guix-devel

Re: Tricking peer review


From: Ryan Prior
Subject: Re: Tricking peer review
Date: Fri, 15 Oct 2021 22:59:24 +0000

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> A "bad" commit might still be perfectly fine to fetch certain things from if 
> they're unaffected by it

The database could store a comment with each "bad" commit hash to help people 
decide if they're affected. It could even go further and include a list of 
tainted packages, so you could programmatically determine whether one of them 
is in your dependency tree.

> you're now tasked with the job of keeping the list of bad commits safe 
> somehow.

Right now afaik Ludovic's key is the root of trust (is this still true?) so I 
imagine we'd sign the list too, with that key or some other key signed by it.

> In some situations resetting a branch might work, but obviously not for 
> months old sleeper commits.

Not sure what you mean by this, can you explain?
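
The tainted-package check proposed in the message above, as an added example that is not part of the original email and is not Guix code: the commit ids, package names, dependency graph and the `closure`/`check` helpers are all constructed for illustration. It assumes the list's signature was already verified before loading.

```python
from collections import deque

# Constructed sample data: placeholder commit ids and package names.
BAD_COMMITS = {
    "bad-commit-1": {"comment": "source hash of libfoo does not match its URL",
                     "tainted": ["libfoo"]},
    "bad-commit-2": {"comment": "scope not yet analysed", "tainted": []},
}

# Constructed dependency graph: package -> direct inputs.
DEPS = {
    "my-app": ["libbar", "zlib"],
    "libbar": ["libfoo"],
    "libfoo": ["zlib"],
    "zlib": [],
    "other-tool": ["zlib"],
}

def closure(graph, roots):
    """Return every package reachable from roots, roots included."""
    seen, queue = set(roots), deque(roots)
    while queue:
        for dep in graph.get(queue.popleft(), ()):
            if dep not in seen:  # also guards against cycles
                seen.add(dep)
                queue.append(dep)
    return seen

def check(commit, roots, graph=DEPS, db=BAD_COMMITS):
    """Return None if commit is not listed, else the stored comment and the
    tainted packages found in the dependency tree of roots."""
    entry = db.get(commit)
    if entry is None:
        return None
    tree = closure(graph, roots)
    # An empty tainted list means unknown scope: treat the whole tree as hit.
    hits = tree if not entry["tainted"] else tree & set(entry["tainted"])
    return {"comment": entry["comment"], "affected": sorted(hits)}

if __name__ == "__main__":
    for commit in ("bad-commit-1", "bad-commit-2", "good-commit"):
        print(commit, check(commit, ["my-app"]))
```

A listed commit with an empty `affected` result is the case the quoted reply describes: the commit is flagged, but nothing in this dependency tree is touched by it.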


