Search code examples
gitgitattributesgit-filter

Relative directory for a GIT filter?


I have the following GIT filter defined in my repository's .gitconfig file that I have imported.

[filter "csprojarrange"]
  clean = CsProjArrange

However, it only works if CsProjArrange.exe is part of my PATH, and not if CsProjArrange.exe is checked into the root directory of the repository.

Is it possible to get GIT filters working on relative directories?


Solution

  • As I alluded to in comments, one important reason Git doesn't do this is that it's a huge security risk.

    The obvious way to mitigate that risk, using today's tools and technology, is to run an in-repo filter if and only if that filter has a valid digital signature (a la PGP / GPG signatures. That is, your .gitattributes file would read:

    [filter "csprojarrange"]
      clean = helper-check-git-signature CsProjArrange
    

    or similar. Meanwhile helper-check-git-signature would be a program you would have to install independently of Git and any repository; but you would only have to install it once, ever. (And perhaps your OS comes with something suitable, since this digital signature technique is how some phone OSes vet apps, although they tend to do it once during download, rather than at each filter-run.)

    The job of the helper is to locate the file within the repository, verify that it's OK to run, and then run it. Since the helper is installed in the "trusted" part of your computer (e.g., /usr/local/bin or $HOME/bin on Linux), it just runs. You need not reinstall it when updating the filter within the repository.

    The part that is not "canned" here is how the helper does the verification (if you have gpg, you might want to use that, since it has all the signature-checking and revocation support you would need), where the signatures themselves live vs the in-repo filters, how the helper locates the various parts, and so on. Think of making such a thing as a business opportunity, perhaps. :-)