Thanks for your input. Let me try to summarize the current state of discussion:

- It seems we have consensus that implementing Tier 1 (Prevent force push + Prevent branch deletion) is a good idea
- The rules should be synced between Gitbox and GitHub
- We need more time to evaluate which consequence implementing "Require at least 1 reviewer for approval before merging" and more will have.

I will open a vote for introducing "Prevent force push + Prevent branch deletion" via .asf.yaml


On 03.08.25 at 18:15, Maarten Mulders wrote:
Hi Piotr,

Thanks for pointing me to that announcement. I must've missed it. But indeed it seems like one thing less to worry about - which is great!


Maarten

On August 01, 2025 at 08:09, Piotr P. Karwasz wrote:
Hi Maarten,

On 30.07.2025 21:45, Maarten Mulders wrote:
I'm curious, since we have bidirectional sync between GitHub and the
Apache Gitbox. How effective would these measures be? Could one (a
malevolent actor) perform a force-push against a branch on the Gitbox
which would then nevertheless end up on GitHub as well? Or delete a
branch? Or... (you get the idea).

You raise a very good point!

Until recently, you were absolutely right: pushing to GitBox was indeed
a way to bypass GitHub’s branch protection rules. I’ve personally done
it myself: I once accidentally bricked the `logging-log4j2` repository
by specifying the wrong “required check” name in the `.asf.yaml` file,
and had to use GitBox to fix it.

However, as of May (see Daniel's announcement [1]), this loophole has
been closed. The INFRA team has since updated the system so that branch
protection rules now propagate from GitHub to GitBox, preventing direct
pushes (including force-pushes) on protected branches via GitBox.

Piotr

References:
[1] https://lists.apache.org/thread/fgbr2y0r8yn9dj8myd8csk85ybf3mm48

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org
For additional commands, e-mail: dev-h...@maven.apache.org
