[sysadmin/repo-management] hooks: Implement a more permanent solution to known bad commits that end up in our repositories.

Ben Cooksley null at kde.org
Sat Dec 18 09:38:46 GMT 2021


Git commit 59846469b7a97bf5550b2026aeac5a510af0f4be by Ben Cooksley.
Committed on 18/12/2021 at 09:38.
Pushed by bcooksley into branch 'master'.

Implement a more permanent solution to known bad commits that end up in our repositories.
This whitelists them across all of our repositories.

Prior to the move to Gitlab an exception would only be needed once to fix the original repository, but with Gitlab we now have forks of repositories.
This means that the hooks will be seeing bad commits again and again as people update their forks - making one off exceptions a non-scalable solution to the issue.

While having the list within the hooks themselves is not ideal, it should only be needed in rare and exceptional circumstances such as this one.
It is still of great concern that some of these commits made it into our repositories past when the initial block was implemented, but hopefully the changes done more recently have corrected any potential weaknesses in our systems there..

CCMAIL: plasma-devel at kde.org
CCMAIL: kde-devel at kde.org

M  +10   -0    hooks/hooklib.py
M  +17   -0    hooks/invent.pre-receive

https://invent.kde.org/sysadmin/repo-management/commit/59846469b7a97bf5550b2026aeac5a510af0f4be

diff --git a/hooks/hooklib.py b/hooks/hooklib.py
index e402ae8..062b0e3 100644
--- a/hooks/hooklib.py
+++ b/hooks/hooklib.py
@@ -422,6 +422,9 @@ class CommitAuditor:
         # Initialize default state - by default we don't have any problems
         self.__failed = False
 
+        # Initialise a list of commits that we should be ignoring (empty by default)
+        self.commits_to_ignore = []
+
         # Setup a logger for later use
         self.__logger = logging.getLogger("auditor")
         self.__logger.setLevel(logging.WARNING)
@@ -434,6 +437,13 @@ class CommitAuditor:
 
     # Convenience helper for declaring a failure
     def log_failure(self, commit, message):
+        # Are we supposed to ignore this?
+        if commit in self.commits_to_ignore:
+            log_message = "Audit exception - Commit {0} - {1}".format(commit, message)
+            self.__logger.critical(log_message)
+            return
+
+        # Otherwise proceed to fail as normal
         log_message = "Audit failure - Commit {0} - {1}".format(commit, message)
         self.__logger.critical(log_message)
         self.__failed = True
diff --git a/hooks/invent.pre-receive b/hooks/invent.pre-receive
index de8a959..31dbe7b 100755
--- a/hooks/invent.pre-receive
+++ b/hooks/invent.pre-receive
@@ -41,6 +41,22 @@ allow_github_merges = [
     'sdk/heaptrack'
 ]
 
+# These are known bad commit SHA-1 hashes which the audits will need to ignore
+known_bad_commits = [
+    'fde79c09cb9ae5991d6b36c7c1d125628f2c7914', # system/dolphin
+    'bcbb9482ae465441699abe8f72ecc0aedca13a44', # plasma/libksysguard
+    '0d847a0230a9f643a197a43599775b4146eb08e7', # plasma/plasma-desktop
+    '87f56ffc5b48a7054254d151a9ae2c5ac875af6d', # plasma/systemsettings
+    'e10c443aa5b9263b523a4eec9b0e3766e0b0bf93', # multimedia/stopmotion
+    '81e5509ca91fb426b1e8e9bd5d6a8e96e20a696e', # office/kmymoney
+    '13f437a1fa95bd1cb3d07f3b906bf6016d1167d7', # office/calligra
+    '3d3905bf1b0a0aa948ecec7fecdce2e9203dd7cc', # office/calligra
+    '6bb7bf1539acdb3024bc930a6622c0f474709dd7', # office/calligra
+    '2d11f7c0b8ab644e0e7681451315535f9e64279b', # office/calligra
+    'c3e784ec69e16e1c1feba47a24f2505b0f80a873', # office/calligra
+    'e21efdeeae010169d55e3e84f0a1dbd61347baa0', # graphics/spectacle
+]
+
 # These file types are either binary in nature, or otherwise need to be in a specific encoding (otherwise they're corrupt) so we skip EOL checks for them
 eol_mimetype_exceptions  = {"text/vcard", "text/x-vcard", "text/directory", "image/svg", "image/x-portable-graymap"}
 eol_extension_exceptions = {"vcf", "vcf.ref", "svg", "pdf", "pgm", "fits"}
@@ -185,6 +201,7 @@ if repository.repo_type in [RepositoryType.Wiki, RepositoryType.Design, Reposito
 
 # Initialize the commit auditor
 auditor = CommitAuditor()
+auditor.commits_to_ignore = known_bad_commits
 
 # Will we be allowing merge commits from GitHub?
 if repository.path in allow_github_merges:


More information about the kde-devel mailing list