changeset 38:b49a7dd4e564

More content for hook chapter. Overview of hooks. Description of hook security implications.
author Bryan O'Sullivan <bos@serpentine.com>
date Wed, 19 Jul 2006 00:06:21 -0700
parents 9fd0c59b009a
children 576fef93bb49
files en/99defs.tex en/hook.tex
diffstat 2 files changed, 173 insertions(+), 1 deletions(-) [+]
line wrap: on
line diff
--- a/en/99defs.tex	Mon Jul 17 00:01:01 2006 -0700
+++ b/en/99defs.tex	Wed Jul 19 00:06:21 2006 -0700
@@ -1,5 +1,8 @@
 % Bug ID.
-\newcommand{\bug}[1]{\index{Mercurial issue!no.~#1}\href{http://www.selenic.com/mercurial/bts/issue#1}{Mercurial issue no.~#1}}
+\newcommand{\bug}[1]{\index{Mercurial bug
+    database!\href{http://www.selenic.com/mercurial/bts/issue#1}{bug
+      ~#1}}\href{http://www.selenic.com/mercurial/bts/issue#1}{Mercurial
+    bug no.~#1}}
 
 % File name in the user's home directory.
 \newcommand{\tildefile}[1]{\texttt{\~{}/#1}}
--- a/en/hook.tex	Mon Jul 17 00:01:01 2006 -0700
+++ b/en/hook.tex	Wed Jul 19 00:06:21 2006 -0700
@@ -9,6 +9,175 @@
 Hooks are called ``triggers'' in some revision control systems, but
 the two names refer to the same idea.
 
