From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mp1 ([2001:41d0:2:4a6f::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by ms11 with LMTPS id qL2cG4UbzF6GKAAA0tVLHw (envelope-from ) for ; Mon, 25 May 2020 19:24:53 +0000 Received: from aspmx1.migadu.com ([2001:41d0:2:4a6f::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by mp1 with LMTPS id EMhqF4UbzF4nNAAAbx9fmQ (envelope-from ) for ; Mon, 25 May 2020 19:24:53 +0000 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by aspmx1.migadu.com (Postfix) with ESMTPS id E1503940D95 for ; Mon, 25 May 2020 19:24:52 +0000 (UTC) Received: from localhost ([::1]:36178 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1jdIiR-0003cl-9k for larch@yhetil.org; Mon, 25 May 2020 15:24:51 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:53632) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1jdIiK-0003ce-0v for guix-devel@gnu.org; Mon, 25 May 2020 15:24:44 -0400 Received: from fencepost.gnu.org ([2001:470:142:3::e]:55280) by eggs.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1jdIiJ-0004hz-OJ for guix-devel@gnu.org; Mon, 25 May 2020 15:24:43 -0400 Received: from ti0006q161-2604.bb.online.no ([84.202.68.75]:38166 helo=localhost) by fencepost.gnu.org with esmtpsa (TLS1.2:RSA_AES_256_CBC_SHA1:256) (Exim 4.82) (envelope-from ) id 1jdIiJ-0004Up-A4 for guix-devel@gnu.org; Mon, 25 May 2020 15:24:43 -0400 From: Marius Bakke To: guix-devel@gnu.org Subject: Heads-up: hard reset of the 'staging' branch Date: Mon, 25 May 2020 21:24:40 +0200 Message-ID: <87ftbn7r7r.fsf@gnu.org> MIME-Version: 1.0 Content-Type: multipart/signed; boundary="=-=-="; micalg=pgp-sha512; protocol="application/pgp-signature" X-BeenThere: guix-devel@gnu.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "Development of GNU Guix and the GNU System distribution." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-devel-bounces+larch=yhetil.org@gnu.org Sender: "Guix-devel" X-Scanner: scn0 Authentication-Results: aspmx1.migadu.com; dkim=none; dmarc=none; spf=pass (aspmx1.migadu.com: domain of guix-devel-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=guix-devel-bounces@gnu.org X-Spam-Score: -3.11 X-TUID: nQZwTqmfMIxy --=-=-= Content-Type: text/plain Guix, I have good news and bad news. The good news is that the new commit verification infrastructure works great. 'make authenticate' will verify that all commits were signed by a key that was authorized by .guix-authorizations at that point in time. The bad news is that we need to ensure .guix-authorizations has been updated on any branches that new committers/keys will be pushing to. Currently the 'staging' branch has one commit (8229ce3116c1f522c7157ab2dcd50dc2d765686a) signed by a not-yet-authorized key (it had been authorized on 'master' by d074f73aacc5a39aed0202d6e45721f53f34a8c0, but that was not yet merged to 'staging' at the time). To fix it properly without leaving a gap where 'make authenticate' will fail, we actually need to rewrite the history. Luckily git supports rebasing merges(!), and the merge we need was the next commit on that branch. I have pushed a 'staging2' branch where I did the following: 1) git rebase -i --rebase-merges 8229ce3116c1f522c7157ab2dcd50dc2d765686a~ 2) Moved 8229ce3116c1f522c7157ab2dcd50dc2d765686a after f00270d35a6ca814903a9392caedc29d44959088 (the first merge that includes .guix-authorizations) -- it was "one step down" in Magits interactive rebase menu. 3) "solved" three merge conflicts (actually git rerere remembered the resolutions, and I could have used git rebase --rerere-autoupdate to make the process entirely automatic). I intend to move the current 'staging' branch to 'staging-old', and rename 'staging2' to 'staging' once I'm fully confident in the result and resolution. In the mean time, comments or replications of the experiment welcome. In other good news, the new pre-push hook proposed by Ludovic in will eliminate this issue as long as people remember to activate it. For total confidence we should perform it on the server side though. Sorry for the inconvenience! --=-=-= Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQEzBAEBCgAdFiEEu7At3yzq9qgNHeZDoqBt8qM6VPoFAl7MG3gACgkQoqBt8qM6 VPr+xAgA0NSNzaYkQ2HGZQ6xuTzu4LPsjUAxpaBo3Z4o90DellctnqiHMNT35FRn v3zW9egVo8IKabjm8JYD5u+JhxC5FeEMykO3V385QAPACyJT6gg+USXNIhV1Ha1e sDEzty7zAjAW63AyDs2eiCB8x55kibztQA/+CogAARGx9J0osU4sbX91Qh02hF4M 9ARQvOFUWAnGiR1Rfao6puFrt8S8Q7l3eRvSV7sToJN+cQGVaqM51xKI6hRLfLeG +BC9qMcnK2Oy9tn6/d75LRKO9lqoDve0XEJFVEfVS0XSh0lxSzwDghEcp3dwSLjN kxdQ2ZJAn9MSuJbxlnTGmh+WS1KQWg== =6qq3 -----END PGP SIGNATURE----- --=-=-=--