[PATCH 0/4] Simplify 'guix git authenticate' usage

> + (title

> + (en "@command{guix git authenticate} usage simplified")

> )

> + (body

> + (en "Usage of the @command{guix git authenticate} command

> + (if (or (file-exists? pre-push-hook)

> + (file-exists? fpost-checkout-hook))

> + (begin

> + (warning (G_ "not overriding pre-existing hooks '~a' and '~a'~%")

> + pre-push-hook post-checkout-hook)

> + (display-hint (G_ "Consider running @command{guix git authenticate}

> +from your pre-push and update hooks so your repository is automatically

> +authenticated before you push or receive updates.")))

> + (define post-checkout-hook

> + (in-vicinity directory "hooks/post-checkout"))

> +while read local_ref local_oid remote_ref remote_oid

> +do

> + guix git authenticate --end=\"$local_ref\"

> +done\n")

> +(define (configured-introduction repository)

> + "Return two values: the commit and signer fingerprint (strings) as

> +configured in REPOSITORY. Error out if one or both were missing."

> + (let* ((config (repository-config repository))

> + (commit (config-value config "guix.authentication.introduction-commit"))

> + (signer (config-value config "guix.authentication.introduction-signer")))

> + (unless (and commit signer)

> + (leave (G_ "unknown introductory commit and signer~%")))

> + (values commit signer)))

> +(define (configured? repository)

> + "Return true if REPOSITORY already container introduction info in its

> +'config' file."

> * guix/scripts/git/authenticate.scm (install-hooks): New procedure.

> (guix-git-authenticate): Use it.

> * doc/guix.texi (Invoking guix git authenticate): Document it.

>

> Change-Id: I4464a33193186e85b476a12740e54412bd58429c

> ---

> doc/guix.texi | 5 ++++

> guix/scripts/git/authenticate.scm | 43 ++++++++++++++++++++++++++++++-

> 2 files changed, 47 insertions(+), 1 deletion(-)

>

> diff --git a/doc/guix.texi b/doc/guix.texi

> index ac0766b98c..b1672803c0 100644

> --- a/doc/guix.texi

> +++ b/doc/guix.texi

> @@ -7624,6 +7624,11 @@ Invoking guix git authenticate

> guix git authenticate [@var{options}@dots{}]

> @end example

>

> +The first run also attempts to install pre-push and post-checkout hooks,

> +such that @command{guix git authenticate} is invoked as soon as you run

> +@command{git push}, @command{git checkout}, and related commands; it

> +does not overwrite preexisting hooks though.

> +

> The options below allow you to fine-tune the process.

>

> @table @code

> diff --git a/guix/scripts/git/authenticate.scm b/guix/scripts/git/authenticate.scm

> index 36e1aa6228..13e1de3099 100644

> --- a/guix/scripts/git/authenticate.scm

> +++ b/guix/scripts/git/authenticate.scm

> @@ -129,6 +129,46 @@ (define* (record-configuration repository

> (info (G_ "introduction and keyring configuration recorded in '~a'~%")

> config-file))

>

> +(define (install-hooks repository)

> + "Attempt to install in REPOSITORY pre-push and update hooks that invoke

> +'guix git authenticate'. Bail out if one of these already exists."

> + (define directory

> + (repository-directory repository))

> +

> + (define pre-push-hook

> + (in-vicinity directory "hooks/pre-push"))

> +

> + (define post-checkout-hook

> + (in-vicinity directory "hooks/post-checkout"))

> +

> + (if (or (file-exists? pre-push-hook)

> + (file-exists? post-checkout-hook))

> + (begin

> + (warning (G_ "not overriding pre-existing hooks '~a' and '~a'~%")

> + pre-push-hook post-checkout-hook)

> + (display-hint (G_ "Consider running @command{guix git authenticate}

> +from your pre-push and update hooks so your repository is automatically

> +authenticated before you push or receive updates.")))

> + (begin

> + (call-with-output-file pre-push-hook

> + (lambda (port)

> + (format port "#!/bin/sh

> +set -e

> +while read local_ref local_oid remote_ref remote_oid

> +do

> + guix git authenticate --end=\"$local_ref\"

> +done\n")

> + (chmod port #o755)))

> + (call-with-output-file post-checkout-hook

> + (lambda (port)

> + (format port "#!/bin/sh

> +oldrev=\"$1\"

> +newrev=\"$2\"

> +exec guix git authenticate --end=\"$newrev\"\n")

> + (chmod port #o755)))

> + (info (G_ "installed hooks '~a' and '~a'~%")

> + pre-push-hook post-checkout-hook))))

> +

> (define (show-stats stats)

> "Display STATS, an alist containing commit signing stats as returned by

> 'authenticate-repository'."

