[MERGE/RFC] Add transport jail to bzr smart server; add ignore_fallbacks option to BzrDir.open_branch
Vincent Ladeuil
v.ladeuil+lp at free.fr
Thu Mar 26 08:17:39 GMT 2009
>>>>> "Andrew" == Andrew Bennetts <andrew.bennetts at canonical.com> writes:
Andrew> The purpose of this hook is to enforce a global
Andrew> restriction that should always be checked. If
Andrew> jail_info.transports is set in a thread, then
Andrew> BzrDir.open *must* fail, no matter what code path
Andrew> lead us there. This prevents a smart server, even
Andrew> when running plugins that might not be careful about
Andrew> e.g. stacked branches, from accidentally opening
Andrew> bzrdirs outside the backing_transport. This closes a
Andrew> potential security hole, and also catches accidental
Andrew> bugs (like the bug it found in our cloning_metadir
Andrew> RPC).
Worth adding to the docstring module or as comment there.
Andrew> So, this hook has to always be installed, at least
Andrew> during the processing of a smart server request.
Andrew> Robert and I agreed that an always-installed[1] hook
Andrew> was the simplest and most robust way to do this. The
Andrew> obvious alternative would be to continually add and
Andrew> remove the hook in setup_jail and teardown_jail,
Andrew> while worrying about what other hooks might be
Andrew> installed and in what order, and still needing to
Andrew> provide a threading.local() or similar so that
Andrew> plugins can have the opportunity to adjust the jail
Andrew> if appropriate.
What I still don't get is why you use a per thread data instead
of just a global one ? You have a use case where different jails
are needed inside the same process ? Outside the test suite ?
The other disturbing thing is having a *permanent* hook, why not
just make it part of the appropriate class then ?
Aren't we abusing the hook mechanisms here ?
Andrew> And I'll mention that by making sure the hook was
Andrew> always installed in the test suite, just like it is
Andrew> in the production code, it found the bug in the hook
Andrew> that you just reported. So far from breaking test
Andrew> isolation, without having tests reinstalled the test
Andrew> environment would have been different from the real
Andrew> environment in a way that would have hidden this bug!
Touche.
But you shouldn't be proud about making unrelated code help you
debug your code :-)
Vincent
More information about the bazaar
mailing list