checkupdates: exit with error if fdroiddata git repo is dirty

One key security property of the F-Droid ecosystem is that the sensitive
code is all stored forever in git repos and source tarballs.  That means
we can easily go back and see if there where exploits and where they came
from.  Therefore, checkupdates should require everything in fdroiddata be
committed to git before running.

This provides --allow-dirty to override that behavior.

diff --git a/completion/bash-completion b/completion/bash-completion
index 2142534ebe76f662df9d167891f2b34c103accc9..af9acf00538c184bbf0c6234fa3c0bff3ddeba0d 100644 (file)
--- a/completion/bash-completion
+++ b/completion/bash-completion
@@ -174,7 +174,7 @@ __complete_publish() {
 
 __complete_checkupdates() {
        opts="-v -q"
-       lopts="--verbose --quiet --auto --autoonly --commit --gplay"
+       lopts="--verbose --quiet --auto --autoonly --commit --gplay --allow-dirty"
        case "${cur}" in
                -*)
                        __complete_options

diff --git a/fdroidserver/checkupdates.py b/fdroidserver/checkupdates.py
index 0a4f6e27af114bf1d2ad46e3945bc9cfcebd18dd..54b614ecc850c798c1c272aeffcf19a7dc8a5577 100644 (file)
--- a/fdroidserver/checkupdates.py
+++ b/fdroidserver/checkupdates.py
@@ -572,6 +572,8 @@ def main():
                         help=_("Only process apps with auto-updates"))
     parser.add_argument("--commit", action="store_true", default=False,
                         help=_("Commit changes"))
+    parser.add_argument("--allow-dirty", action="store_true", default=False,
+                        help=_("Run on git repo that has uncommitted changes"))
     parser.add_argument("--gplay", action="store_true", default=False,
                         help=_("Only print differences with the Play Store"))
     metadata.add_metadata_arguments(parser)
@@ -580,6 +582,12 @@ def main():
 
     config = common.read_config(options)
 
+    if not options.allow_dirty:
+        status = subprocess.check_output(['git', 'status', '--porcelain'])
+        if status:
+            logging.error(_('Build metadata git repo has uncommited changes!'))
+            sys.exit(1)
+
     # Get all apps...
     allapps = metadata.read_metadata()