+\section{An overview of hooks in Mercurial}
+
+Here is a brief list of the hooks that Mercurial supports. For each
+hook, we indicate when it is run, and a few examples of common tasks
+you can use it for.  We will revisit each of these hooks in more
+detail later.
+\begin{itemize}
+\item[\small\hook{changegroup}] This is run after a group of
+  changesets has been brought into the repository from elsewhere.  In
+  other words, it is run after a \hgcmd{pull} or \hgcmd{push} into a
+  repository, but not after a \hgcmd{commit}.  You can use this for
+  performing an action once for the entire group of newly arrived
+  changesets.  For example, you could use this hook to send out email
+  notifications, or kick off an automated build or test.
+\item[\small\hook{commit}] This is run after a new changeset has been
+  created in the local repository, typically using the \hgcmd{commit}
+  command.
+\item[\small\hook{incoming}] This is run once for each new changeset
+  that is brought into the repository from elsewhere.  Notice the
+  difference from \hook{changegroup}, which is run once per
+  \emph{group} of changesets brought in.  You can use this for the
+  same purposes as the \hook{changegroup} hook; it's simply more
+  convenient sometimes to run a hook once per group of changesets,
+  while othher times it's handier once per changeset.
+\item[\small\hook{outgoing}] This is run after a group of changesets
+  has been transmitted from this repository to another.  You can use
+  this, for example, to notify subscribers every time changes are
+  cloned or pulled from the repository.
+\item[\small\hook{prechangegroup}] This is run before starting to
+  bring a group of changesets into the repository.  It cannot see the
+  actual changesets, because they have not yet been transmitted.  If
+  it fails, the changesets will not be transmitted.  You can use this
+  hook to ``lock down'' a repository against incoming changes.
+\item[\small\hook{precommit}] This is run before starting a commit.
+  It cannot tell what files are included in the commit, or any other
+  information about the commit.  If it fails, the commit will not be
+  allowed to start.  You can use this to perform a build and require
+  it to complete successfully before a commit can proceed, or
+  automatically enforce a requirement that modified files pass your
+  coding style guidelines.
+\item[\small\hook{preoutgoing}] This is run before starting to
+  transmit a group of changesets from this repository.  You can use
+  this to lock a repository against clones or pulls from remote
+  clients.
+\item[\small\hook{pretag}] This is run before creating a tag.  If it
+  fails, the tag will not be created.  You can use this to enforce a
+  uniform tag naming convention.
+\item[\small\hook{pretxnchangegroup}] This is run after a group of
+  changesets has been brought into the local repository from another,
+  but before the transaction completes that will make the changes
+  permanent in the repository.  If it fails, the transaction will be
+  rolled back and the changes will disappear from the local
+  repository.  You can use this to automatically check newly arrived
+  changes and, for example, roll them back if the group as a whole
+  does not build or pass your test suite.
+\item[\small\hook{pretxncommit}] This is run after a new changeset has
+  been created in the local repository, but before the transaction
+  completes that will make it permanent.  Unlike the \hook{precommit}
+  hook, this hook can see which changes are present in the changeset,
+  and it can also see all other changeset metadata, such as the commit
+  message.  You can use this to require that a commit message follows
+  your local conventions, or that a changeset builds cleanly.
+\item[\small\hook{preupdate}] This is run before starting an update or
+  merge of the working directory.
+\item[\small\hook{tag}] This is run after a tag is created.
+\item[\small\hook{update}] This is run after an update or merge of the
+  working directory has finished.
+\end{itemize}
+Each of the hooks with a ``\texttt{pre}'' prefix has the ability to
+\emph{control} an activity.  If the hook succeeds, the activity may
+proceed; if it fails, the activity is either not permitted or undone,
+depending on the hook.
+
+\section{Hooks and security}
+
+\subsection{Hooks are run with your privileges}
+
+When you run a Mercurial command in a repository, and the command
+causes a hook to run, that hook runs on your system, under your user
+account, with your privilege level.  Since hooks are arbitrary pieces
+of executable code, you should treat them with an appropriate level of
+suspicion.  Do not install a hook unless you are confident that you
+know who created it and what it does.
+
+In some cases, you may be exposed to hooks that you did not install
+yourself.  If you work with Mercurial on an unfamiliar system,
+Mercurial will run hooks defined in that system's global \hgrc\ file.
+
+If you are working with a repository owned by another user, Mercurial
+will run hooks defined in that repository.  For example, if you
+\hgcmd{pull} from that repository, and its \sfilename{.hg/hgrc}
+defines a local \hook{outgoing} hook, that hook will run under your
+user account, even though you don't own that repository.
+
+\begin{note}
+  This only applies if you are pulling from a repository on a local or
+  network filesystem.  If you're pulling over http or ssh, any
+  \hook{outgoing} hook will run under the account of the server
+  process, on the server.
+\end{note}
+
+XXX To see what hooks are defined in a repository, use the
+\hgcmdargs{config}{hooks} command.  If you are working in one
+repository, but talking to another that you do not own (e.g.~using
+\hgcmd{pull} or \hgcmd{incoming}), remember that it is the other
+repository's hooks you should be checking, not your own.
+
+\subsection{Hooks do not propagate}
+
+In Mercurial, hooks are not revision controlled, and do not propagate
+when you clone, or pull from, a repository.  The reason for this is
+simple: a hook is a completely arbitrary piece of executable code.  It
+runs under your user identity, with your privilege level, on your
+machine.
+
+It would be extremely reckless for any distributed revision control
+system to implement revision-controlled hooks, as this would offer an
+easily exploitable way to subvert the accounts of users of the
+revision control system.
+
+Since Mercurial does not propagate hooks, if you are collaborating
+with other people on a common project, you should not assume that they
+are using the same Mercurial hooks as you are, or that theirs are
+correctly configured.  You should document the hooks you expect people
+to use.
+
+In a corporate intranet, this is somewhat easier to control, as you
+can for example provide a ``standard'' installation of Mercurial on an
+NFS filesystem, and use a site-wide \hgrc\ file to define hooks that
+all users will see.  However, this too has its limits; see below.
+
+\subsection{Hooks can be overridden}
+
+Mercurial allows you to override a hook definition by redefining the
+hook.  You can disable it by setting its value to the empty string, or
+change its behaviour as you wish.
+
+If you deploy a system-~or site-wide \hgrc\ file that defines some
+hooks, you should thus understand that your users can disable or
+override those hooks.
+
+\subsection{Ensuring that critical hooks are run}
+
+Sometimes you may want to enforce a policy that you do not want others
+to be able to work around.  For example, you may have a requirement
+that every changeset must pass a rigorous set of tests.  Defining this
+requirement via a hook in a site-wide \hgrc\ won't work for remote
+users on laptops, and of course local users can subvert it at will by
+overriding the hook.
+
+Instead, you can set up your policies for use of Mercurial so that
+people are expected to propagate changes through a well-known
+``canonical'' server that you have locked down and configured
+appropriately.
+
+One way to do this is via a combination of social engineering and
+technology.  Set up a restricted-access account; users can push
+changes over the network to repositories managed by this account, but
+they cannot log into the account and run normal shell commands.  In
+this scenario, a user can commit a changeset that contains any old
+garbage they want.
+
+When someone pushes a changeset to the server that everyone pulls
+from, the server will test the changeset before it accepts it as
+permanent, and reject it if it fails to pass the test suite.  If
+people only pull changes from this filtering server, it will serve to
+ensure that all changes that people pull have been automatically
+vetted.
+
 \section{A short tutorial on using hooks}
 \label{sec:hook:simple}