Hi,
Pierre-Yves Chibon wrote:
> For a first step I went with a third approach: a small python service that
> runs every 3 minutes (configurable): git fetch && git fsck (to ensure the git
> is in a correct state).
You could likely set transfer.fsckObjects¹ and skip the
secondary git fsck call.
The transfer.fsckObjects option will check objects as they
are pulled in via fetch (or git-receive-pack). The option
is available with git-1.8.3.1 in RHEL 7 that is currently
installed on batcave.
That could be set in the repo config or via git -c for just
the invocation in your script.
Here's the docs from the current git release:
https://git-scm.com/docs/git-config#Documentation/git-config.txt-transfer...
I don't know whether all of the later improvements to catch
malicious objects are backported to the RHEL 7 version or
not. Some aren't relevant due to the features which allow
for the malicious behaviors not being available in that
version of git. But the core of the check is still present
and should handle the "fsck on fetch" portion. Details are
in git-config(1).
¹ or fetch.transferObjects
--
Todd
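As an added illustration of the suggestion above (this is example code written for this page, not Pierre-Yves's service and not Todd's): a minimal periodic runner that does the fetch with `-c transfer.fsckObjects=true` on the command line, so the incoming objects are checked by git's own fsck logic and the separate `git fsck` step is skipped. The repository path, remote name, the 180-second default and the string-matching used to tell an fsck rejection from an ordinary fetch failure are assumptions of this example. Git's `-C <dir>` switch is deliberately avoided because it is newer than the git 1.8.3.1 mentioned in the thread; the working directory is passed to `subprocess` instead.

```python
"""Fetch-with-fsck runner (constructed example; not code from the thread)."""
import subprocess
import time

GIT_BIN = "git"                      # assumption: git is on PATH
FSCK_OPTION = "transfer.fsckObjects"  # option named in the thread
MIN_GIT_VERSION = (1, 8, 3, 1)        # version the thread says ships on RHEL 7


def build_fetch_command(remote="origin", fsck_on_fetch=True):
    """Return argv for a fetch whose received objects are fsck-checked.

    `git -c transfer.fsckObjects=true fetch` applies the check to this
    invocation only, without touching the repository's config file.
    """
    argv = [GIT_BIN]
    if fsck_on_fetch:
        argv += ["-c", "%s=true" % FSCK_OPTION]
    argv += ["fetch", "--prune", remote]
    return argv


def parse_git_version(version_line):
    """Turn 'git version 1.8.3.1' into (1, 8, 3, 1); stops at non-numeric parts."""
    token = version_line.strip().split()[-1]
    parts = []
    for piece in token.split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def classify_fetch_result(returncode, stderr):
    """Map a finished fetch to 'ok', 'fsck-failure' or 'fetch-failure'.

    Assumption of this example: when transfer.fsckObjects rejects an object,
    git's stderr mentions 'fsck'; any other non-zero exit is a plain fetch
    problem (network, auth, missing remote).
    """
    if returncode == 0:
        return "ok"
    if "fsck" in stderr.lower():
        return "fsck-failure"
    return "fetch-failure"


def run_fetch(repo_dir, remote="origin"):
    """Run one checked fetch inside repo_dir and return its classification."""
    proc = subprocess.run(build_fetch_command(remote), cwd=repo_dir,
                          capture_output=True, text=True)
    return classify_fetch_result(proc.returncode, proc.stderr), proc.stderr


def git_version_ok():
    """True if the installed git is at least the version vouched for above."""
    out = subprocess.run([GIT_BIN, "--version"], capture_output=True, text=True)
    return parse_git_version(out.stdout) >= MIN_GIT_VERSION


def run_forever(repo_dir, remote="origin", interval_seconds=180):
    """Loop: fetch with fsck every interval_seconds (3 minutes by default)."""
    while True:
        status, detail = run_fetch(repo_dir, remote)
        if status != "ok":
            # A defender would alert here; fsck-failure means the remote sent
            # an object git itself refused, which is worth a human look.
            print("fetch status: %s\n%s" % (status, detail.strip()))
        time.sleep(interval_seconds)


if __name__ == "__main__":
    import sys
    if not git_version_ok():
        sys.exit("git older than %s; transfer.fsckObjects may be unavailable"
                 % ".".join(map(str, MIN_GIT_VERSION)))
    run_forever(sys.argv[1] if len(sys.argv) > 1 else ".")
```

Run it as `python fetch_fsck.py /path/to/mirror`; the classification helper is separated from the subprocess call so the decision logic can be exercised without a network or a repository.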