author | Sean Whitton <spwhitton@spwhitton.name> | 2022-01-16 11:25:20 -0700 |
---|---|---|
committer | Sean Whitton <spwhitton@spwhitton.name> | 2022-01-17 13:59:55 -0700 |
commit | 9156131802dc0ad6e2e9e7aa753d067b4ccce97d (patch) | |
tree | f8143b685ca3a84eab57ca8f1bc99894d16ccf7c /bin | |
parent | c1495c8788e3c653ff581be0cd78c8ef7b19f5ce (diff) | |
download | dotfiles-9156131802dc0ad6e2e9e7aa753d067b4ccce97d.tar.gz |
git-dotfiles-update-master: refuse to operate on shallow clone
Diffstat (limited to 'bin')
-rwxr-xr-x | bin/git-dotfiles-update-master | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/bin/git-dotfiles-update-master b/bin/git-dotfiles-update-master
index 731cd2f4..594ba803 100755
--- a/bin/git-dotfiles-update-master
+++ b/bin/git-dotfiles-update-master
@@ -17,6 +17,16 @@ set -e
 . $HOME/.shenv
+# To update a shallow clone we would do 'git fetch --depth 1' and then 'git
+# reset --hard origin/master'. But that would leave us vulnerable to an
+# attacker causing us to check out an older signed commit than the one we have
+# now. So require an explicit 'git unshallow' from the user, or get
+# Consfigurator to update repo from a snapshot from laptop, or something.
+if [ "$(git rev-parse --is-shallow-repository)" = "true" ]; then
+ echo >&2 "shallow dotfiles clone; refusing to reset to origin/master"
+ exit 1
+fi
+
 git fetch origin
 if git verify-commit-by-fp \
 8DC2487E51ABDD90B5C4753F0F56D0553B6D411B origin/master; then |
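Review bot: The new guard fails open, because it refuses only when `git rev-parse --is-shallow-repository` prints exactly `true`. On a Git older than 2.15 the option is unknown and rev-parse echoes it back, and if rev-parse fails the substitution is empty (`set -e` does not fire inside an `if` condition); in both cases the script carries on to `git fetch origin`. Since this check is the rollback protection the comment describes, it is safer to proceed only on a positive "not shallow" answer: `if [ "$(git rev-parse --is-shallow-repository)" != "false" ]; then`, with the message reworded to cover the undetermined case. The `if git verify-commit-by-fp` block that follows continues outside the hunk, so whether a later fast-forward check exists cannot be seen from here.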