Re: Updating the “pre-push” Git hook

["Ludovic Courtès" <ludo@gnu.org>]

Hi!

Vagrant Cascadian <vagrant@debian.org> skribis:

> On 2020-05-24, Ludovic Courtès wrote:
>> Efraim Flashner <efraim@flashner.co.il> skribis:
>>> On Fri, May 22, 2020 at 10:44:48PM +0200, Ludovic Courtès wrote:
>>>> Hello Guix!
>>>> 
>>>> I think we should change our pre-push hook as shown below.
>>>> 
>>>> Thoughts?
> ...
>>> (ins)efraim@E5400 ~$ type -P make
>>> (ins)efraim@E5400 ~$ command -v make
>>>
>>> I'd need to run 'guix environment --ad-hoc make -- git push'
>>
>> You’d need to run ‘git push’ from a full Guix development environment.
>> Do you think it could be a problem?
>
> Wait a minute... you're saying this is something that needs to be
> configured on each committer's machine(s)?
>
> Shouldn't it be on the server-side recieve hooks instead, otherwise
> someone might accidentally (or intentially) push commits not
> appropriately signed to the repository or validated by this check...
>
> Or is this an optional check for recommended for committers? Have I been
> missing something all along that I was supposed to be doing?

It should be a server-side check so we don’t shoot ourselves in the foot.

However, it’s not done yet (but hey, the code is not even a month old
:-)), so in the meantime, this hook will be very strongly recommended.

Making this a server-side hook on Savannah will be challenging since
“we” don’t have direct access to Savannah.  That makes me wonder if we
should have a push server say on berlin, and make Savannah mirror it or
something.

Help welcome!

> For my own workflow, I usually do not (yet) sign or push commits from a
> machine with guix installed... it's a bit awkward, admittedly, but I
> don't yet have any SSH or OpenPGP keys I trust guix with directly
> (ironically, "make authenticate" is working towards addressing exactly
> that trust issue).

Heh.  :-)

Thanks,
Ludo’.