
launchpad-reviewers team mailing list archive

Re: [Merge] ~pappacena/launchpad:create-mp-refs into launchpad:master

 

wgrant, good point.

When a user opens MP#1 targeting RepositoryX's master, for example, RepositoryX itself will have a read-only ref called `refs/merge/1/head`. The idea is that whoever is responsible for RepositoryX will have an easier way to pull locally the changes introduced by MP#1.

Let's assume RepositoryX is private. In theory, nothing changes for the user opening MP#1: the privacy checks and requirements to actually open a new MP targeting RepositoryX are still the same.

The only extra security check introduced on RepositoryX will be on the Turnip side, to block pushes to the `refs/merge/...` namespace: https://code.launchpad.net/~pappacena/turnip/+git/turnip/+merge/390620.

Do you see any specific privacy problem with this scenario?
-- 
https://code.launchpad.net/~pappacena/launchpad/+git/launchpad/+merge/390581
Your team Launchpad code reviewers is requested to review the proposed merge of ~pappacena/launchpad:create-mp-refs into launchpad:master.
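
The push restriction described in the message above, sketched as an added example that is not part of the original message and is not Turnip's own code: a pre-receive style check that rejects any create, update or delete under `refs/merge/`. The function names and the sample push are assumptions constructed for illustration; only the `refs/merge/<id>/head` ref layout comes from the message.

```python
# Added illustration, not Turnip's implementation: keep refs/merge/ read-only
# by rejecting pushes that touch it. Names and sample data are hypothetical.

PROTECTED_PREFIX = "refs/merge/"   # namespace named in the message
ZERO_SHA = "0" * 40                # git's marker for "ref does not exist"


def parse_updates(stdin_text):
    """Parse pre-receive hook input: one '<old> <new> <ref>' per line."""
    updates = []
    for line in stdin_text.splitlines():
        if line.strip():
            old, new, ref = line.split(" ", 2)
            updates.append((old, new, ref))
    return updates


def rejected_updates(updates):
    """Return (ref, reason) for every update inside the protected namespace."""
    rejected = []
    for old, new, ref in updates:
        # Compare against the prefix with its trailing slash, so that a
        # sibling such as 'refs/merged/x' is not caught by accident.
        if not ref.startswith(PROTECTED_PREFIX):
            continue
        if old == ZERO_SHA:
            action = "create"
        elif new == ZERO_SHA:
            action = "delete"
        else:
            action = "update"
        rejected.append((ref, "cannot %s read-only ref" % action))
    return rejected


def check_push(stdin_text):
    """Return (exit_code, messages); a nonzero code rejects the whole push."""
    rejected = rejected_updates(parse_updates(stdin_text))
    messages = ["%s: %s" % item for item in rejected]
    return (1 if rejected else 0), messages


# Constructed sample push: one normal branch update, a create and a delete
# under refs/merge/, and a look-alike namespace that must stay allowed.
A, B = "a" * 40, "b" * 40
SAMPLE_PUSH = "\n".join([
    "%s %s refs/heads/master" % (A, B),
    "%s %s refs/merge/1/head" % (ZERO_SHA, B),
    "%s %s refs/merge/2/head" % (A, ZERO_SHA),
    "%s %s refs/merged/feature" % (ZERO_SHA, B),
]) + "\n"
```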

