change lfs.allowincompletepush default from true to false #3109
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
larsxschneider
force-pushed
the
ls/check-push
branch
from
58a3a7b to
da501c3
Compare
ttaylorr
approved these changes
Jul 5, 2018
larsxschneider
changed the title
larsxschneider
force-pushed
the
ls/check-push
branch
2 times, most recently
from
e439315 to
4357f53
Compare
ttaylorr
reviewed
Jul 5, 2018
There was a problem hiding this comment.
@larsxschneider this looks great to me.
I am glad that you added a hint, since this will break pushes from users that did not have the objects that they were trying to push, and had not explicitly configured lfs.allowincompletepush to a true-like value.
That's a breaking change, but I'm OK with it provided that we retain this message as an easy way for a user to recover from a failed push.
I left one nit for your consideration.
commands/uploader.go
Outdated
| @@ -289,6 +289,8 @@ func (c *uploadContext) ReportErrors() { | |||
| } | |||
|
|
|||
| if !c.allowMissing { | |||
| Print("hint: Your push was rejected due to missing or corrupt local objects.\n" + | |||
There was a problem hiding this comment.
I like this message, and I think that it's good that we're only showing it once at the end of the attempted push, right before calling os.Exit.
If you don't mind, I think that we could extract this message out to a var and print it by referencing that instead of having a string constant in the code. We use this pattern in the clone and checkout commands, which have deprecation notices.
I was thinking something like:
var (
pushMissingHint = []string{...}
)
if !c.allowMissing {
Print(strings.Join(pushMissingHint, "\n"))
}
os.Exit(2)There was a problem hiding this comment.
Agreed and implemented 👍
larsxschneider
force-pushed
the
ls/check-push
branch
from
4357f53 to
d784e1d
Compare
`test-push-missing.sh` tested two error conditions (missing and corrupt) with one `git push` exit code check. Split the test into two tests to ensure both errors cause a `git push` error exit. `test-push.sh` contained tests similar to `test-push-missing.sh`. Group them all together in the new test file.
larsxschneider
force-pushed
the
ls/check-push
branch
from
d784e1d to
c33cf5a
Compare
terrorobe
reviewed
Jul 5, 2018
commands/uploader.go
Outdated
| @@ -289,6 +289,11 @@ func (c *uploadContext) ReportErrors() { | |||
| } | |||
|
|
|||
| if !c.allowMissing { | |||
| pushMissingHint := []string{ | |||
| "hint: Your push was rejected due to missing or corrupt local objects.", | |||
| "hint: Overwrite the reject with `git config lfs.allowincompletepush true`.", | |||
There was a problem hiding this comment.
Wording nit: Maybe something along the lines of
hint: You can disable this check using...
There was a problem hiding this comment.
Fixed 👍
Following:
git-lfs/commands/lockverifier.go
Line 66 in f5f5731
larsxschneider
force-pushed
the
ls/check-push
branch
from
c33cf5a to
a6f21ec
Compare
Incomplete pushes can corrupt a repository. Therefore we should not allow them and fail hard by default. If the situation occurs, then print a hint to the user and explain how to overwrite the hard failure using the `lfs.allowincompletepush` config.
larsxschneider
force-pushed
the
ls/check-push
branch
from
a6f21ec to
f5f5731
Compare
ttaylorr
approved these changes
Jul 5, 2018
ttaylorr
added a commit
that referenced
this pull request
Jul 6, 2018
In config/git_fetcher.go, we have special rules to mark certain Git
configuration keys as safe or unsafe.
Particularly, we apply these rules strictly to all values fetched from
the repository-local .lfsconfig, since it is distributed to all fetchers
of a repository and provides a widely available attack-vector.
Therefore, we only allow a tiny subset of all keys via the keyIsUnsafe
function and safeKeys slice.
The 'lfs.allowincompletepush' configuration determines whether or not a
user should be allowed to push a repository that has missing LFS objects
to a remote.
Previously, it was ignored with the following message:
$ git push repo_clone repo_orig_master
WARNING: These unsafe lfsconfig keys were ignored:
lfs.allowincompletepush
In [1], Lars changed the default from 'true' to 'false'. In order to
allow users or repository maintainers to retain the prior behavior,
let's let them distribute this configuration from the repository's
.lfsconfig and thusly mark it as safe.
[1]: #3109
dhiwakarK
pushed a commit
to dhiwakarK/expert-octo-doodle
that referenced
this pull request
Nov 3, 2022
In config/git_fetcher.go, we have special rules to mark certain Git
configuration keys as safe or unsafe.
Particularly, we apply these rules strictly to all values fetched from
the repository-local .lfsconfig, since it is distributed to all fetchers
of a repository and provides a widely available attack-vector.
Therefore, we only allow a tiny subset of all keys via the keyIsUnsafe
function and safeKeys slice.
The 'lfs.allowincompletepush' configuration determines whether or not a
user should be allowed to push a repository that has missing LFS objects
to a remote.
Previously, it was ignored with the following message:
$ git push repo_clone repo_orig_master
WARNING: These unsafe lfsconfig keys were ignored:
lfs.allowincompletepush
In [1], Lars changed the default from 'true' to 'false'. In order to
allow users or repository maintainers to retain the prior behavior,
let's let them distribute this configuration from the repository's
.lfsconfig and thusly mark it as safe.
[1]: git-lfs/git-lfs#3109
Former-commit-id: d3564823abf16517a1b40a905c8f0e968a9ed410
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Incomplete pushes can corrupt a repository. Therefore we should not allow them and fail hard by default.
See #3105