On Thu, Apr 23, 2020 at 11:18:15AM -0400, Todd Zullinger wrote:
Hi,
Pierre-Yves Chibon wrote:
> For a first step I went with a third approach: a small python service that
> runs every 3 minutes (configurable): git fetch && git fsck (to ensure the git
> is in a correct state).
You could likely set transfer.fsckObjects¹ and skip the
secondary git fsck call.
The transfer.fsckObjects option will check objects as they
are pulled in via fetch (or git-receive-pack). The option
is available with git-1.8.3.1 in RHEL 7 that is currently
installed on batcave.
That could be set in the repo config or via git -c for just
the invocation in your script.
Here's the docs from the current git release:
https://git-scm.com/docs/git-config#Documentation/git-config.txt-transfer...
I don't know whether all of the later improvements to catch
malicious objects are backported to the RHEL 7 version or
not. Some aren't relevant due to the features which allow
for the malicious behaviors not being available in that
version of git. But the core of the check is still present
and should handle the "fsck on fetch" portion. Details are
in git-config(1).
¹ or fetch.transferObjects
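Added example, not part of the thread above: a helper that does the "fsck on fetch" described here with `git -c` for just one invocation, plus a self-contained demo that builds a constructed upstream, fetches it cleanly, then plants a commit that parses but fails fsck (no committer line) and shows the same fetch being rejected. All paths, names and sample commits are assumptions; the demo itself needs a modern git (`hash-object --literally`, `git -C`), while the helper only needs `git -c`.

```shell
#!/bin/sh
# Added example (not from the thread): fetch with on-the-fly object checking
# instead of a separate `git fsck` pass, plus a self-contained demo.
# All paths, names and the sample commits below are constructed for the demo.

# fsck_fetch <repo-dir> <remote>: fetch from <remote> into <repo-dir> with
# transfer.fsckObjects enabled for this invocation only (no repo config change).
# Exit status is git's own, so a rejected object makes the calling service step
# fail loudly instead of silently importing a bad object.
fsck_fetch() {
    (cd "$1" && git -c transfer.fsckObjects=true fetch --quiet "$2")
}

# demo_fsck_fetch: returns 0 when a clean fetch succeeds AND a fetch of a
# deliberately malformed commit (missing 'committer' line) is rejected.
demo_fsck_fetch() {
    tmp=$(mktemp -d) || return 1
    export GIT_AUTHOR_NAME=demo GIT_AUTHOR_EMAIL=demo@example.invalid
    export GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.invalid

    # constructed upstream repo with one well-formed commit
    git init -q "$tmp/upstream" &&
    echo hello >"$tmp/upstream/README" &&
    git -C "$tmp/upstream" add README &&
    git -C "$tmp/upstream" commit -q -m "good commit" || return 1

    # the bare mirror a monitoring service would fetch into
    git init -q --bare "$tmp/mirror" &&
    git -C "$tmp/mirror" remote add origin "$tmp/upstream" || return 1
    fsck_fetch "$tmp/mirror" origin || { echo "clean fetch failed"; rm -rf "$tmp"; return 1; }

    # plant a commit that parses but fails fsck (no 'committer' line);
    # --literally bypasses hash-object's own write-time checks
    tree=$(git -C "$tmp/upstream" rev-parse 'HEAD^{tree}') || return 1
    bad=$(printf 'tree %s\nauthor Demo <demo@example.invalid> 1 +0000\n\nno committer\n' "$tree" |
          git -C "$tmp/upstream" hash-object -w -t commit --literally --stdin) || return 1
    git -C "$tmp/upstream" update-ref refs/heads/tampered "$bad" || return 1

    # the same fetch must now fail: fsck runs on the incoming objects
    if fsck_fetch "$tmp/mirror" origin 2>/dev/null; then
        echo "fetch accepted a malformed commit"; rm -rf "$tmp"; return 1
    fi
    rm -rf "$tmp"
    return 0
}
```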
Nice!
Thanks, I'll look into this.
Pierre