From: Skyler Ferris via Guix-patches via <guix-patches@gnu.org>
To: "Ludovic Courtès" <ludo@gnu.org>, 69780@debbugs.gnu.org
Cc: Julien Lepiller <julien@lepiller.eu>,
Florian Pelz <pelzflorian@pelzflorian.de>
Subject: [bug#69780] [PATCH 4/4] DRAFT news: Add entry for ‘guix git authenticate’ changes.
Date: Fri, 15 Mar 2024 00:58:03 +0000 [thread overview]
Message-ID: <73ead80c-9159-4e03-b2a7-68434cade060@protonmail.com> (raw)
In-Reply-To: <e1e5ac9fc790e58a2496d46ccefb5e72daa91e19.1710351278.git.ludo@gnu.org>
[-- Attachment #1: Type: text/plain, Size: 4252 bytes --]
Hello Ludo’,
This looks like a great way to improve protection for guix developers. Saving the input, which still initially comes from the developer, and using it automatically in the future means less overhead for developers and less chances for something to go wrong in the process. I'm trying it locally on my machine and there are a few things I noticed.
> + (if (or (file-exists? pre-push-hook)
> + (file-exists? fpost-checkout-hook))
> + (begin
> + (warning (G_ "not overriding pre-existing hooks '~a' and '~a'~%")
> + pre-push-hook post-checkout-hook)
> + (display-hint (G_ "Consider running @command{guix git authenticate}
> +from your pre-push and update hooks so your repository is automatically
> +authenticated before you push or receive updates.")))
When the developer builds guix a pre-push hook is already installed, from etc/git/pre-push. This runs `make authenticate` itself but also runs `make check-channel-news`. I don't think we can just get rid of that file because then people would lose check-channel-news, but it seems useful to have this functionality built into the authenticate script so that other projects can use it. Unfortunately, unconditionally appending to the script could cause problems because the developer could have added their own hook which could have been written in any language. Perhaps we could update etc/git/pre-push to call the authenticate script in the new way and install any hooks that do not clobber (eg, if pre-push exists then we skip that hook but install the rest)?
> + (define post-checkout-hook
> + (in-vicinity directory "hooks/post-checkout"))
The post-checkout hook does not run when `git pull` is called. Instead, the post-merge hook is called. Note that post-merge does not receive the same set of arguments as post-checkout. I had success replacing "$newrev" with "$(git rev-parse HEAD)". We could leave out the value completely for post-merge because the script will use HEAD by default if no end is given. But maybe we don't want to rely on default behavior for a script that will not be automatically updated with the tool.
I can think of more ways that a developer could end up on a new commit. For example, running `git fetch` followed by `git reset --hard`. I'm not sure if it makes to support every possible case because that could get complicated very quickly. But git pull is the most common way to get updates (at least in my experience, which could have a sample bias) so I think it makes sense to at least support that.
> +while read local_ref local_oid remote_ref remote_oid
> +do
> + guix git authenticate --end=\"$local_ref\"
> +done\n")
I believe this should be "$local_oid", not "$local_ref".
> +(define (configured-introduction repository)
> + "Return two values: the commit and signer fingerprint (strings) as
> +configured in REPOSITORY. Error out if one or both were missing."
> + (let* ((config (repository-config repository))
> + (commit (config-value config "guix.authentication.introduction-commit"))
> + (signer (config-value config "guix.authentication.introduction-signer")))
> + (unless (and commit signer)
> + (leave (G_ "unknown introductory commit and signer~%")))
> + (values commit signer)))
I am wondering how this would work if somebody is working with multiple branches, in particular if they do not all use the same introduction. Maybe that doesn't need to be addressed in this patch series but it might be easier to address it in the future if the branch name was included in the config file instead assuming that a specific introduction applies to every branch in a given checkout (for example, by using "guix.authentication.introduction-commit.branch-name"). This is probably more relevant to external users of the tool than to the guix repository itself. The logistics of using unrelated branches simultaneously seems complicated and not very helpful, especially when channels are such an appealing alternative. But it could be useful for other projects.
> +(define (configured? repository)
> + "Return true if REPOSITORY already container introduction info in its
> +'config' file."
Typo: this should be "contains", not "container"
Regards,
Skyler
[-- Attachment #2: Type: text/html, Size: 5486 bytes --]
next prev parent reply other threads:[~2024-03-15 0:59 UTC|newest]
Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-03-13 17:40 [bug#69780] [PATCH 0/4] Simplify 'guix git authenticate' usage Ludovic Courtès
2024-03-13 17:42 ` [bug#69780] [PATCH 1/4] git authenticate: Record introduction and keyring in ‘.git/config’ Ludovic Courtès
2024-03-16 21:00 ` Tomas Volf
2024-03-19 13:32 ` Ludovic Courtès
2024-03-20 16:03 ` Ludovic Courtès
2024-03-20 22:13 ` Tomas Volf
2024-03-29 10:34 ` Ludovic Courtès
2024-03-31 12:24 ` Tomas Volf
2024-04-07 20:38 ` [bug#69780] [PATCH v2 0/5] Simplify 'guix git authenticate' usage Ludovic Courtès
2024-04-12 14:52 ` Ludovic Courtès
2024-05-01 15:52 ` bug#69780: " Ludovic Courtès
2024-04-07 20:38 ` [bug#69780] [PATCH v2 1/5] git authenticate: Record introduction and keyring in ‘.git/config’ Ludovic Courtès
2024-04-07 20:38 ` [bug#69780] [PATCH v2 2/5] git authenticate: Discover the repository Ludovic Courtès
2024-04-07 20:38 ` [bug#69780] [PATCH v2 3/5] git authenticate: Print something upon success Ludovic Courtès
2024-04-07 20:38 ` [bug#69780] [PATCH v2 4/5] git authenticate: Install pre-push and post-checkout hooks Ludovic Courtès
2024-04-07 20:38 ` [bug#69780] [PATCH v2 5/5] DRAFT news: Add entry for ‘guix git authenticate’ changes Ludovic Courtès
2024-03-13 17:42 ` [bug#69780] [PATCH 2/4] git authenticate: Discover the repository Ludovic Courtès
2024-03-13 17:42 ` [bug#69780] [PATCH 3/4] git authenticate: Install pre-push and post-checkout hooks Ludovic Courtès
2024-03-16 21:09 ` Tomas Volf
2024-03-19 14:02 ` Ludovic Courtès
2024-03-13 17:42 ` [bug#69780] [PATCH 4/4] DRAFT news: Add entry for ‘guix git authenticate’ changes Ludovic Courtès
2024-03-14 14:51 ` pelzflorian (Florian Pelz)
2024-03-19 14:02 ` Ludovic Courtès
2024-03-15 0:58 ` Skyler Ferris via Guix-patches via [this message]
2024-03-19 14:12 ` Ludovic Courtès
2024-03-21 1:43 ` Skyler Ferris via Guix-patches via
2024-03-21 2:14 ` Skyler Ferris via Guix-patches via
2024-03-21 14:13 ` Ludovic Courtès
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://guix.gnu.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=73ead80c-9159-4e03-b2a7-68434cade060@protonmail.com \
--to=guix-patches@gnu.org \
--cc=69780@debbugs.gnu.org \
--cc=julien@lepiller.eu \
--cc=ludo@gnu.org \
--cc=pelzflorian@pelzflorian.de \
--cc=skyvine@protonmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).