git-update: Deny non-fast-forwards

To make sure we never lose any history, non-fast-forwards are forbidden. Instead of relying on receive.denyNonFastForwards, add a simple check to the update hook. This has the added benefit of more flexibility. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

git-update: Deny non-fast-forwards
a0f3060f · Lukas Fleischer · e254a315 · a0f3060f · a0f3060f
Commit a0f3060f authored 9 years ago by Lukas Fleischer
--- a/INSTALL
+++ b/INSTALL
@@ -29,7 +29,6 @@ Setup on Arch Linux
    # cd /srv/http/aurweb/aur.git/
    # git init --bare
    # ln -s ../../git-interface/git-update.py hooks/update
-    # git config --local receive.denyNonFastForwards true
    # chown -R aur .

 7) Install the git-auth wrapper script:

--- a/git-interface/git-update.py
+++ b/git-interface/git-update.py
@@ -178,6 +178,15 @@ if refname != "refs/heads/master":
    die("pushing to a branch other than master is restricted")

 repo = pygit2.Repository(repo_path)
+
+# Detect and deny non-fast-forwards.
+if sha1_old != "0000000000000000000000000000000000000000":
+    walker = repo.walk(sha1_old, pygit2.GIT_SORT_TOPOLOGICAL)
+    walker.hide(sha1_new)
+    if next(walker, None) != None:
+        die("denying non-fast-forward (you should pull first)")
+
+# Prepare the walker that validates new commits.
 walker = repo.walk(sha1_new, pygit2.GIT_SORT_TOPOLOGICAL)
 if sha1_old != "0000000000000000000000000000000000000000":
    walker.hide(sha1_old)