Version not updating

[buhl]

Building from second latest commit

$ notion --version
3-2019050101-653-gc8805693+20200330-0130
$

Looking into this, either this line needs a --tags argument on the git describe command or this line needs an --annotate argument on the git tag command.

I can make a pull request, but I might have overlooked something so I would like to hear what solution the project prefers, since it might affect the use of git-tags in the project.

[raboof]

Thanks for noticing! I don't have any preference, what would be your recommendation?

[buhl]

So after asking me for a recommendation I thought I better look into what the internet thought :) I learned that annotated or signed tags are preferred because they come with come with information about who made the tag. I also learned that in that sense there is no difference between annotated vs signed tags which also means what is in place right now, is working. The "problem" is that the 4.0.0 tag is not signed.

$  git show-ref --tags -d
47261a872f8638b12651f31da6c738b8639d97b1 refs/tags/3-2011102900
91414f3a55bad7929562d3c3486c39e82b6418d2 refs/tags/3-2012042300
19c0bba27e1b5872d7b1bb2cca9384ecf409ea41 refs/tags/3-2013030200
19c0bba27e1b5872d7b1bb2cca9384ecf409ea41 refs/tags/3-2013030201
19c0bba27e1b5872d7b1bb2cca9384ecf409ea41 refs/tags/3-2013030202
6a098aa70341b588ad4b870f590def1338adef60 refs/tags/3-2014010400
6a098aa70341b588ad4b870f590def1338adef60 refs/tags/3-2014010401
6a098aa70341b588ad4b870f590def1338adef60 refs/tags/3-2014010402
7ef817935759b1435644b66af735a2444c2d0e93 refs/tags/3-2014010500
8440b6029e87656efc453b134d2225b3d0c7b871 refs/tags/3-2014010501
f840ba9cf44e4fb9606fda7f33a3a9a3f33312de refs/tags/3-2014010502
4f86207131e4f9c695a7ce28efddd1c43cbb9ed2 refs/tags/3-2014010503
17b6418698d711dc2106b4c260296120176ad01c refs/tags/3-2014010504
1777670636da449e1ce6d71693da9622c38be5d4 refs/tags/3-2014010505
d71f2c9d3e92ff52376359bd5a1d624d53c530e5 refs/tags/3-2014010900
c0a1d2c2b51c4ced8048b727cda6d004d7a67172 refs/tags/3-2014010901
7f44535693986369a6c634e0cef477649aa48a08 refs/tags/3-2014010901^{}
be232a34330577ddb027a7b4f1c1c29d567d0782 refs/tags/3-2014052800
f73b624d10c28db3c66232a51983ed7f830a9d06 refs/tags/3-2014052800^{}
3f182cf846c35521590d0defc9b3294fb8bde9d9 refs/tags/3-2015061300
4adccb561c84e9d895e4e624289de2b1d1f79a5a refs/tags/3-2015061300^{}
680152ea9e029e317a2ffee6f8d0cf3e1e35ebe7 refs/tags/3-2017050500
868302b6bcde438ab2e853b6978e3286619a76a5 refs/tags/3-2017050500^{}
a3f0c294ec59026f407c1a37491a2f3268bb77db refs/tags/3-2017050501
e12377e03a7d7bc4cdd4306fe6f343dfba9b271f refs/tags/3-2017050501^{}
269e2ea3df9bcb4190f13bdbec873a8bb240a878 refs/tags/3-2019050100
a0266d3bfab69800a3892432bdfe9a3e77f2ed01 refs/tags/3-2019050100^{}
c3a589a08a6a816984bfb29f3219141b0abb06a2 refs/tags/3-2019050101
435631f5cc635e0dcc90f2945cdd93ef7afeab7d refs/tags/3-2019050101^{}
5efdade4d8808eab8611ae2042c40a99828de924 refs/tags/4.0.0

Unsigned tag

git show 4.0.0
commit 5efdade4d8808eab8611ae2042c40a99828de924 (tag: 4.0.0)
Author: Arnout Engelen <arnout@bzzt.net>
Date:   Fri Mar 6 11:32:52 2020 +0100

    Load jquery over https

diff --git a/ioncore/ioncore_misc.lua b/ioncore/ioncore_misc.lua
index 844894db..da7a26f1 100644
--- a/ioncore/ioncore_misc.lua
+++ b/ioncore/ioncore_misc.lua
@@ -216,7 +216,7 @@ td
   width: 4px
 }
 </style>
-  <script type="text/javascript" src="http://ajax.googleapis.com/ajax/libs/jquery/1.3.2/jquery.min.js"></script>
+  <script type="text/javascript" src="https://ajax.googleapis.com/ajax/libs/jquery/1.3.2/jquery.min.js"></script>
 <script>
 $().ready(function(){
   $('.shortcut').mouseenter(function() {

Signed tag

 $ git show 3-2019050101
tag 3-2019050101
Tagger: Arnout Engelen <arnout@bzzt.net>
Date:   Wed May 1 08:09:48 2019 +0200

