4 files changed, 113 insertions, 37 deletions
diff --git a/README.md b/README.md
new file mode 100644
index 00000000..e35f8e99
--- /dev/null
+++ b/README.md
@@ -0,0 +1,14 @@
+# repo
+Repo is a tool built on top of Git.  Repo helps manage many Git repositories,
+does the uploads to revision control systems, and automates parts of the
+development workflow.  Repo is not meant to replace Git, only to make it
+easier to work with Git.  The repo command is an executable Python script
+that you can put anywhere in your path.
+* Homepage: https://code.google.com/p/git-repo/
+* Bug reports: https://code.google.com/p/git-repo/issues/
+* Source: https://code.google.com/p/git-repo/
+* Overview: https://source.android.com/source/developing.html
+* Docs: https://source.android.com/source/using-repo.html
+* [Submitting patches](./SUBMITTING_PATCHES.md)
diff --git a/SUBMITTING_PATCHES b/SUBMITTING_PATCHES.md
index 8656ee7d..085ae06a 100644
--- a/SUBMITTING_PATCHES
+++ b/SUBMITTING_PATCHES.md
@@ -1,4 +1,4 @@
-Short Version:
+# Short Version
 - Make small logical changes.
 - Provide a meaningful commit message.
@@ -8,10 +8,10 @@ Short Version:
 - Make corrections if requested.
 - Verify your changes on gerrit so they can be submitted.
-   git push https://gerrit-review.googlesource.com/git-repo HEAD:refs/for/master
+   `git push https://gerrit-review.googlesource.com/git-repo HEAD:refs/for/master`
-Long Version:
+# Long Version
 I wanted a file describing how to submit patches for repo,
 so I started with the one found in the core Git distribution
@@ -19,10 +19,10 @@ so I started with the one found in the core Git distribution
 patch submission guidelines for the Linux kernel.
 However there are some differences, so please review and familiarize
-yourself with the following relevant bits:
+yourself with the following relevant bits.
-(1) Make separate commits for logically separate changes.
+## Make separate commits for logically separate changes.
 Unless your patch is really trivial, you should not be sending
 out a patch that was generated between your working tree and your
@@ -36,14 +36,14 @@ If your description starts to get too long, that's a sign that you
 probably need to split up your commit to finer grained pieces.
-(2) Check for coding errors with pylint
+## Check for coding errors with pylint
 Run pylint on changed modules using the provided configuration:
-  pylint --rcfile=.pylintrc file.py
+    pylint --rcfile=.pylintrc file.py
-(3) Check the license
+## Check the license
 repo is licensed under the Apache License, 2.0.
@@ -59,7 +59,7 @@ your patch.  It is virtually impossible to remove a patch once it
 has been applied and pushed out.
-(4) Sending your patches.
+## Sending your patches.
 Do not email your patches to anyone.
@@ -91,23 +91,23 @@ to get the ChangeId added.
 Push your patches over HTTPS to the review server, possibly through
 a remembered remote to make this easier in the future:
-   git config remote.review.url https://gerrit-review.googlesource.com/git-repo
+    git config remote.review.url https://gerrit-review.googlesource.com/git-repo
-   git config remote.review.push HEAD:refs/for/master
+    git config remote.review.push HEAD:refs/for/master
-   git push review
+    git push review
 You will be automatically emailed a copy of your commits, and any
 comments made by the project maintainers.
-(5) Make changes if requested
+## Make changes if requested
 The project maintainer who reviews your changes might request changes to your
 commit. If you make the requested changes you will need to amend your commit
 and push it to the review server again.
-(6) Verify your changes on gerrit
+## Verify your changes on gerrit
 After you receive a Code-Review+2 from the maintainer, select the Verified
 button on the gerrit page for the change. This verifies that you have tested
diff --git a/project.py b/project.py
index 918ee09c..019f29d4 100644
--- a/project.py
+++ b/project.py
@@ -40,7 +40,13 @@ from trace import IsTrace, Trace
 from git_refs import GitRefs, HEAD, R_HEADS, R_TAGS, R_PUB, R_M
 from pyversion import is_python3
-if not is_python3():
+if is_python3():
+  import urllib.parse
+else:
+  import imp
+  import urlparse
+  urllib = imp.new_module('urllib')
+  urllib.parse = urlparse
  # pylint:disable=W0622
  input = raw_input
  # pylint:enable=W0622
@@ -343,6 +349,7 @@ class RepoHook(object):
               hook_type,
               hooks_project,
               topdir,
+               manifest_url,
               abort_if_user_denies=False):
    """RepoHook constructor.
@@ -356,11 +363,13 @@ class RepoHook(object):
      topdir: Repo's top directory (the one containing the .repo directory).
          Scripts will run with CWD as this directory.  If you have a manifest,
          this is manifest.topdir
+      manifest_url: The URL to the manifest git repo.
      abort_if_user_denies: If True, we'll throw a HookError() if the user
          doesn't allow us to run the hook.
    """
    self._hook_type = hook_type
    self._hooks_project = hooks_project
+    self._manifest_url = manifest_url
    self._topdir = topdir
    self._abort_if_user_denies = abort_if_user_denies
@@ -409,9 +418,9 @@ class RepoHook(object):
  def _CheckForHookApproval(self):
    """Check to see whether this hook has been approved.
-    We'll look at the hash of all of the hooks.  If this matches the hash that
+    We'll accept approval of manifest URLs if they're using secure transports.
-    the user last approved, we're done.  If it doesn't, we'll ask the user
+    This way the user can say they trust the manifest hoster.  For insecure
-    about approval.
+    hosts, we fall back to checking the hash of the hooks repo.
