Hi Maarten,

On 30.07.2025 21:45, Maarten Mulders wrote:
> I'm curious, since we have bidirectional sync between GitHub and the
> Apache Gitbox. How effective would these measures be? Could one (a
> malevolent actor) perform a force-push against a branch on the Gitbox
> which would then nevertheless end up on GitHub as well? Or delete a
> branch? Or... (you get the idea).

You raise a very good point!

Until recently, you were absolutely right: pushing to GitBox was indeed a way to bypass GitHub’s branch protection rules. I’ve personally done it myself: I once accidentally bricked the `logging-log4j2` repository by specifying the wrong “required check” name in the `.asf.yaml` file, and had to use GitBox to fix it.

However, as of May (see Daniel's announcement [1]), this loophole has been closed. The INFRA team has since updated the system so that branch protection rules now propagate from GitHub to GitBox, preventing direct pushes (including force-pushes) on protected branches via GitBox.

Piotr

References:

[1] https://lists.apache.org/thread/fgbr2y0r8yn9dj8myd8csk85ybf3mm48
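The lock-out Piotr describes (a `.asf.yaml` required check whose name no CI job ever reports, so the protected branch can no longer be merged into or pushed to from GitHub) is easy to catch before it is committed. The following is an added, constructed example, not ASF tooling or code from this thread: it compares the `github.protected_branches.<branch>.required_status_checks.contexts` entries of an already-parsed `.asf.yaml` with the job names of already-parsed GitHub Actions workflows, assuming a check run is named after a job's `name` key and falls back to the job id (parsing the YAML, e.g. with PyYAML, is left to the caller).

```python
"""Flag required_status_checks contexts in .asf.yaml that no workflow job
would ever report.  Constructed example; inputs are the YAML files as dicts."""


def actions_check_names(workflows: dict) -> set:
    """Status-check names GitHub Actions would report for these workflows.
    Assumption: the check run is named after the job's `name`, or the
    job id when the job has no `name` (matrix expansions are not modelled)."""
    names = set()
    for wf in workflows.values():
        for job_id, job in (wf.get("jobs") or {}).items():
            names.add(str((job or {}).get("name", job_id)))
    return names


def required_contexts(asf_yaml: dict) -> dict:
    """Map each protected branch to its required_status_checks.contexts."""
    branches = (asf_yaml.get("github") or {}).get("protected_branches") or {}
    out = {}
    for branch, rules in branches.items():
        checks = (rules or {}).get("required_status_checks") or {}
        out[branch] = list(checks.get("contexts") or [])
    return out


def unmatched_contexts(asf_yaml: dict, workflows: dict) -> dict:
    """Branches whose required contexts include a name no job reports.
    Any such branch becomes un-mergeable once the rule is applied."""
    known = actions_check_names(workflows)
    result = {}
    for branch, ctxs in required_contexts(asf_yaml).items():
        missing = [c for c in ctxs if c not in known]
        if missing:
            result[branch] = missing
    return result


# Constructed sample inputs: the context "Verify" does not match the job
# id "verify" (check names are compared exactly), which would lock `main`.
SAMPLE_ASF_YAML = {"github": {"protected_branches": {"main": {
    "required_status_checks": {"strict": True,
                               "contexts": ["Build", "Verify"]},
    "required_pull_request_reviews": {"required_approving_review_count": 1},
}}}}
SAMPLE_WORKFLOWS = {".github/workflows/ci.yml": {"name": "CI", "jobs": {
    "build": {"name": "Build", "runs-on": "ubuntu-latest"},
    "verify": {"runs-on": "ubuntu-latest"},
}}}

if __name__ == "__main__":
    for branch, missing in unmatched_contexts(SAMPLE_ASF_YAML, SAMPLE_WORKFLOWS).items():
        print(f"{branch}: required check(s) never reported by CI: {missing}")
```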