| 1 |
W. Trevor King: |
| 2 |
> On Sun, Sep 14, 2014 at 05:40:30PM +0200, Michał Górny wrote: |
| 3 |
>> Dnia 2014-09-15, o godz. 03:15:14 Kent Fredric napisał(a): |
| 4 |
>>> Only downside there is the way github pull reqs work is if the |
| 5 |
>>> final SHA1's that hit tree don't match, the pull req doesn't |
| 6 |
>>> close. |
| 7 |
>>> |
| 8 |
>>> Solutions: |
| 9 |
>>> |
| 10 |
>>> - A) Have somebody tasked with reaping old pull reqs with |
| 11 |
>>> permissions granted. ( Uck ) |
| 12 |
>>> - B) Always use a merge of some kind to mark the pull req as dead |
| 13 |
>>> ( for instance, an "ours" merge to mark the branch as deprecated ) |
| 14 |
>>> |
| 15 |
>>> Both of those options are kinda ugly. |
| 16 |
>> |
| 17 |
>> If you merge a pull request, I suggest doing a proper 'git merge -S' |
| 18 |
>> anyway to get a developer signature on top of all the changes. |
| 19 |
> |
| 20 |
> Some previous package-tree-in-Git efforts suggested that only |
| 21 |
> Gentoo-dev signatures were acceptable, and that those signatures would |
| 22 |
> be required on every commit (not just the first-parent line) [1,2]. I |
| 23 |
> don't see the point of that, so long as Gentoo devs are signing the |
| 24 |
> first-parent line, but if folks still want Gentoo-dev signatures on |
| 25 |
> every commit the ‘git merge -S’ approach will not work for closing |
| 26 |
> PRs. |
| 27 |
> |
| 28 |
> Cheers, |
| 29 |
> Trevor |
| 30 |
> |
| 31 |
> [1]: http://article.gmane.org/gmane.linux.gentoo.devel/77572 |
| 32 |
> id:CAGfcS_maNfikeVTj3cmcQ1OF-uQAVEbE2r1oKykYGwC5VOmvfw@××××××××××.com |
| 33 |
> [2]: https://bugs.gentoo.org/show_bug.cgi?id=502060#c0 |
| 34 |
> |
| 35 |
|
| 36 |
Yes, there is a possible attack vector mentioned in this comment |
| 37 |
https://bugs.gentoo.org/show_bug.cgi?id=502060#c16 |
| 38 |
|
| 39 |
So we'd basically end up using either "git cherry-pick" or "git am" for |
| 40 |
"pulling" user stuff, so that we also sign the blobs. |
| 41 |
|
| 42 |
Regular merges would still be possible for developer pull requests, but |
| 43 |
that's probably not the primary use case anyway. |
Archives