This is just utterly silly: I am NOT interested at all in your branches:
➜ maven git:(master) git fetch upstream -p
From github.com:apache/maven
 - [deleted]             (none)     -> upstream/dependabot/maven/org.assertj-assertj-core-3.27.1
remote: Enumerating objects: 72, done.
remote: Counting objects: 100% (40/40), done.
remote: Compressing objects: 100% (16/16), done.
remote: Total 72 (delta 14), reused 31 (delta 11), pack-reused 32 (from 2)
Unpacking objects: 100% (72/72), 26.64 KiB | 245.00 KiB/s, done.
   ce3c2a90a3..d438ebb443  apidoc     -> upstream/apidoc
   2296b16971..828c2bb70e  copy       -> upstream/copy
 * [new branch]            dependabot/maven/ch.qos.logback-logback-classic-1.5.16 -> upstream/dependabot/maven/ch.qos.logback-logback-classic-1.5.16
 * [new branch]            dependabot/maven/org.assertj-assertj-core-3.27.2 -> upstream/dependabot/maven/org.assertj-assertj-core-3.27.2
   0b7235c094..0176ffb825  master     -> upstream/master
   8b8bb3b3b1..6115eb24c3  mdo        -> upstream/mdo
 * [new branch]            pathsource -> upstream/pathsource
➜ maven git:(master)
On Mon, Jan 6, 2025 at 4:28 PM Elliotte Rusty Harold <[email protected]> wrote:
>
> On Mon, Jan 6, 2025 at 7:38 AM Guillaume Nodet <[email protected]> wrote:
> >
> > On Sun, Jan 5, 2025 at 15:49, Elliotte Rusty Harold
> > <[email protected]> wrote:
> > >
> > > I do think the mailing list is severely misconfigured if it's paying
> > > any attention to dev branches. There's no reason it should be picking
> > > these commits up. If it is, let's fix it, not contort people's
> > > development process
> >
> > What kind of security issues are you talking about ?
> > Whether the code / commits / changes are reviewed before entering
> > the repo or after does not change much afaik.
> >
>
> Changes aren't reviewed after they're committed. Maybe one day someone
> happens to look at the code, but usually no one does. Allowing a skip
> of review makes it too easy to sneak in malicious code that no one
> will notice. Mandatory code review isn't the only part of software
> supply chain security, but it is an important one.
>
> I note that at Google this practice — mandatory code review before
> commit — is an absolute requirement, and security (also bugs) is a big
> part of the reason why. The same is true of most medium-to-large
> projects. Maven's the outlier here, perhaps because its history
> predates git and modern security concerns.
>
> --
> Elliotte Rusty Harold
> [email protected]
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [email protected]
> For additional commands, e-mail: [email protected]
>
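The fetch output at the top of the message pulls in every upstream branch because the default refspec for a remote is `+refs/heads/*:refs/remotes/upstream/*`. The script below is an added example, not part of this thread or of the Maven project: it builds a throwaway local "upstream" repository with a master branch and two side branches (constructed names, standing in for the dependabot and apidoc branches above), adds it as a remote that tracks only master, fetches with pruning, and lists the remote-tracking refs that result. The remote name `upstream`, the branch name `master` and the side-branch names are assumptions.

```shell
#!/bin/sh
# Added example: fetch only the upstream branches you track by narrowing
# the remote's fetch refspec. Remote/branch names are assumptions.
set -eu

# Build a throwaway repository that plays the role of "upstream"
# (constructed sample data: one commit, three branches).
make_upstream() {
  up=$(mktemp -d)
  git -C "$up" init -q
  git -C "$up" symbolic-ref HEAD refs/heads/master
  git -C "$up" -c user.name=example -c user.email=example@example.invalid \
    commit -q --allow-empty -m "initial commit"
  git -C "$up" branch dependabot/maven/example-lib-1.0.0
  git -C "$up" branch apidoc
  printf '%s\n' "$up"
}

# Clone-side setup: add the remote so that only "master" is fetched.
# `-t master` writes remote.upstream.fetch as
#   +refs/heads/master:refs/remotes/upstream/master
# instead of the default wildcard refspec, so other branches never
# appear as upstream/* refs. Prints the remote-tracking refs that exist
# after the fetch (expected: just "upstream/master").
narrow_fetch() {
  local_clone=$(mktemp -d)
  git -C "$local_clone" init -q
  git -C "$local_clone" remote add -t master upstream "$1"
  git -C "$local_clone" fetch -q -p upstream
  git -C "$local_clone" for-each-ref --format='%(refname:short)' refs/remotes/upstream/
}

# Usage when run directly: sh narrow-fetch.sh demo
if [ "${1:-}" = "demo" ]; then
  upstream_dir=$(make_upstream)
  narrow_fetch "$upstream_dir"
fi
```

For a remote that already exists with the default refspec, `git remote set-branches upstream master` rewrites the refspec the same way; remote-tracking refs fetched earlier under the old wildcard stay until deleted explicitly, since `fetch -p` only prunes refs covered by the current refspec.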