On 3/19/19 6:55 PM, Christian Grothoff wrote: > On 3/16/19 10:32 PM, Florian Dold wrote: >> The model of "nobody should push to master" is great if you have the >> right tooling on the server, but breaks GPG signing of commits by the >> author, AFAICT. > > Hmm. Are you sure? I understand that sometimes merging and rebasing > requires re-signing, but I'm not 100% clear on which operations the CI > would require, and if it is possible to do it with a subset which may > not require re-signing. Breaking the GPG signing would be a major loss > indeed.
Yes. Let's say I commit a change (and my commit references the last head X). Then you make a change at the same time on your branch, for simplicity also based on the last commit X. Then we both tell the CI bot to "please apply my changes to master". Then for my change that will work (if it's picked first), but your commit must be changed to have my commit as the parent, which destroys your signature. Alternatively, the CI bot can create merge-commits. This preserves both our signatures, but then the CI bot needs to make a signature for the merge commit itself, and additionally there are lots of merge commits, making the history (IMHO) ugly. Furthermore, all these merge commits make it hard to back out changes, since creating a reverse commit for a merge commit in git creates all kinds of problems. > Sure, and I'm also fine with allowing people to delete branches as long > as they are scoped to their prefix, i.e. flo deleting the > wip-flo-branches should be fine. (ng0: you suggested a nicer naming > convention, that's also fine with me). > > If someone knows how to encode this in the Gitolite config, please go > ahead and just do it ;-). I've done this for git.taler.net, using the VREF feature of gitolite. You're in the "admin" group, so it won't affect you. But for a normal $user, they can now only force-push or delete branches of the form dev/$user/... from now on :-) Every normal user can still *create* arbitrary branches, but can't delete them. Not sure if that's the best policy, but it can be trivially changed in the config to only allow admins to create new non-"dev/..." branches. - Florian
signature.asc
Description: OpenPGP digital signature
_______________________________________________ GNUnet-developers mailing list GNUnet-developers@gnu.org https://lists.gnu.org/mailman/listinfo/gnunet-developers