One more improvement: the .git/config file is now enforced :) This means that it's pretty much impossible for an attacker to make you check out the wrong thing, even if they can modify the .git/config file (they can always exploit a race condition, but it's still an improvement).
But it seems like `this.promise_filename' refers to the top-level (i.e. runme.cf) filename, even though the vcs_freshclone promises are made in a different file. This makes it impossible to find templates relative to the sketch installation; e.g. when

    bundle agent vcs_freshclone(prefix)
    {
      vars:
        "bundle_home" string => dirname("$(this.promise_filename)"), policy => "overridable";
    }

is called from A/runme.cf, while B/vcs_freshclone.cf has the actual bundle definition, $(bundle_home) will have A and not B.

Nick, if you can confirm this bug (I could always be doing something dumb on my side), I'll submit it to the bugtracker and think of an interim way to feed the template location to a sketch.

This is the last improvement before I consider vcs_freshclone production-ready. I've been testing it since Saturday and it's working great for me.

Thanks
Ted