object (or tagger line in an annotated tag) to match one of the registered email addresses of the uploading user. This permission allows users to bypass parts of that validation, which may be necessary when mirroring changes from an upstream project.

Permits the use of an unverified author line in commit objects. This can be useful when applying patches received by email from 3rd parties, when cherry-picking changes written by others across branches, or when amending someone else’s commit to fix up a minor problem before submitting.

By default this is granted to Registered Users in all projects, but a site administrator may disable it if verified authorship is required.

More information: https://gerrit.cpqd.com.br/Documentation/access-control.html#category_forge_author

I implemented the functionality I needed with a git pre-push hook. Here are the contents of my .git/pre-push file:

#!/bin/sh

# A hook script to verify what is about to be pushed.  Called by "git
# push" after it has checked the remote status, but before anything has been
# pushed.  If this script exits with a non-zero status nothing will be pushed.
#
# This hook is called with the following parameters:
#
#   $1 -- Name of the remote to which the push is being done
#   $2 -- URL to which the push is being done
#
# If pushing without using a named remote those arguments will be equal.
#
# Information about the commits which are being pushed is supplied as lines to
# the standard input in the form:
#
#   <local ref> <local sha1> <remote ref> <remote sha1>

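# Identity git would use for a new commit: "Name <email> timestamp tz".
AUTHOR=$(git var GIT_AUTHOR_IDENT)

while read -r local_ref local_sha remote_ref remote_sha
do
    # A ref deletion is reported with an all-zero local sha; nothing to check.
    case "$local_sha" in *[!0]*) ;; *) continue ;; esac

    # Author email of the tip commit being pushed.
    commit_author=$(git log -1 --pretty=format:"%ae" "$local_sha")
    #echo $local_ref $local_sha $remote_ref $remote_sha $commit_author
    # Count fixed-string matches of that email in the local identity.
    found=$(echo "$AUTHOR" | grep -cF "$commit_author")

    if [ "$found" -eq 0 ]
    then
        echo
        echo "REJECTED by local pre-push hook:"
        echo "You are trying to push some other's commit: $local_sha $commit_author"
        echo "Use --no-verify if you are sure this is not an error"
        exit 1
    fi
done
echo "Local pre-push verify passed ok"
exit 0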
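
An added example, not part of the answer above: a pre-push hook that inspects every commit in the pushed range rather than only the tip, so a commit by someone else sitting underneath your own commit is also reported together with the Change-Id it would update. The function names are hypothetical; it assumes the push goes to a named remote with remote-tracking branches, that `user.email` is your author email, and a git version that supports the `%(trailers:key=...)` format.

```shell
#!/bin/sh
# Added example: check all commits a push would send, not just the tip.

# Read "<sha> <author-email> [<change-id>]" lines on stdin and print the
# ones whose author is not $1. Pure text filter, testable without a repo.
foreign_commits() {
    my_email=$1
    while read -r sha email change_id
    do
        [ -n "$sha" ] || continue
        [ "$email" = "$my_email" ] ||
            echo "$sha $email ${change_id:-no-Change-Id}"
    done
}

# List commits sent by one line of hook input.
# $1 = local sha, $2 = remote sha, $3 = remote name
pushed_commits() {
    fmt='%H %ae %(trailers:key=Change-Id,valueonly,separator=%x2C)'
    case "$2" in
        # Existing remote ref: only what it does not have yet.
        *[!0]*) git log --format="$fmt" "$2..$1" ;;
        # Remote ref absent (e.g. refs/for/master): everything not on
        # any remote-tracking branch of this remote.
        *)      git log --format="$fmt" "$1" --not --remotes="$3" ;;
    esac
}

main() {
    remote=$1
    my_email=$(git config user.email)
    status=0
    while read -r local_ref local_sha remote_ref remote_sha
    do
        case "$local_sha" in *[!0]*) ;; *) continue ;; esac  # deletion
        bad=$(pushed_commits "$local_sha" "$remote_sha" "$remote" |
              foreign_commits "$my_email")
        if [ -n "$bad" ]
        then
            echo "REJECTED by local pre-push hook, authored by others:" >&2
            echo "$bad" >&2
            status=1
        fi
    done
    return $status
}

# Run only when installed as the hook, so the functions can be sourced.
case "$0" in */pre-push|pre-push) main "$@"; exit $? ;; esac
```

Like any client-side hook this is advisory: it runs only where it is installed and `--no-verify` skips it.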