Comment by jdxcode

Comment by jdxcode 9 hours ago

4 replies

View on Hacker News

the second the hooks modify the code they've broken your sandbox

I think wasi is a cool way to handle this problem. I don't think security is a reason though.

timhh 8 hours ago

> the second the hooks modify the code they've broken your sandbox

Changes to code would obviously need to be reviewed before they are committed. That's still much better than with pre-commit, where e.g. to do simple things like banning tabs you pretty much give some guy you don't know full access to your machine. Even worse - almost everyone that uses pre-commit also uses tags instead of commit hashes so the hook can be modified retroactively.

One interesting attack would be for a hook to modify e.g. `.vscode/settings.json`... I should probably make the default config exclude those files. Is that what you meant? Even without that it's a lot more secure than pre-commit.

Reply View 1 reply
  • jdxcode 4 hours ago

    You will execute code before you commit it. Maybe not always, but often enough. You will also have lints on things like build scripts.

    I agree it’s better, but not because of wasi

    Reply View 0 replies
accelbred 7 hours ago

I wouldn't want hooks modifying the code. They should be only approve/reject. Ideally landlock rules would give them only ro access to repo dir

Reply View 1 reply
  • sgarland 3 hours ago

    It depends. I wrote a pre-commit hook (in shell, not precommit the tool) at a previous job that ran terraform fmt on any staged files (and add the changes to the commit) because I was really tired of having people push commits that would then fail for trivial things. It was overrideable with an env var.

    IMO if there’s a formatting issue, and the tool knows how it should look, it should fix it for you.

    Reply View 0 replies