> @@ -250,7 +290,8 @@ (define (guix-git-authenticate . args)

> (unless (configured? repository)

> (record-configuration repository

> #:commit commit #:signer signer

> - #:keyring-reference keyring))

> + #:keyring-reference keyring)

> + (install-hooks repository))

>

> (when (and show-stats? (not (null? stats)))

> (show-stats stats))))))

> --

> 2.41.0

>

>

>

>

>> +(define* (record-configuration repository

>> + #:key commit signer keyring-reference)

>> + "Record COMMIT, SIGNER, and KEYRING-REFERENCE in the 'config' file of

>> +REPOSITORY."

>> + (define directory

>> + (repository-directory repository))

>> +

>> + (define config-file

>> + (in-vicinity directory "config"))

>

> I do not think this will work with worktrees. It will create the config file in

> the worktree's git directory, but that file will be ignored by git.

>

> scheme@(guile-user)> (repository-discover "/home/xx/src/guix-wt/patch-1")

> $7 = "/home/xx/src/guix/.git/worktrees/orig/"

> scheme@(guile-user)> (repository-open $7)

> $8 = #<git-repository 128cbe0>

> scheme@(guile-user)> (repository-directory $8)

> $9 = "/home/xx/src/guix/.git/worktrees/orig/"

> scheme@(guile-user)> (in-vicinity $9 "config")

> $10 = "/home/xx/src/guix/.git/worktrees/orig/config"

>

> The $10 should be "/home/xx/src/guix/.git/config" instead.

>> + (call-with-port (open-file config-file "a")

>> + (lambda (port)

>> + (format port "

>> +# Added by 'guix git authenticate'.

>> +[guix \"authentication\"]

>> + introduction-commit = ~a

>> + introduction-signer = ~a

>> + keyring = ~a~%"

>> + commit signer keyring-reference)))

>

> I guess these specific values might not need any escaping? But the escaping

> (and the previous problem) would be solved by just shelling out to the `git

> config --local ...' to set the value. Something to consider.

>> + (unless (configured? repository)

>> + (record-configuration repository

>> + #:commit commit #:signer signer

>> + #:keyring-reference keyring))

>

> Hm, so this records the information only on the very first successful

> authentication?

> So if I re-run with different values (e.g. I am creating a new channel

> and `git commit --amend'-ed after checking the authorization), I am

> stuck with the (now) invalid values forever until I edit the

> .git/config by hand?

> Also (as Skyler Ferris already mentioned) this ignores the case of multiple

> branches with different authentication origins (I actually do have such use

> case), so the suggested option of storing it per-branch might be nice. Not sure

> how to deal with pruning of old values though (if at all?).

> On 2024-03-13 18:42:21 +0100, Ludovic Courtès wrote:

>> * guix/scripts/git/authenticate.scm (install-hooks): New procedure.

>> (guix-git-authenticate): Use it.

>> * doc/guix.texi (Invoking guix git authenticate): Document it.

>>

>> Change-Id: I4464a33193186e85b476a12740e54412bd58429c

>> + (define directory

>> + (repository-directory repository))

>> +

>> + (define pre-push-hook

>> + (in-vicinity directory "hooks/pre-push"))

>> +

>> + (define post-checkout-hook

>> + (in-vicinity directory "hooks/post-checkout"))

>

> I think these will not work with worktrees.

>> +while read local_ref local_oid remote_ref remote_oid

>> +do

>> + guix git authenticate --end=\"$local_ref\"

>

> Am I right in believing that the --end does solve #69541? Shame it (--end) is

> not documented in the --help.

>> +done\n")

>> + (chmod port #o755)))

>

> What is role of etc/git/pre-push now? Should it be removed? Should it be

> updated to run this code instead?

> Haven’t tested, but looks like now I won’t get confused which guix git

> authenticate command from my bash history is the right one for which

> repository. :)

> Could you add this German translation:

>> + (if (or (file-exists? pre-push-hook)

>> + (file-exists? fpost-checkout-hook))

>> + (begin

>> + (warning (G_ "not overriding pre-existing hooks '~a' and '~a'~%")

>> + pre-push-hook post-checkout-hook)

>> + (display-hint (G_ "Consider running @command{guix git authenticate}

>> +from your pre-push and update hooks so your repository is automatically

>> +authenticated before you push or receive updates.")))

