Community
Participate
Working Groups
Moving this discussion from mails to Bugzilla: I can't push to eclipse.platform.common any more: -------------------------------------------------------------------------- Repository ssh://mkeller@dev.eclipse.org/gitroot/platform/eclipse.platform.common.git hook declined error: git.eclipse.org does not know this committer, or this this committer cannot commit to this project (gid=8777 repo:eclipse.platform.common): mkeller. denied: You (mkeller) cannot push changes that were not committed by you or members of your project. Please fix your repository, and see http://wiki.eclipse.org/Git for information on configuring your Git environment. error: hook declined to update refs/heads/master -------------------------------------------------------------------------- Pushing to other repos (e.g. eclipse.jdt.ui) still works fine. I didn't change any settings recently and the configurations of the two repos look the same. Matt confirmed that > the issue is the script doesn't check for 'extended' access permissions. and added possible solutions: > we can either remove the hook script(allowing you and others to commit, with > the potential for IP oddness), or you can be elected to eclipse.platform. While I personally would not have problem with being elected to eclipse.platform, I don't think this should be the solution for all committers that should have access to the eclipse.platform.common repo. Can't you change the update hook to use "test -w <repoDir>" instead of asking LDAP?
> ), or you can be elected to eclipse.platform. This is not an option.
The purpose of the update hook is to ensure that all the commit entries are done by a committer on the project that owns the repo. I know the answer you're looking for is "fix the script" but I don't believe that investing hours of time and adding layers of complexity for this one corner case is efficient. My suggestion is to simply remove the hook from /gitroot/platform/eclipse.platform.common.git given its nature.
> Can't you change the update hook to use "test -w <repoDir>" instead of asking > LDAP? If the only purpose of the hook was testing if the person performing the push could write to the file system, we wouldn't need the hook, eh?
Denis, this used to work. I suspect this got broken by the changes made for bug 374248.
(In reply to comment #3) OK, so a setuid program would have to do something like "sudo -u <user> test -w <repoDir>" (but making sure that the variables cannot be abused to run code as root).
(In reply to comment #4) > Denis, this used to work. I suspect this got broken by the changes made for bug > 374248. I commented in bug 374248 that it probably wasn't the changes, per se, to the update hook that caused this, but instead that the update/commit hook happened to be added/replaced in all repos, even ones that previously did not have one (such as our "maps repo"). I don't know if any of you "old timers" :) would recall, but my guess is this "documentation repo" had also previously removed the commit (update) hook. So, before I forgot, wanted to mention if you want to do that for the documentation repo, any member of eclipse.platform group can remove the file /gitroot/platform/eclipse.platform.common.git/hooks/update (its owned by root ... don't ask me how it it works :) ... but, I think that it is directory owner or group that has ultimate control of the files in the directory ... so I heard laughingly when I foolishly asked Denis to type his root password on my computer at EclispeCon :) Just trying to help ... and wanted to write it down before I shutdown my computer and loose my notes :)
*** Bug 376318 has been marked as a duplicate of this bug. ***
(In reply to comment #6) > I don't know if any of you "old timers" :) would > recall, but my guess is this "documentation repo" had also previously removed > the commit (update) hook. What do you mean by "previously"? CVS?
(In reply to comment #8) > What do you mean by "previously"? CVS? No, the update hook was not applied to all the Git repos. There were 100 (or so) repos that did not have the hook. When I updated it for bug 374248 I proceeded to copy it to all the repos. In the case of this repo, the hook was likely never there. As per comment 2, I recommend we simply remove it from the repo as it was before.
(In reply to comment #8) > (In reply to comment #6) > > I don't know if any of you "old timers" :) would > > recall, but my guess is this "documentation repo" had also previously removed > > the commit (update) hook. > > What do you mean by "previously"? CVS? I mean"previously" like a few weeks or months ago, when the Eclipse Project started using Git.
(In reply to comment #10) > (In reply to comment #8) > > (In reply to comment #6) > > > I don't know if any of you "old timers" :) would > > > recall, but my guess is this "documentation repo" had also previously removed > > > the commit (update) hook. > > > > What do you mean by "previously"? CVS? > > I mean"previously" like a few weeks or months ago, when the Eclipse Project > started using Git. OK. The "old timers" comment distracted me here ;-). > As per comment 2, I recommend we simply remove it from the repo as it was > before. I think that's the best we can do for now. +1.
(In reply to comment #9) > As per comment 2, I recommend we simply remove it from the repo as it was > before. Done.
I'm facing the same problem today with eclipse.platform.news repo. I think the fix was done only for eclipse.platform.common. Please fix this for platform.news since N&N are due today. Thanks!
(In reply to comment #13) > I'm facing the same problem today with eclipse.platform.news repo. I think the > fix was done only for eclipse.platform.common. > > Please fix this for platform.news since N&N are due today. Thanks! Please try again now.
(In reply to comment #14) > Please try again now. It works now. Thanks Dani!
Just for the records: even without the update script, only committers that are part of one of the ACLs can actually push a change. The script only checks whether the committer field of a change holds a registered committer for that project. Since that check is done against the file's group instead of the ACLs, this fails for projects with > 1 ACL (this bug). The check is needed so that also commits which are e.g. taken (i.e. pushed) from Git Hub are correctly validated.
Outcome of this bug / reminder for everyone touching hook scripts on eclipse.org: Repos that use extended ACLs cannot use the current *.git/hooks/update script (eclipse.platform.common, eclipse.platform.news, eclipse.platform.releng.maps).
(In reply to Markus Keller from comment #17) > Outcome of this bug / reminder for everyone touching hook scripts on > eclipse.org: > > Repos that use extended ACLs cannot use the current *.git/hooks/update > script (eclipse.platform.common, eclipse.platform.news, > eclipse.platform.releng.maps). OTOH, *all* projects can use the hooks/pre-receive that prevents non-FF updates and branch deletions, etc. (bug 362363). I've added the missing /platform/eclipse.platform.news.git/hooks/pre-receive .
