In HACKING, we recommend Guix committers install a pre-push hook to verify their GPG signatures before pushing to Savannah. [0] This is intended to catch mistakes only.
This generally works, and I tend to forget I'm using it for months at a time :) There is one case where the hook is annoying: pushing a new branch. In this case, Git tries to verify a very large number of commit signatures. This takes a long time and is bound to fail due to signatures made with keys that have since expired. [1] You have to disable the hook temporarily in order to push new branches to our Git repo. So, you end up waiting for several minutes for something that is definitely not going to work. We discussed this on #guix today [2]. Salient points: * This annoying behaviour requires users to disable the hook, and they might forget to re-enable it. That is bad. * This behaviour forces users to think about signatures, and they might double-check things by hand after disabling the hook, which is better than nothing. * The hook could simply print a warning and allow the new branch to be pushed, which would avoid the annoying behaviour. But, BAD signatures have made it into our repo, and they may have been caught by manual verification. * Pushing a new branch happens very rarely, so maybe this annoying behaviour doesn't matter. We could reduce the range of commits to start at the last release to make it fail more quickly. * Maybe HACKING should suggest symlinking the hook instead of copying it, so we could deploy changes to it automatically. Thoughts? Personally, I'm inclined to leave it as is, perhaps reducing the range and changing HACKING to suggest a symlink instead of a copy. [0] https://git.savannah.gnu.org/cgit/guix.git/tree/HACKING?id=75176f1b94903b592f5b1eb5a1b856c5ec761276#n50 https://git.savannah.gnu.org/cgit/guix.git/tree/etc/git/pre-push?id=75176f1b94903b592f5b1eb5a1b856c5ec761276 [1] This shouldn't count as a failure, in my opinion, but it does. [2] https://gnunet.org/bot/log/guix/2018-03-27#T1661747
signature.asc
Description: PGP signature
