From 13beb3a02e5c59eb8c2c481f79535fb4469392d3 Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Fri, 18 May 2018 10:31:18 -0400 Subject: modernized and simplified the MetaTypes implementation now that compatability with ghc 7 is no longer needed. Data.Type.Bool contains effectively the same stuff that was implemented here, so removed my code. Tried to use Data.Type.Equality instead of my EqT, but it seems to be some other type of (type level) equality, and didn't compile. Instead went with the simpler EqT implementation that newer ghc versions allow. The rest of the changes are simply better syntax for defining type families. And upon using that syntax, ghc noticed that `type family a + b` does not have kind "ab" like I wrote before, but is kind *. Tested on debian stable with ghc 8.0.1. This commit was sponsored by John Pellman on Patreon. --- debian/changelog | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'debian') diff --git a/debian/changelog b/debian/changelog index ae97e9db..bf4df720 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +propellor (5.4.1) UNRELEASED; urgency=medium + + * Modernized and simplified the MetaTypes implementation now that + compatability with ghc 7 is no longer needed. + + -- Joey Hess Fri, 18 May 2018 10:25:05 -0400 + propellor (5.4.0) unstable; urgency=medium [ Sean Whitton ] -- cgit v1.2.3 From f35f487831872bf4254b2712f2f49abbb03318e1 Mon Sep 17 00:00:00 2001 
From: Joey Hess Date: Fri, 18 May 2018 11:26:10 -0400 Subject: use git verify-commit Use git verify-commit to verify gpg signatures, rather than the old method of parsing git log output. These two methods should always have the same result. Note that git verify-commit allows signatures with unknown validity, the same as git log's "U" output which was accepted. So any key in the gpg keyring is allowed to sign the commit. Propellor provides gpg with a keyring containing only the allowed keys. Needs git 2.0, which is in even debian oldstable. This commit was sponsored by Ewen McNeill on Patreon. --- debian/changelog | 2 ++ debian/control | 4 ++-- src/Propellor/Git/VerifiedBranch.hs | 9 ++++----- 3 files changed, 8 insertions(+), 7 deletions(-) (limited to 'debian') diff --git a/debian/changelog b/debian/changelog index bf4df720..c4707e71 100644 --- a/debian/changelog +++ b/debian/changelog @@ -2,6 +2,8 @@ propellor (5.4.1) UNRELEASED; urgency=medium * Modernized and simplified the MetaTypes implementation now that compatability with ghc 7 is no longer needed. + * Use git verify-commit to verify gpg signatures, rather than the old + method of parsing git log output. Needs git 2.0. -- Joey Hess Fri, 18 May 2018 10:25:05 -0400 diff --git a/debian/control b/debian/control index 5a041c90..0a8701a0 100644 --- a/debian/control +++ b/debian/control @@ -3,7 +3,7 @@ Section: admin Priority: optional Build-Depends: debhelper (>= 9), - git, + git (>= 2.0), ghc (>= 7.6), cabal-install, libghc-async-dev, @@ -43,7 +43,7 @@ Depends: ${misc:Depends}, ${shlibs:Depends}, libghc-stm-dev, libghc-text-dev, libghc-hashable-dev, - git, + git (>= 2.0), Description: property-based host configuration management in haskell Propellor ensures that the system it's run in satisfies a list of properties, taking action as necessary when a property is not yet met. diff --git a/src/Propellor/Git/VerifiedBranch.hs b/src/Propellor/Git/VerifiedBranch.hs index df607bd2..e56379f4 100644 
--- a/src/Propellor/Git/VerifiedBranch.hs +++ b/src/Propellor/Git/VerifiedBranch.hs @@ -6,9 +6,8 @@ import Propellor.PrivData.Paths import Utility.FileMode {- To verify origin branch commit's signature, have to convince gpg - - to use our keyring. - - While running git log. Which has no way to pass options to gpg. - - Argh! + - to use our keyring while running git verify-tag. + - Which has no way to pass options to gpg. Argh! -} verifyOriginBranch :: String -> IO Bool verifyOriginBranch originbranch = do @@ -20,12 +19,12 @@ verifyOriginBranch originbranch = do ] -- gpg is picky about perms modifyFileMode privDataDir (removeModes otherGroupModes) - s <- readProcessEnv "git" ["log", "-n", "1", "--format=%G?", originbranch] + verified <- boolSystemEnv "git" ["verify-commit", originbranch] (Just [("GNUPGHOME", privDataDir)]) nukeFile $ privDataDir "trustdb.gpg" nukeFile $ privDataDir "pubring.gpg" nukeFile $ privDataDir "gpg.conf" - return (s == "U\n" || s == "G\n") + return verified -- Returns True if HEAD is changed by fetching and merging from origin. fetchOrigin :: IO Bool -- cgit v1.2.3
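Review bot: The rewritten header comment in the first hunk says the keyring is needed while running "git verify-tag", but the call added in the second hunk is `boolSystemEnv "git" ["verify-commit", originbranch]`; the comment should read `to use our keyring while running git verify-commit.` so that nobody concludes tags are what is being checked. Because the trust decision is now just the exit status, it is also worth recording next to the call what the commit message explains: `-- verify-commit also accepts signatures of unknown validity; that is only safe because GNUPGHOME points at a keyring holding just the allowed keys`. The `originbranch` value is passed as a bare positional argument, as it was in the old `git log` call, so presumably callers only pass a fixed ref name; this should be confirmed, since a value beginning with `-` would be parsed by git as an option. The body of verifyOriginBranch starts before the second hunk, and the lines between the two hunks are not shown.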