[bind10-dev] Subversion to Git conversion

Michal 'vorner' Vaner michal.vaner at nic.cz
Wed Oct 20 05:59:32 UTC 2010


Hello

On Wed, Oct 20, 2010 at 12:47:19PM +0900, JINMEI Tatuya / 神明達哉 wrote:
> Assuming my understanding is correct, can that be done easily and
> without much risk of accidental disclosure?  I guess we run some cron
> script that normally pulls "everything", but if the expected operation
> is that someone sets up a filter when we start a security branch, I'm
> afraid it's susceptible to human operational errors.  If we use a
> specific convention on branch names such as "security-xxx" with a
> filter rule that always works, it may be better than human
> intervention, but there's still a risk that we misspelled the branch
> name.

Well, I proposed a post-push hook that would push it from the master
repository. First, pull does a full copy, while push sends only what you tell
it to, so you can just have something like:

case "$GIT_BRANCH_NAME" in # I made that name up, it might be different
  security/*)
    # Don't do anything
    ;;
  *)
    git push pub_repo
    ;;
esac

Second, it works faster when there is a change and does nothing when nothing
happens, unlike cron, which just looks every now and then.

> A related point is where/how we handle security bugs with trac.  If we
> use the "sensitive" bit of the trac ticket system, it may have a
> similar problem as not pulling the repository, that is, the fact that
> we have a trac ticket that is invisible to everyone (while most of the
> other tickets are open) may disclose some information.

We said we would have the sensitive set as default and unset it as developers if
OK, I guess. And, maybe, having numbers chosen randomly would be nice too, if it
is a reasonable option.

Have a nice day

-- 
Please enter password:

Michal 'vorner' Vaner
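
The filter sketched in the message, written as a server-side hook; this is an added example, not part of the original message and not BIND 10 project code. Git's hook that runs after a push has been accepted is post-receive, which receives one "<old-sha> <new-sha> <refname>" line per updated ref on stdin. The remote name pub_repo and the security/ prefix come from the message; the function names, the case-insensitive match and the handling of deletions are assumptions that go slightly beyond it.

```shell
#!/bin/sh
# post-receive hook sketch (added example, not project code).
# Git feeds the hook one line per updated ref: "<old-sha> <new-sha> <refname>".
PUB_REMOTE="${PUB_REMOTE:-pub_repo}"   # remote name taken from the message
ZERO=0000000000000000000000000000000000000000

# Print one explicit push refspec per ref that may be published.
# Nothing is printed for security/ branches or for refs outside refs/heads/.
public_refspecs() {
  while read -r old new ref; do
    case "$ref" in
      refs/heads/*) ;;
      *) continue ;;                  # tags, notes etc. are not mirrored here
    esac
    # Compare in lower case so "Security/..." is withheld as well.
    lower=$(printf '%s' "$ref" | tr '[:upper:]' '[:lower:]')
    case "$lower" in
      refs/heads/security|refs/heads/security/*) continue ;;
    esac
    if [ "$new" = "$ZERO" ]; then
      printf ':%s\n' "$ref"           # branch was deleted: delete it publicly too
    else
      printf '%s:%s\n' "$new" "$ref"  # publish exactly the commit just received
    fi
  done
}

# Push only the filtered refspecs. A bare "git push <remote>" is avoided
# because what it sends depends on push.default and the remote's config.
mirror_public() {
  specs=$(public_refspecs)
  [ -n "$specs" ] || return 0
  # Ref names cannot contain whitespace or glob characters, so splitting is safe.
  # shellcheck disable=SC2086
  git push "$PUB_REMOTE" $specs
}

# Act as a hook only when installed under the name post-receive.
case "$0" in
  */post-receive) mirror_public ;;
esac
```

A misspelling such as "secruity/..." still passes this filter, which is the residual risk raised in the quoted text.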