>

> When the developer builds guix a pre-push hook is already installed,

> from etc/git/pre-push.

>> + (define post-checkout-hook

>> + (in-vicinity directory "hooks/post-checkout"))

>

> The post-checkout hook does not run when `git pull` is called. Instead, the post-merge hook is called. Note that post-merge does not receive the same set of arguments as post-checkout. I had success replacing "$newrev" with "$(git rev-parse HEAD)". We could leave out the value completely for post-merge because the script will use HEAD by default if no end is given. But maybe we don't want to rely on default behavior for a script that will not be automatically updated with the tool.

>

> I can think of more ways that a developer could end up on a new commit. For example, running `git fetch` followed by `git reset --hard`. I'm not sure if it makes to support every possible case because that could get complicated very quickly. But git pull is the most common way to get updates (at least in my experience, which could have a sample bias) so I think it makes sense to at least support that.

>> +while read local_ref local_oid remote_ref remote_oid

>> +do

>> + guix git authenticate --end=\"$local_ref\"

>> +done\n")

>

> I believe this should be "$local_oid", not "$local_ref".

>> +(define (configured-introduction repository)

>> + "Return two values: the commit and signer fingerprint (strings) as

>> +configured in REPOSITORY. Error out if one or both were missing."

>> + (let* ((config (repository-config repository))

>> + (commit (config-value config "guix.authentication.introduction-commit"))

>> + (signer (config-value config "guix.authentication.introduction-signer")))

>> + (unless (and commit signer)

>> + (leave (G_ "unknown introductory commit and signer~%")))

>> + (values commit signer)))

>

> I am wondering how this would work if somebody is working with multiple branches, in particular if they do not all use the same introduction. Maybe that doesn't need to be addressed in this patch series but it might be easier to address it in the future if the branch name was included in the config file instead assuming that a specific introduction applies to every branch in a given checkout (for example, by using "guix.authentication.introduction-commit.branch-name"). This is probably more relevant to external users of the tool than to the guix repository itself. The logistics of using unrelated branches simultaneously seems complicated and not very helpful, especially when channels are such an appealing alternative. But it could be useful for other projects.

> Tomas Volf <~@wolfsden.cz> skribis:

>

>>> +(define* (record-configuration repository

>>> + #:key commit signer keyring-reference)

>>> + "Record COMMIT, SIGNER, and KEYRING-REFERENCE in the 'config' file of

>>> +REPOSITORY."

>>> + (define directory

>>> + (repository-directory repository))

>>> +

>>> + (define config-file

>>> + (in-vicinity directory "config"))

>>

>> I do not think this will work with worktrees. It will create the config file in

>> the worktree's git directory, but that file will be ignored by git.

>>

>> scheme@(guile-user)> (repository-discover "/home/xx/src/guix-wt/patch-1")

>> $7 = "/home/xx/src/guix/.git/worktrees/orig/"

>> scheme@(guile-user)> (repository-open $7)

>> $8 = #<git-repository 128cbe0>

>> scheme@(guile-user)> (repository-directory $8)

>> $9 = "/home/xx/src/guix/.git/worktrees/orig/"

>> scheme@(guile-user)> (in-vicinity $9 "config")

>> $10 = "/home/xx/src/guix/.git/worktrees/orig/config"

>>

>> The $10 should be "/home/xx/src/guix/.git/config" instead.

>

> Damn it. So hmm, I can see two options:

>

> 1. Add more bindings to (git config) in Guile-Git so we can populate

> that file “the right way”. But then we’ll have to require that

> newer version of Guile-Git.

>

> 2. Bail out when the ‘.git/config’ isn’t found, as in the case of

> worktrees; we can change that to use the proper (git config)

> eventually.

>

> Maybe we should go straight to #1 though. Thoughts?

> Hi,

>

> Ludovic Courtès <ludo@gnu.org> skribis:

>

> > Tomas Volf <~@wolfsden.cz> skribis:

> >

> >>> +(define* (record-configuration repository

> >>> + #:key commit signer keyring-reference)

> >>> + "Record COMMIT, SIGNER, and KEYRING-REFERENCE in the 'config' file of

> >>> +REPOSITORY."

> >>> + (define directory

> >>> + (repository-directory repository))

> >>> +

> >>> + (define config-file

> >>> + (in-vicinity directory "config"))

> >>

> >> I do not think this will work with worktrees. It will create the config file in

> >> the worktree's git directory, but that file will be ignored by git.

