Contributors mailing list archives

contributors@odoo-community.org

Re: Procedure to create 16.0 branches

by "Raphaël Valyi" <rvalyi@akretion.com> - 21/07/2022 05:46:01
Hello,

My vote goes to the opt-in option, at least unless Pedro gets convinced, because going against the will of somebody processing such a large portion of the PRs would be a terrible shot in the feet.

That being said, earlier Pedro raised the concern about the possibility to craft an attack commit inside a missing commit that would be cherry-picked just like with the current way of migrating. But:

On Wed, Jul 20, 2022, 3:42 PM Roussel, Denis <notifications@odoo-community.org> wrote:
To summarize:

  • commits SHA are different with current behaviour
  • commits SHA are equal with proposed one

Denis, could you confirm this SHA conservation could make us safe against such crafted attack commits in the middle of the missing commits that one would need to cherry-pick with the new procedure?

This crafted commit attack thing is indeed extremely concerning...
