Re: Checkout of web-platform-tests pull request

On 04/11/2013 03:14 PM, Dominique Hazael-Massieux wrote:
> On Wednesday 10 April 2013 at 21:02 +0200, James Graham wrote:

>>   I'm also not sure how
>> the github API is related to security; all the github API is needed for is
>> to get notifications about when there are new pull requests or when the
>> repo is updated.
>
> I was fairly elusive, indeed :) Let me explain what I meant by security
> here:
> * I wouldn't want any random pull requests from any random person made
> on our github repository to result in publishing the content of the said
> pull request — this would make it too easy to abuse

Ah, I see. That does seem like a reasonable concern.

> * there is the specific case of content including PHP files that need to
> be reviewed before being activated
> * what I had looked at was to use github issues' assignment and/or
> issues' labeling (given that pull requests automatically create issues)
> to make it possible for someone to easily mark a submission as
> mirroring-worthy
> * but the github API doesn't expose who assigned an issue or labeled it,
> making it hard to account for a given decision

I suggest we:
a) Automatically mirror PRs from people who are members of the organisation
b) Mirror PRs that have a special label added (which it seems only 
organisation members can do). Unhappily there aren't any events that 
trigger when labels are changed, but I can't think of an alternate 
solution right now that's just as simple (my best alternative would be 
looking for comments with known strings).

I note that if you are paranoid there is still the problem that someone 
can make a legitimate push, get their PR mirrored, and then make a 
second push that is full of unwelcome content.

I can try adding these features to the code I wrote if there's any 
chance it will be used. If you are planning to start from scratch I 
won't bother :)

Received on Thursday, 11 April 2013 14:05:19 UTC
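As an added example (not code from this thread or from the web-platform-tests tooling), the two mirroring rules proposed above expressed as a policy check, extended with one thing the thread only flags as a problem: an approval is pinned to the head commit that was reviewed, so a later push to the same pull request is not published until someone approves it again. The data structures, the label name and the member list are constructed assumptions.

```python
# Mirroring policy for incoming pull requests (added example).
# Rule a) mirror PRs whose author is an organisation member.
# Rule b) mirror PRs carrying a designated label that only members can set.
# Extension (not in the thread): remember which head commit the label covered,
# so a second push after approval drops out of the mirror until re-approved.
# PullRequest, MirrorPolicy and MIRROR_LABEL are constructed assumptions.

from dataclasses import dataclass, field

MIRROR_LABEL = "mirror-ok"  # hypothetical label name


@dataclass
class PullRequest:
    number: int
    author: str
    head_sha: str            # commit currently at the tip of the PR
    labels: set = field(default_factory=set)


@dataclass
class MirrorPolicy:
    org_members: set
    # PR number -> head SHA that was current when the label was first seen
    approved_heads: dict = field(default_factory=dict)

    def evaluate(self, pr: PullRequest) -> bool:
        """True if the PR's *current* head may be published."""
        if pr.author in self.org_members:
            return True                      # rule a)
        if MIRROR_LABEL not in pr.labels:
            return False                     # unreviewed outside contribution
        if pr.number not in self.approved_heads:
            # First time we see the label: assume it was applied to this head.
            self.approved_heads[pr.number] = pr.head_sha
            return True                      # rule b)
        # Label persists across pushes, so compare against the pinned commit:
        # a new head means new, unreviewed content.
        return self.approved_heads[pr.number] == pr.head_sha

    def reapprove(self, pr: PullRequest) -> None:
        """Reviewer action: accept the PR's current head after a new push."""
        self.approved_heads[pr.number] = pr.head_sha
```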