more copyediting of the docs
avar committed Dec 29, 2014
1 parent 75d5366 commit 69199ed
Showing 1 changed file with 25 additions and 11 deletions.
36 changes: 25 additions & 11 deletions pre-receive-reject-binaries
Expand Up @@ -48,21 +48,35 @@ pre-receive-reject-binaries - A configurable Git hook to intelligently reject bi
This is a Git hook meant to be set up as a C<pre-receive> hook (see
C<githooks(5)>) that'll reject the addition of binary data to a
repository, either all binary additions if they go above a given size.
repository, either all binary additions if they on a per-commit basis
go above a given size.
The general strategy of this hook is that when we get a push for a
given "master" branch we'll do a C<log --stat> of C<$branch..$to> and
find all the commits that add binary data, and how much they add.
Each commit in the push is then given a quota of how much binary data
is allowed, if any commit goes above that quota the entire push is
rejected, depending on the configuration (see below) the user is
rejected. Depending on the configuration (see below) the user is
allowed to force the push to go through by amending the commit message
to include some string saying they forced it through.
To entirely reject binary pushes the size limit can be set to 0, but
you can also allow some amount of binary data in the repository,
e.g. to allow committing small icons but not giant images.
To entirely reject binary pushes you can set the size limit to 0 and
don't define an override message to allow users to push those changes
manually.
You can also allow some amount of binary data in the repository
per-commit, e.g. to allow committing small icons but not giant images.
Of course someone could be clever and commit a bunch of huge
Base64-encoded data that wouldn't be detected by Git as binary, or
manually split up huge binary data into multiple commits, each of whom
don't go above the configured limit.
This hook is not meant to stop a dedicated attacker from enlarging
your Git history, it's meant to stop someone who doesn't know better
("what do you mean people have to download my binary data on every
checkout, forever?!") from accidentally messing up the history.
We only care about updates to the "master" branch for two reasons, one
is that if you're e.g. doing some temporary work and committing some
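Review bot: The reworded opening sentence, "either all binary additions if they on a per-commit basis go above a given size", still has an "either" with no matching "or", so it never states the two modes the hook supports. If the intent is "reject everything, or reject only above a size", something like "either all binary additions, or only those that go above a given size on a per-commit basis" would say so. In the added paragraphs, "you can set the size limit to 0 and don't define an override message" should read "and not define", and "each of whom don't go above the configured limit" should be "each of which doesn't go above". The last added paragraph is the important one for anyone treating this hook as a control, since it says the check can be passed with Base64-encoded data or by splitting data across commits; it currently runs two sentences together with a comma ("...your Git history, it's meant to stop..."), which is worth splitting so the scope statement reads cleanly.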
Expand All @@ -87,19 +101,19 @@ validating the entire history being pushed.
=head1 INSTALLATION
Our only dependencies are a working perl interpreter. We only depend
on modules that have shipped with perl itself forever, so we should
Just Work on any *nix-like OS that has perl installed.
on modules that have shipped with perl itself forever, so this hook
should just work out of the box on any *nix-like OS that has perl
installed.
To enable it for a given bare repository you want to push to just
create a F<hook/pre-receive> with something like:
#!/bin/sh
/path/to/where/you/cloned-pre-receive-reject-binaries/pre-receive-reject-binaries --dry-run=0
See L</CONFIGURATION> below for how to configure it. We just shell out
to C<git config> so you can enable this configuration per-repository,
or globally (via e.g. F</etc/gitconfig>) or any combination of the
two.
See L</CONFIGURATION> below for how to configure it. We shell out to
C<git config> so you can enable this configuration per-repository, or
globally (via e.g. F</etc/gitconfig>) or any combination of the two.
=head1 CONFIGURATION
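Review bot: The installation paragraph that this hunk leaves unchanged tells the reader to create F<hook/pre-receive>, but by default Git looks for hooks in the repository's hooks directory (see githooks(5), which the description already cites), so a file created at the documented path would never run and pushes would go through unchecked. Suggest F<hooks/pre-receive>, plus a note that the file has to be executable. In the same section, "Our only dependencies are a working perl interpreter" mixes plural and singular; "Our only dependency is" reads better alongside the reworded sentence that follows. The example invocation passes --dry-run=0 without the nearby text saying what that option controls, so a short pointer to where it is documented would help a reader who copies the two lines as they are.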