> >>

> >> scheme@(guile-user)> (repository-discover "/home/xx/src/guix-wt/patch-1")

> >> $7 = "/home/xx/src/guix/.git/worktrees/orig/"

> >> scheme@(guile-user)> (repository-open $7)

> >> $8 = #<git-repository 128cbe0>

> >> scheme@(guile-user)> (repository-directory $8)

> >> $9 = "/home/xx/src/guix/.git/worktrees/orig/"

> >> scheme@(guile-user)> (in-vicinity $9 "config")

> >> $10 = "/home/xx/src/guix/.git/worktrees/orig/config"

> >>

> >> The $10 should be "/home/xx/src/guix/.git/config" instead.

> >

> > Damn it. So hmm, I can see two options:

> >

> > 1. Add more bindings to (git config) in Guile-Git so we can populate

> > that file “the right way”. But then we’ll have to require that

> > newer version of Guile-Git.

> >

> > 2. Bail out when the ‘.git/config’ isn’t found, as in the case of

> > worktrees; we can change that to use the proper (git config)

> > eventually.

> >

> > Maybe we should go straight to #1 though. Thoughts?

>

> Done:

>

> https://gitlab.com/guile-git/guile-git/-/commit/b3be1dd752682b2b6c9a7c11ccdbfc0f0b5cf4e7

> https://gitlab.com/guile-git/guile-git/-/commit/d38c09230467ca5cca7faabb0c3a43c61a1e2c05

>

> I can cut a new Guile-Git release soonish and we’d use these new

> bindings.

>

> The only open issue left is branches: how to configure different

> introductions for different branches. I’m all ears!

> Right. Like I wrote when replying to Tomas, I view this as a helper

> primarily for people outside Guix itself, because Guix already has its

> own hooks installed as you write.

>

> We could discuss what to do with Guix’s own hooks, but to me that’s a

> separate issue.

> I spent time looking for the “right” hook and couldn’t find anything

> really satisfying. Ideally, I’d want a hook that runs on ‘fetch’, for

> each new reference.

>

> Is post-merge better than post-checkout? githooks(5) says ‘post-merge’

> “is invoked by git-merge(1), which happens when a git pull is done on a

> local repository.” Is it actually invoked when ‘git pull’ does *not*

> trigger a merge?

> Very good point. Now, what would it look like?

>

> Currently we have:

>

> --8<---------------cut here---------------start------------->8---

> [guix "authentication"]

> introduction-commit = 9edb3f66fd807b096b48283debdcddccfea34bad

> introduction-signer = BBB0 2DDF 2CEA F6A8 0D1D E643 A2A0 6DF2 A33A 54FA

> keyring = keyring

> --8<---------------cut here---------------end--------------->8---

>

> Using this configuration format, it seems there’s no room left for a

> branch name, or am I overlooking something?

>

> Or we could take the risk of removing ‘guix’ and make it:

>

> --8<---------------cut here---------------start------------->8---

> [authentication "master"]

> introduction-commit = 9edb3f66fd807b096b48283debdcddccfea34bad

> introduction-signer = BBB0 2DDF 2CEA F6A8 0D1D E643 A2A0 6DF2 A33A 54FA

> keyring = keyring

> --8<---------------cut here---------------end--------------->8---

>

> WDYT?

> That gave me pause too, but I tested it with a pull that caused a fast-forward (no separate merge commit) and it still ran the hook. I looked for a `post-fetch` hook but couldn't find one, I agree that would be ideal.

> Fair enough, that can be addressed in a separate patch. On a related note, this patch reminded me of an idea I mentioned in a private thread with the security team about writing a package that provides `guix git authenticate` as a standalone script, which can be done by extracting the dependent modules and building just them (I have successfully done this for the "(guix build utils)" library, for shell-like guile scripts that have a lighter footprint than all of guix). This will help people who are installing guix from source for the first time. They will not have guix itself available, but it would be easier for them to use the standalone script than to install all of guix (which they will presumably be replacing anyway). Is there anything else around `guix git authenticate` you are working on that might conflict with this? I am starting to look at it now that I have been reminded.

>> I spent time looking for the “right” hook and couldn’t find anything

>> really satisfying. Ideally, I’d want a hook that runs on ‘fetch’, for

>> each new reference.

