[bind10-dev] Subversion to Git conversion

Robert Edmonds edmonds at isc.org
Wed Oct 20 17:59:14 UTC 2010


Michael Graff wrote:
> On 2010-10-20 5:00 AM, Shane Kerr wrote:
> 
> > Thinking about Jinmei's points, maybe it makes more sense to simply turn
> > off the push when we are working on a security issue. That way there
> > will be less chance of error and accidentally leaking the problem.
> 
> Another option is to always push normal things out in real-time, but
> never push a security* branch out automatically, but only manually.  The
> post-push hook could scream loudly if this didn't happen in a day or
> something, just to let us know there are undisclosed security branches.

apologies for pointing out the obvious, but git allows one to push to
and pull from multiple repositories.  so another option that doesn't
involve filtering or post-push hooks or turning off automatic pushing
and only involves simple git "porcelain" commands would be to simply
have a "sensitive" repo for storing and reviewing branches that should
never be automatically pushed anywhere.

e.g., when a developer writes a security patch, he commits it to a
branch in his own local, private repository, and when he wants it
reviewed he pushes it to the "sensitive" repo and says "please review my
branch XYZ in the sensitive repository".  one or more other developers
pull it down, review it, and approve it.  then, when it needs to be
released, another developer pulls it down, merges it, and pushes it to
wherever it needs to go.

-- 
Robert Edmonds
edmonds at isc.org
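
The workflow described in the message above, as an added example that is not part of the original post. It uses throwaway repositories in a temporary directory; the remote names `origin` and `sensitive`, the branch name `security-fix`, and the file contents are assumptions made for illustration.

```shell
# Constructed demo: repo names, branch name and file contents are made up.
set -e
export GIT_AUTHOR_NAME=dev GIT_AUTHOR_EMAIL=dev@example.invalid
export GIT_COMMITTER_NAME=dev GIT_COMMITTER_EMAIL=dev@example.invalid

# Two bare repos: "public" (published automatically) and "sensitive" (review
# only), plus one developer working tree that knows both as remotes.
setup_repos() {  # $1 = absolute scratch directory
    git init -q --bare "$1/public.git"
    git init -q --bare "$1/sensitive.git"
    git init -q "$1/dev"
    ( cd "$1/dev"
      git symbolic-ref HEAD refs/heads/master
      git remote add origin "$1/public.git"
      git remote add sensitive "$1/sensitive.git"
      echo base > file.txt
      git add file.txt
      git commit -q -m "normal work"
      git push -q origin master )
}

# The author commits the fix locally and pushes that branch to "sensitive" only.
author_security_fix() {
    ( cd "$1/dev"
      git checkout -q -b security-fix
      echo patched >> file.txt
      git commit -q -a -m "security fix"
      git push -q sensitive security-fix )
}

# Another developer fetches the reviewed branch, merges it and publishes it.
release_fix() {
    git clone -q -b master "$1/public.git" "$1/releaser"
    ( cd "$1/releaser"
      git remote add sensitive "$1/sensitive.git"
      git fetch -q sensitive
      git merge -q --no-ff -m "merge reviewed security fix" sensitive/security-fix
      git push -q origin master )
}

has_branch() { git --git-dir="$1" show-ref --verify --quiet "refs/heads/$2"; }
public_has_fix() { git --git-dir="$1/public.git" show master:file.txt | grep -q patched; }

demo() {
    d=$(mktemp -d); setup_repos "$d"; author_security_fix "$d"
    has_branch "$d/public.git" security-fix && echo "LEAK" || echo "public: no security-fix branch"
    release_fix "$d"
    public_has_fix "$d" && echo "public: fix released"; rm -rf "$d"
}
demo
```

Until `release_fix` runs, the fix exists only in the developer's clone and in the sensitive repository, so anything that mirrors the public repository has nothing to leak.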