    Note that we ask permission for each individual hook even though we use
    the hash of all hooks when detecting changes.  We'd like the user to be
@@ -425,44 +434,58 @@ class RepoHook(object):
      HookError: Raised if the user doesn't approve and abort_if_user_denies
          was passed to the consturctor.
    """
-    hooks_config = self._hooks_project.config
+    if self._ManifestUrlHasSecureScheme():
-    git_approval_key = 'repo.hooks.%s.approvedhash' % self._hook_type
+      return self._CheckForHookApprovalManifest()
+    else:
+      return self._CheckForHookApprovalHash()
+  def _CheckForHookApprovalHelper(self, subkey, new_val, main_prompt,
+                                  changed_prompt):
+    """Check for approval for a particular attribute and hook.
+    Args:
+      subkey: The git config key under [repo.hooks.<hook_type>] to store the
+          last approved string.
+      new_val: The new value to compare against the last approved one.
+      main_prompt: Message to display to the user to ask for approval.
+      changed_prompt: Message explaining why we're re-asking for approval.
+    Returns:
+      True if this hook is approved to run; False otherwise.
-    # Get the last hash that the user approved for this hook; may be None.
+    Raises:
-    old_hash = hooks_config.GetString(git_approval_key)
+      HookError: Raised if the user doesn't approve and abort_if_user_denies
+          was passed to the consturctor.
+    """
+    hooks_config = self._hooks_project.config
+    git_approval_key = 'repo.hooks.%s.%s' % (self._hook_type, subkey)
-    # Get the current hash so we can tell if scripts changed since approval.
+    # Get the last value that the user approved for this hook; may be None.
-    new_hash = self._GetHash()
+    old_val = hooks_config.GetString(git_approval_key)
-    if old_hash is not None:
+    if old_val is not None:
      # User previously approved hook and asked not to be prompted again.
-      if new_hash == old_hash:
+      if new_val == old_val:
        # Approval matched.  We're done.
        return True
      else:
        # Give the user a reason why we're prompting, since they last told
        # us to "never ask again".
-        prompt = 'WARNING: Scripts have changed since %s was allowed.\n\n' % (
+        prompt = 'WARNING: %s\n\n' % (changed_prompt,)
-            self._hook_type)
    else:
      prompt = ''
    # Prompt the user if we're not on a tty; on a tty we'll assume "no".
    if sys.stdout.isatty():
-      prompt += ('Repo %s run the script:\n'
+      prompt += main_prompt + ' (yes/always/NO)? '
-                 '  %s\n'
-                 '\n'
-                 'Do you want to allow this script to run '
-                 '(yes/yes-never-ask-again/NO)? ') % (self._GetMustVerb(),
-                                                      self._script_fullpath)
      response = input(prompt).lower()
      print()
      # User is doing a one-time approval.
      if response in ('y', 'yes'):
        return True
-      elif response == 'yes-never-ask-again':
+      elif response == 'always':
-        hooks_config.SetString(git_approval_key, new_hash)
+        hooks_config.SetString(git_approval_key, new_val)
        return True
    # For anything else, we'll assume no approval.
@@ -472,6 +495,42 @@ class RepoHook(object):
    return False
+  def _ManifestUrlHasSecureScheme(self):
+    """Check if the URI for the manifest is a secure transport."""
+    secure_schemes = ('file', 'https', 'ssh', 'persistent-https', 'sso', 'rpc')
+    parse_results = urllib.parse.urlparse(self._manifest_url)
+    return parse_results.scheme in secure_schemes
+  def _CheckForHookApprovalManifest(self):
+    """Check whether the user has approved this manifest host.
+    Returns:
+      True if this hook is approved to run; False otherwise.
+    """
+    return self._CheckForHookApprovalHelper(
+        'approvedmanifest',
+        self._manifest_url,
+        'Run hook scripts from %s' % (self._manifest_url,),
+        'Manifest URL has changed since %s was allowed.' % (self._hook_type,))
+  def _CheckForHookApprovalHash(self):
+    """Check whether the user has approved the hooks repo.
+    Returns:
+      True if this hook is approved to run; False otherwise.
+    """
+    prompt = ('Repo %s run the script:\n'
+              '  %s\n'
+              '\n'
+              'Do you want to allow this script to run '
+              '(yes/yes-never-ask-again/NO)? ') % (self._GetMustVerb(),
+                                                   self._script_fullpath)
+    return self._CheckForHookApprovalHelper(
+        'approvedhash',
+        self._GetHash(),
+        prompt,
+        'Scripts have changed since %s was allowed.' % (self._hook_type,))
  def _ExecuteHook(self, **kwargs):
    """Actually execute the given hook.
@@ -2235,6 +2294,7 @@ class Project(object):
        for key in ['user.name', 'user.email']:
          if m.Has(key, include_defaults=False):
            self.config.SetString(key, m.GetString(key))
+        self.config.SetString('filter.lfs.smudge', 'git-lfs smudge --skip -- %f')
        if self.manifest.IsMirror:
          self.config.SetString('core.bare', 'true')
        else:
diff --git a/subcmds/upload.py b/subcmds/upload.py
index 674fc17d..4b05f1e8 100644
--- a/subcmds/upload.py
+++ b/subcmds/upload.py
@@ -456,7 +456,9 @@ Gerrit Code Review:  http://code.google.com/p/gerrit/
    if pending and (not opt.bypass_hooks):
      hook = RepoHook('pre-upload', self.manifest.repo_hooks_project,
-                      self.manifest.topdir, abort_if_user_denies=True)
+                      self.manifest.topdir,
+                      self.manifest.manifestProject.GetRemote('origin').url,
+                      abort_if_user_denies=True)
      pending_proj_names = [project.name for (project, avail) in pending]
      pending_worktrees = [project.worktree for (project, avail) in pending]
      try: