Contributors mailing list archives


Re: Procedure to create 16.0 branches

Tecnativa. S. L., Pedro M. Baeza
- 21/07/2022 06:16:06
> Denis, could you confirm this SHA conservation could make us safe against such crafted attack commits in the middle of the missing commits that one would need to cherry-pick with the new procedure?
> This crafted commit attack thing is indeed extremely concerning...

It will be safer if the commit already resides in the prior branch when creating the new branch (and the SHA or signings will be the same). The problem is for missing commits that come after the branch creation. The only way to totally avoid this risk is to have one module per repo, and only "fork" when migrating the module, but we all know that this is impossible technically and by permission scheme.