On 12/9/20 12:38 am, Thiago F. Pappacena wrote:
> wgrant, good point.
> 
> When a user opens a MP#1 targeting RepositoryX's master, for example, 
> RepositoryX itself will have a read-only ref called `refs/merge/1/head`. The 
> idea is that whoever is responsible for RepositoryX will have an easier way 
> to pull locally the changes introduced by MP#1.
> 
> Let's assume a RepositoryX is private. In theory, nothing changes for the 
> user opening the MP#1: the privacy checks and requirements to actually open a 
> new MP targeting RepositoryX are still the same. 
> 
> The only extra security check introduced on RepositoryX will be on Turnip 
> side, to block pushes to `refs/merge/...` namespace: 
> https://code.launchpad.net/~pappacena/turnip/+git/turnip/+merge/390620.
> 
> Do you see any specific privacy problem with this scenario?

The problem arises when the *source* repository is private. Consider,
for example, a security fix MP: a user can only view an MP if they can
see both the source and target branches. But this will let anyone who
can see the target repository examine the code in the MP from a
potentially invisible private branch.

-- 
https://code.launchpad.net/~pappacena/launchpad/+git/launchpad/+merge/390581
Your team Launchpad code reviewers is requested to review the proposed merge of 
~pappacena/launchpad:create-mp-refs into launchpad:master.

_______________________________________________
Mailing list: https://launchpad.net/~launchpad-reviewers
Post to     : [email protected]
Unsubscribe : https://launchpad.net/~launchpad-reviewers
More help   : https://help.launchpad.net/ListHelp
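
The visibility gap raised in the reply above, as an added example that is not part of the original thread and is not Launchpad or Turnip code. It audits a set of merge proposals for refs that would be readable by users outside the MP's own audience; the `Repo`, `MergeProposal` and `overexposed` names, the users and the repositories other than RepositoryX are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Constructed model: viewers=None means the repository is public.
@dataclass(frozen=True)
class Repo:
    name: str
    viewers: Optional[FrozenSet[str]] = None

    def visible_to(self, user: str) -> bool:
        return self.viewers is None or user in self.viewers

@dataclass(frozen=True)
class MergeProposal:
    number: int
    source: Repo
    target: Repo

    def visible_to(self, user: str) -> bool:
        # Rule stated in the thread: the user must see both source and target.
        return self.source.visible_to(user) and self.target.visible_to(user)

    def merge_ref(self) -> str:
        return f"refs/merge/{self.number}/head"

    def ref_readable_by(self, user: str) -> bool:
        # A ref stored in the target repository follows the target's visibility only.
        return self.target.visible_to(user)

def overexposed(mps, users):
    """Map each merge ref to the users who could fetch it but may not view the MP."""
    report = {}
    for mp in mps:
        extra = sorted(u for u in users
                       if mp.ref_readable_by(u) and not mp.visible_to(u))
        if extra:
            report[mp.merge_ref()] = extra
    return report

# Constructed sample data (hypothetical users and repositories).
USERS = ["alice", "bob", "carol"]
repo_x = Repo("RepositoryX")                                  # public target
security_fork = Repo("security-fork", frozenset({"alice"}))   # private source
private_x = Repo("PrivateX", frozenset({"alice", "bob"}))     # private target
MPS = [
    MergeProposal(1, security_fork, repo_x),
    MergeProposal(2, Repo("public-fork"), repo_x),
    MergeProposal(3, security_fork, private_x),
]

if __name__ == "__main__":
    for ref, who in overexposed(MPS, USERS).items():
        print(ref, "readable beyond the MP audience by", who)
```
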
