On Wed, Apr 28, 2021 at 4:18 PM Joe Watkins <krak...@gmail.com> wrote:

> That's a good point.
>
> I suppose the most we can do is prevent accidental committing of such
> things.
>
> Appears to be two "solutions" ...
>
> We could distribute a pre-commit hook, which is somewhere between "not
> bad", and "pretty awkward" if your git installation is old.
> We could setup one of the unused boxes we have and leverage
> api/actions/whatever and catch bad commits after they happen.
>
> Neither of these are perfect solutions ... and I've never tried using
> hooks with github, but with a quick read it seems people do it - it's
> another paragraph in the git/vcs readme on the wiki.
>
> Any more ideas?
>
> Cheers
> Joe
>

I don't think the tags themselves are a problem -- for those at least we
have an audit trail in the form of our webhook integration, which sends out
emails for all tag creations/deletions, and by whom they were made. I'm not
even sure if our old karma setup had any special protection for tag
creation.

Having looked a bit closer now, it looks like the same would work for
release assets as well. There are webhooks for changes to releases, which
also list assets and who uploaded them. That should at least make us aware
of any changes.

Nikita


> On Wed, 28 Apr 2021 at 15:52, Nikita Popov <nikita....@gmail.com> wrote:
>
>> On Tue, Apr 27, 2021 at 4:41 PM Christoph M. Becker <cmbecke...@gmx.de>
>> wrote:
>>
>> > Hi all,
>> >
>> > the distributions repo[1] is huge (currently ~26GiB), and it will grow
>> > further over time; that causes issues when trying to check it out[2],
>> > and frankly, I don't see why we're having the tarballs in a VCS at all.
>> >
>> > Wouldn't it be more suitable to make the tarballs available somewhere
>> > else?  Since we're using Github anyway, an appropriate place could be
>> > the tags, where it is already possible to add attachments.
>> >
>> > From what I can tell, that would require some modifications to web-php
>> > and web-qa, so that the proper download links would be available there,
>> > but otherwise shouldn't be a big issue.
>> >
>>
>> One possible issue I see is that anyone with write access to the repo can
>> upload release artifacts (I think), and I'm not even sure if changes in
>> artifacts show up in the audit log.
>>
>> Nikita
>>
>
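As an added illustration of the webhook-based audit trail Nikita describes (this is example code, not anything from the php.net infrastructure), here is a minimal receiver that verifies a delivery's X-Hub-Signature-256 header and turns `create`/`delete` tag events and `release` events into audit lines naming who created or deleted a tag and who uploaded each release asset. The payload field names are assumed to follow GitHub's documented webhook payloads; the secret and sample deliveries are constructed.

```python
import hashlib
import hmac
import json


def sign(secret: bytes, body: bytes) -> str:
    """Value GitHub sends in X-Hub-Signature-256 for this body (HMAC-SHA256 of the raw bytes)."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_signature(secret: bytes, body: bytes, signature_header) -> bool:
    """Constant-time check; an unsigned or forged delivery must never become an audit fact."""
    return hmac.compare_digest(sign(secret, body), signature_header or "")


def audit_records(event: str, payload: dict) -> list:
    """Reduce a create/delete/release event to 'who did what' lines; other events yield nothing."""
    who = payload.get("sender", {}).get("login", "<unknown>")
    out = []
    if event in ("create", "delete") and payload.get("ref_type") == "tag":
        out.append(f"tag {payload['ref']} {event}d by {who}")  # created / deleted
    elif event == "release":
        rel = payload.get("release", {})
        out.append(f"release {rel.get('tag_name')} {payload.get('action')} by {who}")
        for asset in rel.get("assets", []):  # assets carry their own uploader
            uploader = asset.get("uploader", {}).get("login", "<unknown>")
            out.append(f"  asset {asset['name']} uploaded by {uploader}")
    return out


def handle_delivery(secret: bytes, event: str, body: bytes, signature_header):
    """Per-delivery entry point: returns audit lines, or None when the signature does not verify."""
    if not verify_signature(secret, body, signature_header):
        return None
    return audit_records(event, json.loads(body))


# Constructed sample deliveries (not real repository data).
SECRET = b"constructed-webhook-secret"
TAG_CREATE = json.dumps({"ref": "v1.2.3", "ref_type": "tag",
                         "sender": {"login": "alice"}}).encode()
RELEASE_EDIT = json.dumps({"action": "edited", "sender": {"login": "bob"},
                           "release": {"tag_name": "v1.2.3", "assets": [
                               {"name": "example-1.2.3.tar.gz",
                                "uploader": {"login": "carol"}}]}}).encode()

if __name__ == "__main__":
    for ev, body in (("create", TAG_CREATE), ("release", RELEASE_EDIT)):
        for line in handle_delivery(SECRET, ev, body, sign(SECRET, body)):
            print(line)
```

In a real deployment the returned lines would be mailed or appended to an audit log, and a rejected signature would itself be worth alerting on.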