Release 3-2019050101
-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEEAHU2zK2YSt+EXmj9u4wPhUoeIQUFAlzJOCwACgkQu4wPhUoe
IQUxxBAAxh1CNREujLae4HGajBe60HNNFszVCGuX/qBnaRqzy3Ryas4xzUb6ScwB
xAB9jNQAP7di5TeOYRwMTHkZHa92gnWoUvEePdxZB6zZHEiS+gURB307DkW5EBH6
zr6pZ5NpS20lO//2VhwSBIjS18BzdDZl+gWWQppyZ6AtHn/PHjQgN+ja8r73Lav4
H/uxDakMqS0eKTC7TosB2gTMRMUCJyNjBgaYW46Nnwo18H1Z5nMYKKW6b5h7jggc
rYyDNJTdgzfdZXGCVmA2EnEVzStlEzlcR3OTgxBEuy6iEuMAUjbFODyuunJIyvbq
9aF8ugnrjxg/4MKYUcwtpMSz56cZ79GcxUA8QBTUMLzpdEBdsgNm2kVnVGLvi0L4
xkwwgmTeZM5C+uwPkCzDbb4BJxleu+2K++nNpYUDm8UxIQjR+dVapVc3HIDyMzVM
PEPNEokTd12DiFGP50IgYwA0NDPZ34DxAbK40ZT8h955bFRUr9zKHfxsiOOfrX2G
AusPmCKCSaYKSIVaXRcYwJkFsUusZ0vheHoS2kshWq6pfW2o/RsVk9Qs7gjOeacN
RXJUoihLODVGr1bja2AgdQplH76C47m+geL5vKATqTEgXNMf6jHwukhWmB+lGl/i
wTT9psK5J9iHKtrtWlnghOluEn/nNZUpyj7wcWSUV/a+PRapDXQ=
=zCnz
-----END PGP SIGNATURE-----

commit 435631f5cc635e0dcc90f2945cdd93ef7afeab7d (tag: 3-2019050101)
Merge: 744d6986 a0266d3b
Author: Arnout Engelen <arnout@bzzt.net>
Date:   Wed May 1 08:05:10 2019 +0200

    Merge pull request #81 from raboof/determineVersionFromLastTaggedCommit

    Determine version based on git tag (or pwd)

I am guessing that since the nextversion.sh is not working with major version bumps the version bump was made "by hand" and missed the signing?

So my suggestion is that we fix the nextversion.sh script so that it prepend 4- to the version. Unless the project has now moved to semantic versioning? As for signing the release tag here is someone talking about that: https://stackoverflow.com/questions/25347534/can-i-sign-a-git-tag-after-it-was-created

[buhl]

FWIW I like the - versioning

[wilhelmy]

I suppose I should generally start signing commits for authenticity reasons. Once you have a gpg key, it's relatively little effort, at least if you use gpg-agent or a yubikey, or remove the passphrase from your key (not best practice but for the code signing key it's probably fine).

Apparently it's only a matter of git config --global commit.gpgsign true (with the obvious local overrides) and telling gpg which key to use in case you have more than one (See https://help.github.com/en/github/authenticating-to-github/signing-commits).

[raboof]

I am guessing that since the nextversion.sh is not working with major version bumps (...) So my suggestion is that we fix the nextversion.sh script so that it prepend 4- to the version.

Ha, indeed it looks like that needs updating

the version bump was made "by hand" and missed the signing?

The version was tagged from the GitHub UI, which is convenient because that way you can attach the release notes in the same action.

It's a shame github doesn't automatically generate signed tags when tagging releases from the UI - it already creates signed commits when merging/squashing through the UI, after all.

I think signing the tags makes sense, I'll look into replacing the 4.0.0 tag with a signed one.

Unless the project has now moved to semantic versioning?

We decided to go for 4.x.y versions in #121

I suppose I should generally start signing commits for authenticity reasons. Once you have a gpg key, it's relatively little effort, at least if you use gpg-agent or a yubikey

Yeah, I used a yubikey with its 'touch to sign' feature, I quite liked it but the key on it expired so I have to reset it. I'll try to remember to 'merge' instead of 'squash and merge' your commits to keep the signature intact ;)

[buhl]

Should I do anything?

[raboof]

If you can fix the nextversion.sh script that'd be nice!

[raboof]

(replaced the tag with a signed one)

[buhl]

great I will work on the nextversion.sh script and make a pull request.

[buhl]

To get the new signed tag do git fetch --all --tags -f

[knixeur]

Maybe a lightweight tag was created instead of an annotated one

[raboof]

273 is now merged, but we should probably keep this issue open until we add a RELEASING.md documenting how to properly release notion (with a signed, annotated tag)

[buhl]

I think requirements for closing this issue are now met?

[raboof]

thanks, I forgot about this one! I agree #308 closes this