From 86907d2ebf7ca94e653e060762a95ac182725fdd Mon Sep 17 00:00:00 2001 From: Hans-Christoph Steiner Date: Mon, 5 Mar 2018 21:44:38 +0100 Subject: [PATCH] checkupdates: exit with error if fdroiddata git repo is dirty One key security property of the F-Droid ecosystem is that the sensitive code is all stored forever in git repos and source tarballs. That means we can easily go back and see if there where exploits and where they came from. Therefore, checkupdates should require everything in fdroiddata be committed to git before running. This provides --allow-dirty to override that behavior. --- completion/bash-completion | 2 +- fdroidserver/checkupdates.py | 8 ++++++++ 2 files changed, 9 insertions(+), 1 deletion(-) diff --git a/completion/bash-completion b/completion/bash-completion index 2142534e..af9acf00 100644 --- a/completion/bash-completion +++ b/completion/bash-completion @@ -174,7 +174,7 @@ __complete_publish() { __complete_checkupdates() { opts="-v -q" - lopts="--verbose --quiet --auto --autoonly --commit --gplay" + lopts="--verbose --quiet --auto --autoonly --commit --gplay --allow-dirty" case "${cur}" in -*) __complete_options diff --git a/fdroidserver/checkupdates.py b/fdroidserver/checkupdates.py index 0a4f6e27..54b614ec 100644 --- a/fdroidserver/checkupdates.py +++ b/fdroidserver/checkupdates.py @@ -572,6 +572,8 @@ def main(): help=_("Only process apps with auto-updates")) parser.add_argument("--commit", action="store_true", default=False, help=_("Commit changes")) + parser.add_argument("--allow-dirty", action="store_true", default=False, + help=_("Run on git repo that has uncommitted changes")) parser.add_argument("--gplay", action="store_true", default=False, help=_("Only print differences with the Play Store")) metadata.add_metadata_arguments(parser) 
@@ -580,6 +582,12 @@ def main(): config = common.read_config(options) + if not options.allow_dirty: + status = subprocess.check_output(['git', 'status', '--porcelain']) + if status: + logging.error(_('Build metadata git repo has uncommited changes!')) + sys.exit(1) + # Get all apps... allapps = metadata.read_metadata() -- 2.30.2
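Review bot: The dirty-repo guard added to main() takes `git status --porcelain` at its defaults, so whether untracked files count depends on the operator's git configuration: with `status.showUntrackedFiles=no` set, untracked metadata files would likely not be listed and the check would pass. Pinning the mode keeps the result independent of local config: `status = subprocess.check_output(['git', 'status', '--porcelain', '--untracked-files=normal'])`. The command also runs in the process's current directory, which is presumably the fdroiddata checkout but is not established by the visible lines. The message has a typo (`uncommited` should be `uncommitted`), and logging the `status` output next to it would show the operator which paths block the run. main() starts and continues outside this hunk.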