On 2019/01/07 14:35:08, Greg Stein <gst...@gmail.com> wrote:
> On Sun, Jan 6, 2019 at 10:20 PM Alex Harui <aha...@adobe.com.invalid> wrote:
> >...
>
> > All commits, even PRs from non-committers accepted by a committer are
> > supposed to be reviewed, AIUI. So if the bot makes a commit to the repo,
> > the PMC is responsible for reviewing it. In Royale's case, the bot should
> > only be changing pom.xml files and making tags and branches, so a bad bot
> > commit should be easy to spot and detection may even be tool-able.
> >
>
> Git does not have path-based authorization, so there is no way to restrict
> a bot from changing *code*. Give it access to pom.xml, and it has access to
> the entire repository. "But the bot won't do that" ... Well, the bot is not
> auditable by Legal Affairs or Infrastructure, so there is no way to
> validate it is committing Properly.

The bot doesn't need commit access to gitbox... it needs commit access to *a*
git repo. The RM then pulls the tag from that repo and pushes it *after review*
back to gitbox.
And there's your auditability for you ;-)

>
> This is the basic conundrum behind Legal/Infra's decision to disallow bots
> from commit access to git repositories. We do have a couple running for svn
> repositories, using path-based authz.
>
> Within the Apache Subversion project, we have tooling[1] to assist an RM with
> pretty much all the steps of a release. From reading this thread, it seems
> like Royale's problem is getting RMs up to speed, so maybe it can be solved
> with additional build-side tooling?
>
> Cheers,
> Greg
> InfraAdmin, ASF
>
> [1] https://svn.apache.org/repos/asf/subversion/trunk/tools/dist/
>
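
The "tool-able" detection and the RM's review-before-push step discussed in this thread could be checked as follows. This is an added example, not part of the original messages or of any Royale or ASF tooling; it assumes the RM feeds it the output of `git diff --raw` between the gitbox branch and the bot's tag, and the policy of holding back anything other than an in-place pom.xml edit is an assumption.

```python
import posixpath

ALLOWED_BASENAME = "pom.xml"  # the thread says the bot should only change pom.xml files
REGULAR_FILE = "100644"       # plain non-executable blob; 120000 would be a symlink

def review_raw_diff(raw):
    """Return reasons to hold the bot's tag back; an empty list means every
    entry is an in-place edit of a regular file named pom.xml."""
    problems = []
    for line in raw.splitlines():
        if not line.startswith(":"):
            continue  # not a --raw entry
        # Entry layout: ":<old mode> <new mode> <old id> <new id> <status>\t<path>[\t<path>]"
        meta, *paths = line.split("\t")
        old_mode, new_mode, _old_id, _new_id, status = meta[1:].split()
        shown = " -> ".join(paths)
        if status != "M":
            # Adds, deletes, renames, copies and type changes go to a human
            # (assumed policy, not stated in the thread).
            problems.append(f"{shown}: status {status}, expected M")
        elif posixpath.basename(paths[0]) != ALLOWED_BASENAME:
            problems.append(f"{shown}: not a pom.xml file")
        elif (old_mode, new_mode) != (REGULAR_FILE, REGULAR_FILE):
            problems.append(f"{shown}: mode {old_mode} -> {new_mode}")
    return problems

# Constructed sample of `git diff --raw` output; paths and object ids are made up.
SAMPLE = "\n".join([
    ":100644 100644 1111111 2222222 M\tpom.xml",
    ":100644 100644 3333333 4444444 M\tframeworks/pom.xml",
    ":100644 100644 5555555 6666666 M\tsrc/main/java/App.java",
    ":100644 100755 7777777 aaaaaaa M\texamples/pom.xml",
    ":100644 100644 8888888 9999999 R90\tbuild.xml\ttools/pom.xml",
])

if __name__ == "__main__":
    for problem in review_raw_diff(SAMPLE):
        print("REVIEW:", problem)
```

Paths containing tabs or newlines are quoted by git in this output format; use `-z` and a NUL-aware parser if the repository may contain such names.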