- From: James Graham <jgraham@opera.com>
- Date: Thu, 11 Apr 2013 16:04:45 +0200
- To: public-test-infra@w3.org
On 04/11/2013 03:14 PM, Dominique Hazael-Massieux wrote:
> On Wednesday 10 April 2013 at 21:02 +0200, James Graham wrote:
>> I'm also not sure how the github API is related to security; all the
>> github API is needed for is to get notifications about when there are
>> new pull requests or when the repo is updated.
>
> I was fairly elusive, indeed :) Let me explain what I meant by security
> here:
> * I wouldn't want any random pull requests from any random person made
> on our github repository to result in publishing the content of the said
> pull request — this would make it too easy to abuse

Ah, I see. That does seem like a reasonable concern.

> * there is the specific case of content including PHP files that need to
> be reviewed before being activated
> * what I had looked at was to use github issues' assignment and/or
> issues' labeling (given that pull requests automatically create issues)
> to make it possible for someone to easily mark a submission as
> mirroring-worthy
> * but the github API doesn't expose who assigned an issue or labeled it,
> making it hard to account for a given decision

I suggest we:

a) Automatically mirror PRs from people who are members of the organisation
b) Mirror PRs that have a special label added (which it seems only
organisation members can do).

Unhappily there aren't any events that trigger when labels are changed, but
I can't think of an alternate solution right now that's just as simple (my
best alternative would be looking for comments with known strings).

I note that if you are paranoid there is still the problem that someone can
make a legitimate push, get their PR mirrored, and then make a second push
that is full of unwelcome content.

I can try adding these features to the code I wrote if there's any chance
it will be used. If you are planning to start from scratch I won't bother :)
Received on Thursday, 11 April 2013 14:05:19 UTC
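The mirroring policy sketched in the message above (mirror PRs from organisation members automatically, mirror other PRs only once a label has been added, treat PHP content as needing review, and guard against a second push after approval) can be expressed as a small decision gate. The following is an added example written for this page; it is not James Graham's mirroring code nor anything from the W3C test infrastructure. It assumes a label name of `mirror-ok`, a caller-supplied set of organisation member logins, a PR object in the shape GitHub's pull request API returns (`number`, `user.login`, `head.sha`, `labels`), and a separately fetched list of changed file paths. The "record the head SHA when the label is applied" step is the mitigation for the second-push problem: a PR approved at one commit is not mirrored once its head moves.

```python
"""Mirroring gate for pull requests (added example, hypothetical names).

Policy from the thread:
  * PRs from organisation members are mirrored automatically.
  * Other PRs are mirrored only when an approval label is present.
  * PRs touching PHP files always need the approval label, even from members.
  * The label approves a specific commit: if the head SHA moves after the
    label was applied, the PR is held again (the "second push" problem).
"""
from dataclasses import dataclass

APPROVAL_LABEL = "mirror-ok"  # assumed label name, not from the thread


@dataclass(frozen=True)
class Decision:
    mirror: bool
    reason: str


class MirrorGate:
    def __init__(self, org_members, approval_label=APPROVAL_LABEL):
        self.org_members = set(org_members)
        self.approval_label = approval_label
        # PR number -> head SHA that was current when the label was applied.
        self._approved_sha = {}

    def record_label(self, pr_number, head_sha):
        """Pin the reviewed commit at the moment the approval label is seen."""
        self._approved_sha[pr_number] = head_sha

    def decide(self, pr, changed_files):
        """Return a Decision for a PR object and its list of changed paths."""
        number = pr["number"]
        author = pr["user"]["login"]
        head_sha = pr["head"]["sha"]
        labels = {label["name"] for label in pr.get("labels", [])}
        needs_review = any(path.lower().endswith(".php") for path in changed_files)

        # Rule (a): members are trusted, unless the PR ships PHP content.
        if author in self.org_members and not needs_review:
            return Decision(True, "author is an organisation member")

        # Rule (b): everyone else needs the approval label.
        if self.approval_label not in labels:
            if needs_review:
                return Decision(False, "PHP content requires the approval label")
            return Decision(False, "author is not a member and PR is not labelled")

        # The label must have been recorded against the current head commit.
        approved = self._approved_sha.get(number)
        if approved is None:
            return Decision(False, "label present but no recorded approval")
        if approved != head_sha:
            return Decision(False, "head moved since approval: %s -> %s"
                            % (approved[:7], head_sha[:7]))
        return Decision(True, "approved commit matches current head")


def demo():
    """Walk through the cases from the thread on constructed sample PRs."""
    gate = MirrorGate(org_members={"alice"})  # constructed member list
    member_pr = {"number": 1, "user": {"login": "alice"},
                 "head": {"sha": "a" * 40}, "labels": []}
    outside_pr = {"number": 2, "user": {"login": "mallory"},
                  "head": {"sha": "b" * 40}, "labels": []}
    labelled_pr = dict(outside_pr, labels=[{"name": APPROVAL_LABEL}])
    moved_pr = dict(labelled_pr, head={"sha": "c" * 40})

    results = {
        "member_html": gate.decide(member_pr, ["html/index.html"]).mirror,
        "member_php": gate.decide(member_pr, ["tools/run.php"]).mirror,
        "outside_unlabelled": gate.decide(outside_pr, ["t.html"]).mirror,
        "outside_label_unrecorded": gate.decide(labelled_pr, ["t.html"]).mirror,
    }
    gate.record_label(2, "b" * 40)  # a member applies the label at commit b...
    results["outside_label_recorded"] = gate.decide(labelled_pr, ["t.html"]).mirror
    results["outside_second_push"] = gate.decide(moved_pr, ["t.html"]).mirror
    return results


if __name__ == "__main__":
    for case, mirrored in demo().items():
        print("%-28s %s" % (case, "mirror" if mirrored else "hold"))
```

Because the thread notes there is no webhook for label changes, `record_label` would be driven by polling the PR's labels and pinning `head.sha` the first time the label appears; the gate then keeps holding the PR if a later push changes the head until someone re-applies the label.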