From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <guix-devel-bounces+larch=yhetil.org@gnu.org>
Received: from mp2 ([2001:41d0:2:4a6f::])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
	by ms11 with LMTPS
	id maSJNc45yF5XFQAA0tVLHw
	(envelope-from <guix-devel-bounces+larch=yhetil.org@gnu.org>)
	for <larch@yhetil.org>; Fri, 22 May 2020 20:45:02 +0000
Received: from aspmx1.migadu.com ([2001:41d0:2:4a6f::])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
	by mp2 with LMTPS
	id sG4eMc45yF4ydQAAB5/wlQ
	(envelope-from <guix-devel-bounces+larch=yhetil.org@gnu.org>)
	for <larch@yhetil.org>; Fri, 22 May 2020 20:45:02 +0000
Received: from lists.gnu.org (lists.gnu.org [209.51.188.17])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by aspmx1.migadu.com (Postfix) with ESMTPS id 68359940144
	for <larch@yhetil.org>; Fri, 22 May 2020 20:45:02 +0000 (UTC)
Received: from localhost ([::1]:42364 helo=lists1p.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.90_1)
	(envelope-from <guix-devel-bounces+larch=yhetil.org@gnu.org>)
	id 1jcEXN-0002v6-9m
	for larch@yhetil.org; Fri, 22 May 2020 16:45:01 -0400
Received: from eggs.gnu.org ([2001:470:142:3::10]:38662)
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <ludo@gnu.org>) id 1jcEXE-0002qA-Mc
 for guix-devel@gnu.org; Fri, 22 May 2020 16:44:52 -0400
Received: from fencepost.gnu.org ([2001:470:142:3::e]:56752)
 by eggs.gnu.org with esmtp (Exim 4.90_1)
 (envelope-from <ludo@gnu.org>)
 id 1jcEXE-00078g-19; Fri, 22 May 2020 16:44:52 -0400
Received: from [2a01:e0a:1d:7270:af76:b9b:ca24:c465] (port=51046 helo=ribbon)
 by fencepost.gnu.org with esmtpsa (TLS1.2:RSA_AES_256_CBC_SHA1:256)
 (Exim 4.82) (envelope-from <ludo@gnu.org>)
 id 1jcEXC-0001tn-VI; Fri, 22 May 2020 16:44:51 -0400
From: =?utf-8?Q?Ludovic_Court=C3=A8s?= <ludo@gnu.org>
To: Guix Devel <guix-devel@gnu.org>
Subject: Updating the =?utf-8?B?4oCccHJlLXB1c2jigJ0=?= Git hook
X-URL: http://www.fdn.fr/~lcourtes/
X-Revolutionary-Date: 4 Prairial an 228 de la =?utf-8?Q?R=C3=A9volution?=
X-PGP-Key-ID: 0x090B11993D9AEBB5
X-PGP-Key: http://www.fdn.fr/~lcourtes/ludovic.asc
X-PGP-Fingerprint: 3CE4 6455 8A84 FDC6 9DB4  0CFB 090B 1199 3D9A EBB5
X-OS: x86_64-pc-linux-gnu
Date: Fri, 22 May 2020 22:44:48 +0200
Message-ID: <87imgn8zsv.fsf@gnu.org>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.3 (gnu/linux)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="=-=-="
X-BeenThere: guix-devel@gnu.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: "Development of GNU Guix and the GNU System distribution."
 <guix-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-devel>,
 <mailto:guix-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <https://lists.gnu.org/archive/html/guix-devel>
List-Post: <mailto:guix-devel@gnu.org>
List-Help: <mailto:guix-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-devel>,
 <mailto:guix-devel-request@gnu.org?subject=subscribe>
Errors-To: guix-devel-bounces+larch=yhetil.org@gnu.org
Sender: "Guix-devel" <guix-devel-bounces+larch=yhetil.org@gnu.org>
X-Scanner: scn0
Authentication-Results: aspmx1.migadu.com;
	dkim=none;
	dmarc=none;
	spf=pass (aspmx1.migadu.com: domain of guix-devel-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=guix-devel-bounces@gnu.org
X-Spam-Score: -1.01
X-TUID: 32NdNfOo/Uhx

--=-=-=
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

Hello Guix!

I think we should change our pre-push hook as shown below.

Thoughts?

Thanks,
Ludo=E2=80=99.


--=-=-=
Content-Type: text/x-patch
Content-Disposition: inline

diff --git a/etc/git/pre-push b/etc/git/pre-push
index 9206a2dfe5..415345fc75 100755
--- a/etc/git/pre-push
+++ b/etc/git/pre-push
@@ -1,7 +1,8 @@
 #!/bin/sh
 
 # This hook script prevents the user from pushing to Savannah if any of the new
-# commits' OpenPGP signatures cannot be verified.
+# commits' OpenPGP signatures cannot be verified, or if a commit is signed
+# with an unauthorized key.
 
 # Called by "git push" after it has checked the remote status, but before
 # anything has been pushed.  If this script exits with a non-zero status nothing
@@ -19,51 +20,13 @@
 #
 #   <local ref> <local sha1> <remote ref> <remote sha1>
 
-z40=0000000000000000000000000000000000000000
-
 # Only use the hook when pushing to Savannah.
 case "$2" in
-*git.sv.gnu.org*)
-	break
+    *.gnu.org*)
+	exec make authenticate check-channel-news
+	exit 127
 	;;
-*)
+    *)
 	exit 0
 	;;
 esac
-
-while read local_ref local_sha remote_ref remote_sha
-do
-	if [ "$local_sha" = $z40 ]
-	then
-		# Handle delete
-		:
-	else
-		if [ "$remote_sha" = $z40 ]
-		then
-			# We are pushing a new branch. To prevent wasting too
-			# much time for this relatively rare case, we examine
-			# all commits since the first signed commit, rather than
-			# the full history. This check *will* fail, and the user
-			# will need to temporarily disable the hook to push the
-			# new branch.
-			range="e3d0fcbf7e55e8cbe8d0a1c5a24d73f341d7243b..$local_sha"
-		else
-			# Update to existing branch, examine new commits
-			range="$remote_sha..$local_sha"
-		fi
-
-		# Verify the signatures of all commits being pushed.
-		ret=0
-		for commit in $(git rev-list $range)
-		do
-			if ! git verify-commit $commit >/dev/null 2>&1
-			then
-				printf "%s failed signature check\n" $commit
-				ret=1
-			fi
-		done
-		exit $ret
-	fi
-done
-
-exit 0

--=-=-=--