Shulou(Shulou.com)06/03 Report--

This article mainly explains "what are the implementation methods of Git warehouse management". The content of the article is simple and clear, and it is easy to learn and understand. Please follow the editor's train of thought to study and learn "what are the implementation methods of Git warehouse management"?

Access to source code makes security analysis and application security possible. However, if no one has actually seen the code, the problem will not be discovered, and even if people actively look at the code, they usually have to see a lot of things. Fortunately, GitHub has an active security team that has recently discovered Trojans that have been submitted to multiple Git repositories, and even the owner of the warehouse has slipped away. Although we can't control how other people manage their own warehouses, we can learn from their mistakes.

Know your warehouse.

Git warehouse terminal this can be said to be the number one rule for secure Git repositories. As a project maintainer, whether you create it yourself or adopt someone else's, your job is to understand what's in your warehouse. You may not be able to remember every file in the code base, but you need to understand the basic components of what you manage. If a free file appears after dozens of merges, you will easily find it because you don't know what it is for, and you need to check it to refresh your memory. When this happens, review the file and make sure you know exactly why it is necessary.

Prohibit binary large files

Binary check command of Git in terminal

Git is created for text, whether it's C or Python or Java text written in plain text, or JSON, YAML, XML, Markdown, HTML, or similar text. Git is not ideal for binaries.

The difference between the two is:

$cat hello.txt This is plain text. It's readable by humans and machines alike. Git knows how to version this. $git diff hello.txt diff-- git a/hello.txt b/hello.txt index f227cc3..0d85b44 100644-a/hello.txt + b/hello.txt @ @-1 This is plain text 2 + 1 b/hello.txt @. + It's readable by humans and machines alike. Git knows how to version this.

And

$git diff pixel.png diff-- git a/pixel.png b/pixel.png index 563235a..7aab7bc 100644 Binary files a/pixel.png and b/pixel.png differ $cat pixel.png "PNG ▒ IHDR7n" $gAMA "abKGD"tIME"-2R "IDA" c`! "3%tEXtdate:create2020-06-11T11:45:04+12:00" r.%tEXtdate:modify2020-06-11T11:45:04+12:00 "" IEND "B`"

The data in the binary cannot be parsed like plain text, so if anything changes to the binary, the entire content must be rewritten. The only difference between one version and another is that it is all different, which quickly increases the size of the warehouse.

To make matters worse, Git repository maintainers are unable to audit binary data properly. This violates the number one rule: you should know the contents of the warehouse like the back of your hand.

In addition to the usual POSIX tools, you can also use git diff to detect binaries. When you try to compare binaries with the-- numstat option, Git returns an empty result:

$git diff-- numstat / dev/null pixel.png | tee-- / dev/null = > pixel.png $git diff-- numstat / dev/null file.txt | tee 5788 0 / dev/null = > list.txt

If you are considering submitting large binary files (BLOB) to the warehouse, please stop and think about it first. If it is a binary file, then what is it generated by? Is there a good reason not to generate them at build time, but to submit them to the repository? If you think it makes sense to submit binary data, be sure to indicate the location of the binaries in the README file or similar file, why it is the binary file, and what is the protocol to update them. You must be careful to update it, because every time you submit a change in a large binary file, its storage space actually doubles.

Let the third-party library stay with the third party

Third-party libraries are no exception. Although it is one of the many advantages of open source, and you can reuse and redistribute code that is not written by you without restrictions, there are many good reasons not to store third-party libraries in your own repository. First of all, unless you have checked all the code (and future merges) yourself, you cannot fully guarantee for a third party. Second, when you copy a third-party library to your Git repository, you separate the focus from the real upstream source code. Technically, people who have confidence in the library are only sure of the master copy of the library, not the copy of the random warehouse. If you need to lock down a specific version of the library, please provide the developer with a reasonable release URL for the project, or use the Git submodule.

Resist blind git add

Git manually add command terminal

If your project has been compiled, please resist using git add. The impulse (among them. Is the path to the current directory or specific folder, because this is an easy way to add anything new. This is especially important if you are not compiling the project manually, but using IDE to manage the project for you. When managing a project with IDE, it can be very difficult to keep track of what is added to the repository, so it is important to add only what you actually write, not any new objects that appear in the project folder.

If you use git add., please check the contents of the staging area before pushing. If you see a strange object in the project folder when you execute git status after running make clean or equivalent, find out where it came from and why it is still in the project's directory. This is a rare build artifact that does not regenerate during compilation, so think twice before committing.

Use Git ignore

Commands in the terminal

Many of the conveniences created for programmers are also messy. The typical project directory for any project, whether programmatic, artistic or otherwise, is full of hidden files, metadata, and legacy artifacts. You can try to ignore these objects, but the more hints in git status, the more likely you are to miss something.

You can filter out this noise for you by maintaining a good gitignore file. Because this is a common requirement of users using Git, there are some entry-level gitignore files. Github.com/github/gitignore provides several specially created gitignore files that you can download and place in your own project. Gitlab.com integrated the gitignore template into the warehouse creation workflow several years ago. Use these templates to help you create an appropriate gitignore strategy for your project and follow it.

View merge request

Git merge request

When you receive a merge / pull request or patch file via email, don't test it just to make sure it works. Your job is to read the new code that enters the code base and understand how it produces results. If you don't agree with the implementation, or worse, you don't understand the implementation, send a message to the person who submitted the implementation and ask for an explanation. Questioning code that wants to be a permanent member of the version library is not a social mistake, but if you don't know what you incorporate into the code used by the user, it is a violation of the social contract between you and the user.

Git responsibility

The community is committed to the good security of open source software. Don't encourage bad Git practices in your warehouse, and don't ignore the security threats in your cloned warehouse. Git is powerful, but it is still just a computer program, so it should be people-oriented to ensure everyone's safety.

Thank you for your reading, the above is the content of "what are the implementation methods of Git warehouse management". After the study of this article, I believe you have a deeper understanding of what the implementation methods of Git warehouse management have, and the specific use needs to be verified in practice. Here is, the editor will push for you more related knowledge points of the article, welcome to follow!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.