>>

>> Is post-merge better than post-checkout? githooks(5) says ‘post-merge’

>> “is invoked by git-merge(1), which happens when a git pull is done on a

>> local repository.” Is it actually invoked when ‘git pull’ does *not*

>> trigger a merge?

>

> That gave me pause too, but I tested it with a pull that caused a fast-forward (no separate merge commit) and it still ran the hook. I looked for a `post-fetch` hook but couldn't find one, I agree that would be ideal.

>> Using this configuration format, it seems there’s no room left for a

>> branch name, or am I overlooking something?

> Hmm, I didn't realize that git limited the number of components available in config names, but it looks like you're correct - my suggestion of appending `.branch-name` caused git to produce an error that the config was invalid.

>

> But we don't necessarily need git to be aware of the semantic meaning of the branch name since the value is calculated by the guile script. So we could just use a hyphen as a separator and have "introduction-commit-master" and "introduction-commit-feature" as separate values unrelated to each other (aside from being in the "guix authentication" namespace).

>> The only open issue left is branches: how to configure different

>> introductions for different branches. I’m all ears!

>

> Right, so I have few ideas, not sure if they are any good though. And I myself

> am not really sure which one I like the most, so...

> The problem here is that any possible "smart" solution leaves something to be

> desired. Either it is not automated enough (new branches are unconfigured), or

> it is too magical (new branches inherit the config from... something). 5. is

> probably the most flexible and covering edge cases, but will not be exactly

> one-line change.

>

> Hm, now when I read it after myself, maybe it is just not a problem worth

> solving. All of these are likely to complicate the code quite a bit. Not sure.

>

> Dunno, was this of any help? :)

> > [..]

> >

> > Dunno, was this of any help? :)

>

> Yes, in a way. :-)

>

> For me the takeaway is that we shouldn’t go to far in attempting to

> address this. The proposal we came up with Skyler, where

> ‘introduction-commit’ is taken as the default but may be overridden by

> ‘introduction-commit-BRANCH’ sounds reasonable:

>

> https://issues.guix.gnu.org/69780#17

>

> It does mean that people who need this would have to manually edit their

> ‘.git/config’, but I think that’s acceptable: that’s an advanced use

> case.

>

> Thoughts?

> This is an update on https://issues.guix.gnu.org/69780.

>

> Changes since v1:

>

> • Write config to the right file using the new

> ‘set-config-string’ procedure of Guile-Git.

>

> • Write hooks to the right place (again, accounting for

> worktrees) using the new ‘repository-common-directory’

> procedure of Guile-Git.

>

> • Support branch-specific configuration, as suggested by

> Skyler and Tomas.

>

> • Create a post-merge hook rather than post-checkout, as

> suggested by Skyler.

>

> • Add German translation by Florian and French translation

> of the news entry.

>

> Since this requires the latest Guile-Git, you can use this

> trick to test locally:

>

> guix shell -CPW -m manifest.scm \

> guile-git --with-branch=guile-git=master

>

> If we agree on the patch set, I’ll tag Guile-Git 0.7.0 and

> update it in Guix before applying these patches.

>

> Feedback welcome!

>

> Ludo’.

>

> Ludovic Courtès (5):

> git authenticate: Record introduction and keyring in ‘.git/config’.

> git authenticate: Discover the repository.

> git authenticate: Print something upon success.

> git authenticate: Install pre-push and post-checkout hooks.

> DRAFT news: Add entry for ‘guix git authenticate’ changes.

>

> doc/guix.texi | 33 ++++-

> etc/news.scm | 44 +++++++

> guix/scripts/git/authenticate.scm | 197 +++++++++++++++++++++++++-----

> tests/guix-git-authenticate.sh | 9 +-

> 4 files changed, 249 insertions(+), 34 deletions(-)

>

>

> base-commit: 9b50a35fc0764f48688974af106fd7a6809f33ee

> This is an update on https://issues.guix.gnu.org/69780.

>

> Changes since v1:

>

> • Write config to the right file using the new

> ‘set-config-string’ procedure of Guile-Git.

>

> • Write hooks to the right place (again, accounting for

> worktrees) using the new ‘repository-common-directory’

> procedure of Guile-Git.

>

> • Support branch-specific configuration, as suggested by

> Skyler and Tomas.

>

> • Create a post-merge hook rather than post-checkout, as

> suggested by Skyler.

>

> • Add German translation by Florian and French translation

> of the news entry.

> If we agree on the patch set, I’ll tag Guile-Git 0.7.0 and

> update it in Guix before applying these patches.