Hi,

I am receiving this message when I try to push my changes to gerrit:

ssh://fmadej@git.eclipse.org:29418/orion/org.eclipse.orion.server: push not permitted

Just two days ago I was able to make a push without any problem, and since yesterday I receive that error.

Ref Mappings: HEAD:refs/for/master

I think something is broken with your repository, as the Gerrit server is throwing this error:

ERROR com.google.gerrit.server.util.MagicBranch : Repository 'orion/org.eclipse.orion.server' needs the following refs removed to receive changes: [master]

Looks like there's a reference in there called refs/for/master. This was most likely caused by pushing directly to Git instead of Gerrit.

I've cleared that bad ref away (see bug 377415 comment 4), and I've removed direct write access to the Git repo.

*** Bug 462092 has been marked as a duplicate of this bug. ***
Has anyone tried to push anything since? I don't see any orion-specific errors in my logs after 10:50 local time.
(In reply to Denis Roy from comment #3)
> Has anyone tried to push anything since? I don't see any orion-specific
> errors in my logs after 10:50 local time.

Hi Denis,

Filip is not an Orion committer, he is supposed to be pushing to Gerrit.

Most of the other committers do not use Gerrit and push to git directly, so I think removing direct write access to the Git repo breaks everyone else?

I pushed one second ago, it does not work.

> Most of the other committers do not use Gerrit and push to git directly, so
> I think removing direct write access to the Git repo breaks everyone else?

You can push directly to refs/heads/master using the Gerrit URLs. That will not trigger a code review and is what we call a direct push.

If you bypass the Gerrit URL altogether and push to pure Git, a committer can mistakenly push to refs/for/* which will be accepted. Except it will totally break everyone on Gerrit as Gerrit uses the refs/for namespace for code review.

We don't enable pure Git on repos anymore, since Gerrit gives you code review and bypass code review.

> I pushed one second ago, it does not work.

Can you try pushing using the Gerrit URL (ssh://ahunter@git.eclipse.org:29418/orion/org.eclipse.orion.server) ?

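The failure mode described in the comment above (a real ref created under refs/for/ by pushing to plain Git) can also be blocked or detected on the repository itself. This is an added example, not part of the original bug report or Eclipse's server configuration: a pre-receive check and a stray-ref scanner. The function names and sample SHAs are made up for illustration.

```shell
#!/bin/sh
# Added example: guard for a bare repository that is also served by Gerrit.
# Gerrit reserves refs/for/* for code review; a real ref stored there
# (e.g. refs/for/master) makes Gerrit refuse changes for that branch.

# is_magic_ref REF: succeeds if REF lies in the reserved refs/for/ namespace.
is_magic_ref() {
    case "$1" in
        refs/for/*) return 0 ;;
        *)          return 1 ;;
    esac
}

# check_push: pre-receive logic. Reads "<old-sha> <new-sha> <ref>" lines on
# stdin (the format git feeds a pre-receive hook) and returns 1 if any update
# would create or move a ref under refs/for/.
# In hooks/pre-receive, call it as:  check_push || exit 1
check_push() {
    rc=0
    while read -r _old new ref; do
        # An all-zero new sha is a deletion; allow it so cleanup still works.
        case "$new" in *[!0]*) ;; *) continue ;; esac
        if is_magic_ref "$ref"; then
            echo "rejected: $ref is reserved for Gerrit code review" >&2
            rc=1
        fi
    done
    return $rc
}

# stray_magic_refs: reads ref names, one per line (for example the output of
# git for-each-ref --format='%(refname)'), and prints the ones that have to
# be removed before Gerrit will accept changes again.
stray_magic_refs() {
    while read -r ref; do
        if is_magic_ref "$ref"; then echo "$ref"; fi
    done
}

# Constructed sample input (not taken from the bug report).
ZERO=0000000000000000000000000000000000000000
SHA=1111111111111111111111111111111111111111
printf '%s %s refs/heads/master\n' "$ZERO" "$SHA" | check_push \
    && echo "direct push to refs/heads/master: allowed"
printf '%s %s refs/for/master\n' "$ZERO" "$SHA" | check_push \
    || echo "push creating refs/for/master: blocked"
```
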
(In reply to Denis Roy from comment #5)
> Can you try pushing using the Gerrit URL
> (ssh://ahunter@git.eclipse.org:29418/orion/org.eclipse.orion.server) ?

% git clone ssh://ahunter@git.eclipse.org:29418/orion/org.eclipse.orion.server
Cloning into 'org.eclipse.orion.server'...
Permission denied (publickey).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

I do not think I have the right URL?

Have you uploaded your public key to Gerrit? Gerrit's SSH daemon is separate from Eclipse.org's: https://git.eclipse.org/r/#/settings/ssh-keys
Your repo should be all good now:

$ git clone ssh://droy@git.eclipse.org:29418/orion/org.eclipse.orion.server
Cloning into 'org.eclipse.orion.server'...
remote: Counting objects: 3046, done
remote: Finding sources: 100% (101/101)
remote: Total 65686 (delta 1), reused 65618 (delta 1)
Receiving objects: 100% (65686/65686), 30.02 MiB | 2.38 MiB/s, done.
$ cd org.eclipse.orion.server/
$ git add README.md
$ git commit -s
[master 0b784f7] Test push to
 1 file changed, 1 insertion(+)
$ git push origin HEAD:refs/for/master
Counting objects: 14, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (3/3), done.
Writing objects: 100% (3/3), 311 bytes | 0 bytes/s, done.
Total 3 (delta 2), reused 0 (delta 0)
remote: Resolving deltas: 100% (2/2)
remote: Processing changes: new: 1, refs: 1, done
remote: ----------
remote: Reviewing commit: 0b784f7b
remote: Authored by: Denis Roy <denis.roy@eclipse.org>
remote:
remote: The author is not a committer on the project.
remote: The author has a current Contributor License Agreement (CLA) on file.
remote: The author has "signed-off" on the contribution.
remote:
remote: This commit passes Eclipse validation.
remote:
remote: New Changes:
remote: https://git.eclipse.org/r/43823
remote:
To ssh://droy@git.eclipse.org:29418/orion/org.eclipse.orion.server
 * [new branch] HEAD -> refs/for/master

(In reply to Denis Roy from comment #7)
> Have you uploaded your public key to Gerrit? Gerrit's SSH daemon is
> separate from Eclipse.org's:
>
> https://git.eclipse.org/r/#/settings/ssh-keys

Once I did that I could clone the repo.

Works now.

% git push
Counting objects: 14, done.
Delta compression using up to 8 threads.
Compressing objects: 100% (8/8), done.
Writing objects: 100% (14/14), 897 bytes | 0 bytes/s, done.
Total 14 (delta 7), reused 0 (delta 0)
remote: Resolving deltas: 100% (7/7)
remote: Processing changes: refs: 1, done
remote: ----------
remote: Reviewing commit: 08c16868
remote: Authored by: Anthony Hunter <anthonyh@ca.ibm.com>
remote:
remote: The author is a committer on the project.
remote:
remote: This commit passes Eclipse validation.
To ssh://ahunter@git.eclipse.org:29418/orion/org.eclipse.orion.server
 2e703cc..08c1686 master -> master

Should I let the project know or are you going to do a global announcement? Not sure if the disabling of pure Git on repos change is going to be announced somewhere.

> Should I let the project know or are you going to do a global announcement?

I'll do a global announcement eventually, but not in the near future. Please discuss with your project.

Thanks for being open to this change. By only using Gerrit URLs committers can easily decide when to push direct (master -> refs/heads/master) or when to request code review (master -> refs/for/master).

(In reply to Denis Roy from comment #11)
> > Should I let the project know or are you going to do a global announcement?
>
> I'll do a global announcement eventually, but not in the near future.
> Please discuss with your project.
>
> Thanks for being open to this change. By only using Gerrit URLs committers
> can easily decide when to push direct (master -> refs/heads/master) or when
> to request code review (master -> refs/for/master).

So this means the project can revert this change so things can work as they did before?

You can if you'd like.
1.) Most Orion committers are doing direct push to the remote.

2.) Unless I am mistaken, Gerrit does not allow password authentication, which I know some committers are using. You have to set up your SSH keys within Gerrit before you can push.

3.) The workflow for pushing topic branches to Gerrit is awkward. Gerrit does not seem to allow creation of new branches during a push. So if you just do:

$ git push gerrit refs/for/newBranch

.. you will get "pre-receive hook declined". You must create "newBranch" in the project's Gerrit web UI [1] first.

In truth, I was not able to get this working at all. Even after fetching, I still can't push to refs/heads/newBranch:

> $ git config branch.newBranch.merge
> refs/heads/newBranch
> $ git push
> remote: error: insufficient permission for adding an object to repository database objects
> remote: fatal: failed to write object
> error: unpack failed: unpack-objects abnormal exit
> To ssh://mmacdonald@dev.eclipse.org/gitroot/orion/org.eclipse.orion.client.git
> ! [remote rejected] newBranch -> newBranch (unpacker error)
> error: failed to push some refs to 'ssh://mmacdonald@dev.eclipse.org/gitroot/orion/org.eclipse.orion.client.git'

So.. I think we should undo this config change. I just can't see any advantage in using Gerrit for day-to-day work by committers that doesn't involve code review.

[1] https://git.eclipse.org/r/#/admin/projects/orion/org.eclipse.orion.client,branches

(In reply to Mark Macdonald from comment #14)
> Even after fetching, I still can't push to refs/heads/newBranch:

Disregard point (3), it was my mistake (my push URL was incorrect). I can push new branches to Gerrit fine. I just can't delete them when they're no longer needed.

> 1.) Most Orion committers are doing direct push to the remote.

Gerrit does not prohibit this. Using Gerrit URLs, if you push to refs/for/master you'll trigger a review. If you push to refs/heads/master it goes to master without review.

> 2.) Unless I am mistaken, Gerrit does not allow password authentication,
> which I know some committers are using. You have to set up your SSH keys
> within Gerrit before you can push.

Gerrit does not support SSH passwords, but it does support password authentication using https using a password that is generated by Gerrit. Please see: https://git.eclipse.org/r/#/settings/http-password

> 3.) The workflow for pushing topic branches to Gerrit is awkward.

Actually, we can configure gerrit to allow topic/feature branches using this refspec:

refs/heads/${username}/*

We can grant force push and delete options in that namespace only to allow you full control to delete feature branches. Platform manage their feature branches this way.

(In reply to Denis Roy from comment #13)
> You can if you'd like.

Could you confirm that org.eclipse.orion.server and org.eclipse.orion.client have the similar access pattern as https://git.eclipse.org/r/#/admin/projects/platform/eclipse.platform.ui,access ?

They both say they inherit access permissions from orion-parent, but I can't see that.

PW

(In reply to Paul Webster from comment #17)
> They both say they inherit access permissions from orion-parent, but I can't
> see that.
>
> PW

Same here: I tried force pushing & deleting branches named like "refs/heads/mmacdonald/*" but got rejected:

> $ git push -f
> ....
> remote: This commit passes Eclipse validation.
> To ssh://mmacdonald@git.eclipse.org:29418/orion/org.eclipse.orion.client.git
> ! [remote rejected] htmlcontentas -> mmacdonald/htmlcontentas (non-fast forward)
> error: failed to push some refs to 'ssh://mmacdonald@git.eclipse.org:29418/orion/org.eclipse.orion.client.git'

Created attachment 251616
Screenshot

Paul, this is orion/orion-parent.

Denis, can you grant Paul, John Arthorne, and myself permission to modify the 'orion-parent' project? We need to set up the ref pattern there, but none of us can access it right now.
I've added the eclipse.orion group to the list of owners... that should allow you to do your setup. Let me know when you're done so I can remove it.
I added refs for
refs/heads/${username}/*
refs/tags/${username}/*

@Paul can you give this a sanity check? I'm not sure what to do with the "refs/*" ref (it's the only remaining difference between orion-parent and platform UI).

(In reply to Denis Roy from comment #21)
> I've added the eclipse.orion group to the list of owners... that should
> allow you to do your setup. Let me know when you're done so I can remove it.

Thanks Denis. We're done now.

(In reply to Mark Macdonald from comment #22)
> I added refs for
> refs/heads/${username}/*
> refs/tags/${username}/*

They look good, with the exception of the Push Merge Commit. If we want to have it at all, it should be under refs/for/refs/heads/.... Although I'm fine with not having that enabled, and if we really do need to merge in a feature branch (we rebase our commits for our normal workflow) we would enable it as a one-off.

https://review.typo3.org/Documentation/access-control.html#category_push_merge

>
> @Paul can you give this a sanity check? I'm not sure what to do with the
> "refs/*" ref (it's the only remaining difference between orion-parent and
> platform UI).

That's OK, we don't need to worry about that.

PW

I've removed the Orion group from the Owners. Is there anything left to do?
Fixed it is! Please reopen if you need anything else.