[bind10-dev] Subversion to Git conversion
JINMEI Tatuya / 神明達哉
jinmei at isc.org
Wed Oct 20 03:47:19 UTC 2010
At Fri, 15 Oct 2010 12:02:15 +0200,
Shane Kerr <shane at isc.org> wrote:
> > > * "Public R/O" is a copy of the Developer repository, but is
> > > read-only. When we have a security issue, we turn off the
> > > replication mechanism until we have made an announcement of the
> > > issue which can include a fix.
> >
> > We turn off replication of security branches only, not the others
> > where we keep working on stuff like performance, new features, so
> > nothing is suspected.
>
> Correct.
This is for preventing implicitly disclosing that some security change
takes place, right? That was a concern of mine when I first read the
original proposal.

Assuming my understanding is correct, can that be done easily and
without much risk of accidental disclosure? I guess we run some cron
script that normally pulls "everything", but if the expected operation
is that someone sets up a filter when we start a security branch, I'm
afraid it's susceptible to human operational errors. If we use a
specific convention on branch names such as "security-xxx" with a
filter rule that always works, it may be better than human
intervention, but there's still a risk that we misspell the branch
name.

A related point is where/how we handle security bugs with trac. If we
use the "sensitive" bit of the trac ticket system, it may have a
similar problem as not pulling the repository, that is, the fact that
we have a trac ticket that is invisible to everyone (while most of the
other tickets are open) may disclose some information.
---
JINMEI, Tatuya
Internet Systems Consortium, Inc.
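
A fail-closed take on the "security-xxx" branch filter discussed in this message, as an added example that is not part of the original thread or of BIND 10's tooling. It holds back branches that match the convention and also branches whose name looks like a misspelling of it; the function names, the typo threshold and the sample branch list are assumptions.

```python
import re

PREFIX = "security"      # naming convention from the thread: "security-xxx"
MAX_TYPO_DISTANCE = 2    # assumption: names this close to PREFIX count as typos


def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(branch):
    """Return 'withhold', 'suspect' (likely misspelled prefix) or 'publish'."""
    name = branch.lower()
    if name.startswith(PREFIX):
        return "withhold"
    head = re.split(r"[-_/]", name, maxsplit=1)[0]
    candidates = (head, name[:len(PREFIX)])
    if min(edit_distance(c, PREFIX) for c in candidates) <= MAX_TYPO_DISTANCE:
        return "suspect"
    return "publish"


def plan_mirror(branches):
    """Build explicit push refspecs; anything not clearly public is held back."""
    refspecs, held = [], {}
    for b in branches:
        verdict = classify(b)
        if verdict == "publish":
            refspecs.append(f"refs/heads/{b}:refs/heads/{b}")
        else:
            held[b] = verdict   # fail closed: suspects need a human decision
    return refspecs, held


if __name__ == "__main__":
    # Constructed sample branch list, not taken from the BIND 10 repository.
    sample = ["master", "trac123", "security-fix1", "secuirty-77", "perf-cache"]
    refspecs, held = plan_mirror(sample)
    print("push:", refspecs)
    print("held:", held)
```

A security branch whose name bears no resemblance to the convention would still be published, so this narrows the misspelling risk raised above without removing it.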