all messages for Guix-related lists mirrored at yhetil.org
* Annoying behaviour of the GPG signature verification pre-push hook
@ 2018-03-27 21:39 Leo Famulari
From: Leo Famulari @ 2018-03-27 21:39 UTC (permalink / raw)
  To: guix-devel

In HACKING, we recommend Guix committers install a pre-push hook to
verify their GPG signatures before pushing to Savannah. [0] This is
intended to catch mistakes only.

This generally works, and I tend to forget I'm using it for months at a
time :)

There is one case where the hook is annoying: pushing a new branch.

In this case, Git tries to verify a very large number of commit
signatures.  This takes a long time and is bound to fail due to
signatures made with keys that have since expired. [1] You have to
disable the hook temporarily in order to push new branches to our Git
repo.

So, you end up waiting for several minutes for something that is
definitely not going to work.

We discussed this on #guix today [2]. Salient points:

* This annoying behaviour requires users to disable the hook, and they
might forget to re-enable it. That is bad.

* This behaviour forces users to think about signatures, and they might
double-check things by hand after disabling the hook, which is better
than nothing.

* The hook could simply print a warning and allow the new branch to be
pushed, which would avoid the annoying behaviour. But, BAD signatures
have made it into our repo, and they may have been caught by manual
verification.

* Pushing a new branch happens very rarely, so maybe this annoying
behaviour doesn't matter. We could reduce the range of commits to start
at the last release to make it fail more quickly.

* Maybe HACKING should suggest symlinking the hook instead of copying it,
so we could deploy changes to it automatically.

Thoughts? Personally, I'm inclined to leave it as is, perhaps reducing
the range and changing HACKING to suggest a symlink instead of a copy.

[0]
https://git.savannah.gnu.org/cgit/guix.git/tree/HACKING?id=75176f1b94903b592f5b1eb5a1b856c5ec761276#n50
https://git.savannah.gnu.org/cgit/guix.git/tree/etc/git/pre-push?id=75176f1b94903b592f5b1eb5a1b856c5ec761276

[1] This shouldn't count as a failure, in my opinion, but it does.

[2]
https://gnunet.org/bot/log/guix/2018-03-27#T1661747
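
The reduced-range idea from the message above, combined with the expired-key case from footnote [1], as an added example that is not part of the original message and is not the Guix etc/git/pre-push hook. The `PRE_PUSH_BASE` variable and the `LAST-RELEASE-TAG` placeholder are assumptions, and downgrading expired-key signatures to a warning is a policy choice, not the hook's documented behaviour.

```shell
#!/bin/sh
# Added example: pre-push hook sketch (assumes a SHA-1 repository).
# BASE is an assumed lower bound for new branches, e.g. the last release tag.
BASE="${PRE_PUSH_BASE:-LAST-RELEASE-TAG}"   # placeholder tag name
Z40=0000000000000000000000000000000000000000

# Print the rev-list range to verify for one line of pre-push input
# (arguments: local_sha remote_sha); print nothing for a ref deletion.
push_range() {
    if [ "$1" = "$Z40" ]; then
        return 0                          # deletion: nothing to verify
    elif [ "$2" = "$Z40" ]; then
        printf '%s..%s\n' "$BASE" "$1"    # new branch: start at BASE, not the root
    else
        printf '%s..%s\n' "$2" "$1"       # existing branch: only the new commits
    fi
}

# Classify the GnuPG status lines that `git verify-commit --raw` writes to stderr.
classify_status() {
    case "$1" in
        *"[GNUPG:] BADSIG "*)    echo bad ;;
        *"[GNUPG:] EXPKEYSIG "*) echo expired-key ;;
        *"[GNUPG:] GOODSIG "*)   echo good ;;
        *)                       echo unverified ;;   # unsigned, unknown or revoked key
    esac
}

main() {
    status=0
    while read -r local_ref local_sha remote_ref remote_sha; do
        range=$(push_range "$local_sha" "$remote_sha")
        [ -n "$range" ] || continue
        for commit in $(git rev-list "$range"); do
            raw=$(git verify-commit --raw "$commit" 2>&1 >/dev/null)
            case $(classify_status "$raw") in
                good) ;;
                expired-key) echo "warning: $commit: signing key has expired" >&2 ;;
                *) echo "error: $commit: no valid signature" >&2; status=1 ;;
            esac
        done
    done
    return $status
}

# Run only when installed as .git/hooks/pre-push (copy or symlink).
case "${0##*/}" in pre-push) main "$@" ;; esac
```

BADSIG is matched first so a bad signature can never be masked by another status line, and anything that is not an explicit GOODSIG or EXPKEYSIG still blocks the push.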
