[darcs-users] darcs patch: remove --run-posthook and --run-prehook flags (and --p...

Jason Dagit dagit at codersbase.com
Mon Oct 13 21:06:03 UTC 2008

On Mon, Oct 13, 2008 at 11:11 AM, David Roundy <droundy at darcs.net> wrote:

> Hi all (and Jason in particular),
> This is a proposed change that needs to be discussed.  I have never
> cared for the --run-posthook and --run-prehook flags (and
> --prompt-posthook and --prompt-prehook), and would prefer to remove
> them.

I think we should have --disable-posthook (or whatever it's currently named)
for the same reason we have --no-test.  If we have the disable option,
perhaps we should keep --run-posthook for symmetry regardless of the default

Again, regardless of the default behavior, --prompt-posthook is nice for the
same reason as --disable-posthook and the reason to have -i in rm as you
point out.  If I recall correctly, --prompt-posthook shows you the command
before running it and alerts you to the fact that it's about to happen.
This is particularly useful in the case where you get a new repository and
you're working with it.  I know how to change the default behavior locally,
so again, I argue for this regardless of the default.

As I mention below, I don't think they serve a valid security
> feature.  If you allow a hostile user to call darcs with an arbitrary
> command line, that user can add both --posthook='rm -rf ~' and
> --run-posthook at the same time.  Ditto for hostile users who are able
> to modify your defaults file.

I guess it depends on the interaction between prefs and commandline
options.  When I added this I didn't really get how a push works interms of
the remote apply.  I seem to recall thinking it would help make it possible
to make a push more secure, or at least this could be used to keep it from
becoming less secure.  But, as you point out, things like 'darcs push'
cannot be secured.

> So it isn't a possible security feature, but just a "safety" feature
> (like rm -i).  But I'm also unable to imagine a scenario where someone
> "accidentally" calls --posthook, or accidentally adds it to their
> defaults file.  Which just leaves it as an annoyance, and I'm annoyed
> by it, so I'd rather just remove the feature.

Why don't we just change the default behavior?  I don't see why we should
remove this safety feature.  I guess if we change the default then perhaps
the flag --run-posthook is unneeded, but disable and prompt still seem
useful much like --no-test and rm -i.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.osuosl.org/pipermail/darcs-users/attachments/20081013/b3dbee21/attachment.htm 

More information about the darcs-users mailing list