W. Trevor King:
> On Sun, Sep 14, 2014 at 05:40:30PM +0200, Michał Górny wrote:
>> On 2014-09-15, at 03:15:14, Kent Fredric wrote:
>>> Only downside there is the way github pull reqs work is if the
>>> final SHA1's that hit tree don't match, the pull req doesn't
>>> close.
>>>
>>> Solutions:
>>>
>>> - A) Have somebody tasked with reaping old pull reqs with
>>> permissions granted. ( Uck )
>>> - B) Always use a merge of some kind to mark the pull req as dead
>>> ( for instance, an "ours" merge to mark the branch as deprecated )
>>>
>>> Both of those options are kinda ugly.
>>
>> If you merge a pull request, I suggest doing a proper 'git merge -S'
>> anyway to get a developer signature on top of all the changes.
>
> Some previous package-tree-in-Git efforts suggested that only
> Gentoo-dev signatures were acceptable, and that those signatures would
> be required on every commit (not just the first-parent line) [1,2]. I
> don't see the point of that, so long as Gentoo devs are signing the
> first-parent line, but if folks still want Gentoo-dev signatures on
> every commit the ‘git merge -S’ approach will not work for closing
> PRs.
>
> Cheers,
> Trevor
>
> [1]: http://article.gmane.org/gmane.linux.gentoo.devel/77572
> id:CAGfcS_maNfikeVTj3cmcQ1OF-uQAVEbE2r1oKykYGwC5VOmvfw@××××××××××.com
> [2]: https://bugs.gentoo.org/show_bug.cgi?id=502060#c0
>

Yes, there is a possible attack vector mentioned in this comment
https://bugs.gentoo.org/show_bug.cgi?id=502060#c16

So we'd basically end up using either "git cherry-pick" or "git am" for
"pulling" user stuff, so that we also sign the blobs.

Regular merges would still be possible for developer pull requests, but
that's probably not the primary use case anyway.
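One way to enforce the "signature on every commit, not just the first-parent line" rule discussed above, added here as an example and not code from the thread: a Python check that reads git's per-commit signature status (the real `%G?` log placeholder) and lists every commit without a good signature. The sample log is constructed; it models a contributor branch merged with `git merge -S`, where only the merge commit is signed, which a `--first-parent` walk would never notice.

```python
import subprocess
from typing import List, Tuple

# Meaning of git's %G? signature-status codes; policy accepts only "G".
SIG_STATUS = {
    "G": "good signature",
    "U": "good signature, untrusted key",
    "X": "good signature, expired",
    "Y": "good signature, expired key",
    "R": "good signature, revoked key",
    "B": "bad signature",
    "E": "cannot check (missing key or gpg error)",
    "N": "no signature",
}


def git_log_status(rev_range: str, first_parent_only: bool = False) -> str:
    """Ask git for one '<sha> <status> <parents...>' line per commit.

    first_parent_only=True walks just the mainline, which is all that a
    'sign the merge commit' policy ever verifies.
    """
    cmd = ["git", "log", "--format=%H %G? %P"]
    if first_parent_only:
        cmd.append("--first-parent")
    cmd.append(rev_range)
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


def unsigned_commits(log_output: str, accept=("G",)) -> List[Tuple[str, str]]:
    """Return (sha, reason) for each commit whose status is not accepted."""
    failures = []
    for line in log_output.splitlines():
        fields = line.split()
        if not fields:
            continue
        sha, status = fields[0], fields[1]
        if status not in accept:
            failures.append((sha, SIG_STATUS.get(status, "unknown status " + status)))
    return failures


# Constructed sample (fake shas): a two-commit contributor branch merged with
# 'git merge -S'. Only the merge commit and the old mainline commit are signed.
MERGE, BASE, PR1, PR2 = ("a" * 40, "b" * 40, "c" * 40, "d" * 40)
SAMPLE_ALL = "\n".join([
    f"{MERGE} G {BASE} {PR2}",  # signed merge commit, two parents
    f"{PR2} N {PR1}",           # contributor commit, unsigned
    f"{PR1} N {BASE}",          # contributor commit, unsigned
    f"{BASE} G",                # earlier signed mainline commit
])
# What a --first-parent walk of the same history reports: nothing unsigned.
SAMPLE_FIRST_PARENT = "\n".join([f"{MERGE} G {BASE} {PR2}", f"{BASE} G"])
```

Run `unsigned_commits(git_log_status("origin/master..HEAD"))` in a pre-receive or CI step and reject the push when the list is non-empty.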