Date: Fri, 15 Jul 2016 18:03:30 +0000
From: "Robin H. Johnson"
To: gentoo-dev@lists.gentoo.org
Cc: gentoo-dev-announce@lists.gentoo.org
Subject: [gentoo-dev] Signed push & clock drift rejection

Hi all,

In tracing down problems with the git->rsync path, it has been noticed
that some developers have significant clock drift on their local systems
(up to one case of 14 days wrong), and it's potentially contributing to
problems in generating the rsync tree.

I have implemented a check as part of the hook that validates Git push
certificates (require-signed-push). It looks for clock drift or an
overly long push, and aborts if needed.

The tolerances are presently set to:
- 5 seconds of clock drift.
- 'git push' must be completed in 60 seconds.

The two possible errors you will get during push are:
===
Your system clock is off by 119 seconds (limit 5).
Run NTP, rebase your commits as needed, and push again.
===
Try again! Your push took 80 seconds (limit 60).
===

If you do get the first error, please strongly look at running ntpd,
tlsdate or some other time keeping solution.

This applies to all Git repos that require signed pushes presently:
- data/*
- foundation/*
- infra/*
- proj/portage
- repo/gentoo
- repo/proj/gen-b0rk
(and a few more)

-- 
Robin Hugh Johnson
Gentoo Linux: Dev, Infra Lead, Foundation Trustee & Treasurer
E-Mail   : robbat2@gentoo.org
GnuPG FP : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85
GnuPG FP : 7D0B3CEB E9B85B1F 825BCECF EE05E6F6 A48F6136
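
The following sketch is an added example, not the Gentoo hook and not code from the message above; it shows one way a server-side hook could apply the two tolerances the announcement describes. Assumptions: the certificate's signature and nonce status have already been verified, the server nonce has git's "<unix-time>-<hmac>" layout so its leading number is the server's clock at the start of the push, drift is measured as the gap between that and the "pusher" timestamp, and the names check_push, parse_cert and SAMPLE_CERT are hypothetical.

```python
import re

DRIFT_LIMIT = 5   # seconds of clock drift, tolerance from the announcement
PUSH_LIMIT = 60   # seconds for the whole push, tolerance from the announcement

# Constructed sample push-certificate header; every value here is made up.
SAMPLE_CERT = """\
certificate version 0.1
pusher Example Dev <dev@example.org> 1468605929 +0000
pushee git+ssh://git.example.org/repo/example.git
nonce 1468605810-0123456789abcdef0123456789abcdef01234567

"""

PUSHER_RE = re.compile(r"^pusher .+ (\d+) [+-]\d{4}$")
NONCE_RE = re.compile(r"^nonce (\d+)-[0-9a-f]+$")


def parse_cert(cert_text):
    """Return (pusher_time, nonce_time) taken from the certificate header."""
    pusher_time = nonce_time = None
    for line in cert_text.splitlines():
        if not line:  # a blank line ends the header; ref updates follow it
            break
        m = PUSHER_RE.match(line)
        if m:
            pusher_time = int(m.group(1))  # client clock when the cert was signed
        m = NONCE_RE.match(line)
        if m:
            nonce_time = int(m.group(1))   # server clock when the push started
    if pusher_time is None or nonce_time is None:
        raise ValueError("push certificate lacks a pusher or nonce timestamp")
    return pusher_time, nonce_time


def check_push(cert_text, now):
    """Return None to accept the push, or the rejection text for the pusher."""
    pusher_time, nonce_time = parse_cert(cert_text)
    drift = abs(pusher_time - nonce_time)
    if drift > DRIFT_LIMIT:
        return ("Your system clock is off by %d seconds (limit %d).\n"
                "Run NTP, rebase your commits as needed, and push again."
                % (drift, DRIFT_LIMIT))
    elapsed = now - nonce_time  # 'now' is the server clock when the hook runs
    if elapsed > PUSH_LIMIT:
        return "Try again! Your push took %d seconds (limit %d)." % (elapsed, PUSH_LIMIT)
    return None
```

Both comparisons use the server's own clock as the reference, so a rejected developer only has to fix local time and re-sign; nothing in the check trusts the client-supplied timestamp.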