Do git snapshots to protect mirror branches against upstream changing revision or rewriting history
Updated by Denis 'GNUtoo' Carikli about 1 year ago
- Hosting infrastructure VM @ FSF added
We use mirrors for various projects (LineageOS, AOSP, etc.) which are tagged at each release. So corruption aside, we know we have the right history because it's behind a tag, regardless of what upstream does and of whether we fetch new upstream revisions or not.
However this is not the case for branches like replicant-6.0.
Here's the advice I got on IRC:
< doak[m]> You could for example do something like this during the regular update:
< doak[m]> `git fetch "refs/heads/*:refs/snapshot/<date>/heads/*"`
Updated by doak complex about 1 year ago
With the assumed refspec `+refs/*:refs/*` used to fetch everything from the remote into our own mirror, every remote reference which has been rewritten will also be rewritten in the mirror. This includes remote branches and tags.
Though this is usually intended, creating snapshots of them, just in case something is changed maliciously, seems to be a good idea.
Updated by doak complex 12 months ago
I made a conceptual mistake: `git fetch <remote> --prune "+refs/*:refs/*"` would also prune any snapshots below `refs/snapshots` :/
I played around with different approaches, but all the simple ones had some flaw.
Attached is a small script which does the job pretty well:
- It fetches all references available on the remote and prunes local ones if necessary.
- It keeps a snapshot of all current references (which are never pruned) below
- It removes the default fetch configuration to ensure that the snapshots can't be pruned with a plain `git fetch --prune` by accident. This also reminds the user that she should use this script to update the mirror.
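A minimal sketch of the three steps listed above, added here as an example; it is not the attached script. It assumes a bare mirror repository and narrows the fetch to branches and tags rather than every remote reference; the function name `snapshot_fetch`, its optional `stamp` argument and the `refs/snapshots/<stamp>/` layout are hypothetical.

```shell
#!/bin/sh
# Added example, not the attached script. Run inside a bare mirror repository.
# Usage: snapshot_fetch <remote> [stamp]   (stamp defaults to the current UTC time)
snapshot_fetch() {
    remote=$1
    stamp=${2:-$(date -u +%Y%m%dT%H%M%SZ)}

    # Drop the default fetch refspec so a plain `git fetch --prune` has
    # nothing to prune. Exit status 5 means the key was already unset.
    git config --unset-all "remote.$remote.fetch" || [ $? -eq 5 ] || return 1

    # With refspecs given on the command line, pruning only considers their
    # destinations, so refs/snapshots/* is never a pruning candidate.
    git fetch --quiet --prune "$remote" \
        '+refs/heads/*:refs/heads/*' '+refs/tags/*:refs/tags/*' || return 1

    # Record every current branch and tag below refs/snapshots/<stamp>/.
    # These refs keep rewritten or deleted upstream history reachable.
    git for-each-ref --format='%(objectname) %(refname)' refs/heads refs/tags |
    while read -r oid ref; do
        git update-ref "refs/snapshots/$stamp/${ref#refs/}" "$oid" || exit 1
    done
}
```

Comparing `git rev-parse refs/snapshots/<old stamp>/heads/<branch>` with the current branch tip, for example via `git merge-base --is-ancestor`, shows whether upstream rewrote history between two runs.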