Conversation
|
Well, this will also add overhead if you fix a typo and are safe to push directly. |
|
And this prevents release plugin as well (when doing a release from master)? |
slawekjaranowski
left a comment
slawekjaranowski
left a comment
There was a problem hiding this comment.
Although I like PR review I wouldn't to do such strict restrictions.
- all PR will be must past one by one and each will be must rebased with the latest master before merge
- all even simple fix (typo) will be must pass by whole machine
- we don't have a consesus for RTC
- release from master will be not possible
this one would be a blocker to me |
just saying nothing really prevents. create a branch |
Bah, even more work... |
says the one is asking people to create jira for everything :P
I just find the "hey guys hold on your merge for a week or two I'm releasing so nobody touch anything" a bit archaic svn/cvs style :) BTW I'm not for ban direct push but not for this release reason. |
...and how do you want to reconcile two diverging branches back to a linear history? |
I don't see the problem here. Can you explain? You have |
What if master has developed from then? A ff-merge isn't possible anymore, no? |
and so what is the problem? |
|
Bringing this one back up. Accidental and deliberate pushes to the master branch without review continue to happen and this is not good for security or reliability. I think @olamy has clearly indicated how the release process can work following this change. |
It should be obviously summarized because no one remembers. Also note that the "Merge Button" on GH does not replace a merge in the terminal especially because it cannot set the proper committer email address. |
|
I think @olamy can explain better than me, but briefly the procedure would be to make a branch for the release, release from the branch, and then increment the version in master, manually if necessary. |
Overhead for a volunteer |
|
Yes, it is extra overhead. IMHO it's worth it. The current situation is unacceptably vulnerable to supply chain attacks. Today any committer account can unilaterally install a crypto miner, backdoor, or other malware into Maven with a strong chance that it will go unnoticed before release. |
Maven for the paranoid. |
|
It's not like these problems haven't happened before multiple times in multiple projects. When people really are out to get you, paranoia is the rational state of mind. |
even if we have a protected master (or other branches) I will do release by creating branch for release like even more I can prepare own binary artifacts which will be released .... if nobody check reproducible build result ... so protected branches don't protect us by supply chain attacks and so on |
|
You might be able to do that. I and other non-PMC committers can't. And generally a release requires a review and a vote. Possibly that's a formality and you could skip the vote but the release would be noticed, and likely someone would take a closer look. And usually someone does check the reproducible build result. OTOH you or I certainly could commit something to master with a reasonable likelihood no one would pay any attention. We can close that hole and we should. Let's not let the perfect be the enemy of the good. |
|
I do not see this fixing any security problems... |
|
But if doing so, |
|
To be clear, I want a PR only workflow, full stop. I suppose if we were using some non-Github system, then there would be other non-PR mechanisms for guaranteeing code review, but two person sign-off on all changes is standard practice for good reason. Given that we're using github though, PRs are simply how that is done. And yes, maven-3.9.x should be protected too. |
elharo
changed the title
Well such change can only come from what "we" want (maven dev community) and not from what "you" want (a single person opinion).
|
|
I'm happy to discuss on the mailing list. I do think this is important to get right. I don't want Maven to to become the next cautionary tale on Hacker News. |
|
Re consensus, https://maven.apache.org/developers/conventions/github.html states: "We should always provide changes by Pull Request. Direct commits will be not visible in Milestones issues list nor Release Notes." And I did not write the PR that put that language there. :-) |
|
Not everything has to be in release notes. Some changes are pure cosmetic and doesn't affect users and turns to be useless noise in release notes |
I'm not an English native speaker, but I think there is a difference between should and must.
https://maven.apache.org/developers/conventions/git.html |
6 participants
The goal is to keep committers (i.e. me) from accidentally pushing straight into master. I think this does that, but I've only done this before through the github UI so please review carefully.