On Wed, May 6, 2020 at 10:24 PM Simo Sorce <s...@redhat.com> wrote:
> Well, a way to allow force pushes would be to have a git hook that
> branches the tree before the force push. (creating a branch named
> something like audit-force-push-<timestamp>)
> That way you can retain data for legal/auditing reasons, while allowing
> everyday history to be rewritten.

Wouldn't it be easier to approach this from a build system perspective
and let, for example, the build system (or tools) tag the commits which
were built from with some forever-living tags? This would still
ensure a complete audit trail for whatever was built and shipped, but
could eliminate the need for a complete lockdown of dist/source-git.

> Not sure how "nice" that would be for an auditor that has to
> reconstruct what happened over multiple force pushes that way, it also
> will generate quite an amount of noisy metadata (branches), but it
> could work.

Refs created for auditing purposes could be kept in a separate git
namespace so they don't create noise in everyday workflows.
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
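
The two ideas in this message (pinning the old tip before a force push, and keeping those refs in their own namespace) can be combined in a server-side `update` hook. This is an added example, not code from the thread or from Fedora's infrastructure; the `refs/audit/force-push` namespace, the ref naming scheme and the choice of the `update` hook are assumptions.

```shell
#!/bin/sh
# Server-side "update" hook sketch (added example, not Fedora's tooling).
# git calls it once per pushed ref as: update <refname> <old-oid> <new-oid>
AUDIT_NS=${AUDIT_NS:-refs/audit/force-push}   # assumed namespace name

# True for the all-zero object id (works for SHA-1 and SHA-256 repositories).
is_zero() { case "$1" in *[!0]*) return 1 ;; *) return 0 ;; esac; }

# Print the audit ref to create for this update; print nothing when the
# update cannot drop commits (not a branch, a new branch, or a fast-forward).
audit_ref_for() {   # <refname> <old-oid> <new-oid> <timestamp>
    case "$1" in refs/heads/*) ;; *) return 0 ;; esac
    is_zero "$2" && return 0                       # branch creation
    if ! is_zero "$3" && git merge-base --is-ancestor "$2" "$3"; then
        return 0                                   # fast-forward
    fi
    # History rewrite or branch deletion: name the ref after the branch,
    # the time of the push and the abbreviated old tip.
    printf '%s/%s/%s-%.12s\n' "$AUDIT_NS" "${1#refs/heads/}" "$4" "$2"
}

main() {
    ts=$(date -u +%Y%m%dT%H%M%SZ)
    audit_ref=$(audit_ref_for "$1" "$2" "$3" "$ts") || return 1
    [ -z "$audit_ref" ] && return 0
    # Fail closed: if the old tip cannot be pinned, reject the push.
    # The empty old value makes update-ref refuse to overwrite an audit ref.
    if ! git update-ref "$audit_ref" "$2" ""; then
        echo "audit: could not archive $2, rejecting update of $1" >&2
        return 1
    fi
    echo "audit: previous tip of $1 kept as $audit_ref" >&2
}

# Run only when installed as hooks/update, so the functions can be sourced.
case "${0##*/}" in update) main "$@" || exit 1 ;; esac
```

Refs under `refs/audit/` fall outside the default `refs/heads/*` fetch refspec, so ordinary clones and fetches do not pick them up, while the commits they point to stay reachable and are not garbage-collected.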
