Conversation
|
Well, this will also add overhead if you fix a typo and are safe to push directly. |
|
And this prevents release plugin as well (when doing a release from master)? |
slawekjaranowski
left a comment
There was a problem hiding this comment.
Although I like PR review I wouldn't to do such strict restrictions.
- all PR will be must past one by one and each will be must rebased with the latest master before merge
- all even simple fix (typo) will be must pass by whole machine
- we don't have a consesus for RTC
- release from master will be not possible
this one would be a blocker to me |
just saying nothing really prevents. create a branch |
Bah, even more work... |
says the one is asking people to create jira for everything :P
I just find the "hey guys hold on your merge for a week or two I'm releasing so nobody touch anything" a bit archaic svn/cvs style :) BTW I'm not for ban direct push but not for this release reason. |
...and how do you want to reconcile two diverging branches back to a linear history? |
I don't see the problem here. Can you explain? You have |
What if master has developed from then? A ff-merge isn't possible anymore, no? |
and so what is the problem? |
|
Bringing this one back up. Accidental and deliberate pushes to the master branch without review continue to happen and this is not good for security or reliability. I think @olamy has clearly indicated how the release process can work following this change. |
It should be obviously summarized because no one remembers. Also note that the "Merge Button" on GH does not replace a merge in the terminal especially because it cannot set the proper committer email address. |
|
I think @olamy can explain better than me, but briefly the procedure would be to make a branch for the release, release from the branch, and then increment the version in master, manually if necessary. |
Overhead for a volunteer |
|
Yes, it is extra overhead. IMHO it's worth it. The current situation is unacceptably vulnerable to supply chain attacks. Today any committer account can unilaterally install a crypto miner, backdoor, or other malware into Maven with a strong chance that it will go unnoticed before release. |
Maven for the paranoid. |
|
It's not like these problems haven't happened before multiple times in multiple projects. When people really are out to get you, paranoia is the rational state of mind. |
even if we have a protected master (or other branches) I will do release by creating branch for release like even more I can prepare own binary artifacts which will be released .... if nobody check reproducible build result ... so protected branches don't protect us by supply chain attacks and so on |
|
You might be able to do that. I and other non-PMC committers can't. And generally a release requires a review and a vote. Possibly that's a formality and you could skip the vote but the release would be noticed, and likely someone would take a closer look. And usually someone does check the reproducible build result. OTOH you or I certainly could commit something to master with a reasonable likelihood no one would pay any attention. We can close that hole and we should. Let's not let the perfect be the enemy of the good. |
|
I do not see this fixing any security problems... |
|
But if doing so, |
|
To be clear, I want a PR only workflow, full stop. I suppose if we were using some non-Github system, then there would be other non-PR mechanisms for guaranteeing code review, but two person sign-off on all changes is standard practice for good reason. Given that we're using github though, PRs are simply how that is done. And yes, maven-3.9.x should be protected too. |
Well such change can only come from what "we" want (maven dev community) and not from what "you" want (a single person opinion).
|
|
I'm happy to discuss on the mailing list. I do think this is important to get right. I don't want Maven to to become the next cautionary tale on Hacker News. |
|
Re consensus, https://maven.apache.org/developers/conventions/github.html states: "We should always provide changes by Pull Request. Direct commits will be not visible in Milestones issues list nor Release Notes." And I did not write the PR that put that language there. :-) |
|
Not everything has to be in release notes. Some changes are pure cosmetic and doesn't affect users and turns to be useless noise in release notes |
I'm not an English native speaker, but I think there is a difference between should and must.
https://maven.apache.org/developers/conventions/git.html |
gnodet
left a comment
There was a problem hiding this comment.
AI Code Review — PR #1035
Verdict: 💬 Superseded — recommend close
This PR proposed adding protected_branches for master and maven-3.9.x with strict status checks and required reviews. However, branch protection has since been enabled through other PRs and direct commits.
Status
The current .asf.yaml on master already includes comprehensive branch protection:
protected_branches:
master: {}
maven-4.0.x: {}
maven-3.10.x: {}
maven-3.9.x: {}
maven-3.8.x: {}
maven-3.0.x: {}
maven-2.2.x: {}
pre-reset-master: {}This covers 8 branches (vs. the 2 proposed here). The community chose empty {} rules (preventing force-pushes and branch deletion) rather than the stricter required_status_checks and required_pull_request_reviews proposed here — as discussed in the PR comments, the stricter settings raised governance concerns about release workflow overhead.
Recommendation
Close this PR as superseded. The core goal (protecting key branches) is already accomplished. If stricter settings (required reviews, up-to-date branches) are desired later, that should be proposed via the dev mailing list with a fresh PR against the current .asf.yaml.
This review was generated by an AI agent and may contain inaccuracies. Please verify all suggestions before applying.
Claude Code on behalf of Guillaume Nodet
Reviewed 3 PRs: apache#1511 (COMMENT), apache#1035 (COMMENT, superseded), apache#964 (COMMENT). 30 total reviews posted. ~29 PRs remaining. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
|
OK sounds good. I'll close this. But I am going to check if I can still commit straight to master without review (using some innocuous typo fix, they're easy to find) and if I can I'll ask for stronger protections. |
The goal is to keep committers (i.e. me) from accidentally pushing straight into master. I think this does that, but I've only done this before through the github UI so please review carefully.