    [ https://issues.apache.org/jira/browse/LOG4J2-3260?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Volkan Yazici closed LOG4J2-3260.
---------------------------------
    Resolution: Won't Fix

The PMC couldn't have a consensus on enabling branch protection settings.

> Missing branch protection settings on log4j2 repo
> -------------------------------------------------
>
>                 Key: LOG4J2-3260
>                 URL: https://issues.apache.org/jira/browse/LOG4J2-3260
>             Project: Log4j 2
>          Issue Type: Improvement
>            Reporter: Abhishek Arya
>            Assignee: Volkan Yazici
>            Priority: Trivial
>         Attachments: 20211224-scorecard-report.txt
>
>
> The branch protection setting is missing on
> [https://github.com/apache/logging-log4j2] repo. Please check
> [https://github.com/ossf/scorecard/blob/090ae4f0bbc3b6956971bec83530c86696e1e75d/docs/checks.md#branch-protection]
> for the reason why this setting is important. This setting is easy to enable and
> needs to be done for main and all release branches using
> [https://github.com/apache/logging-log4j2/settings/branches].
>
> You can run OpenSSF Scorecard to see the failures:
>
> ./scorecard --repo [https://github.com/apache/logging-log4j2] --show-details
>
> You will see some failures, but this branch protection check failure is
> the most important failure out of them.
>
> Different types of branch protection protect against different risks:
> * Require code review: requires at least one reviewer, which greatly reduces
> the risk that a compromised contributor can inject malicious code. Review
> also increases the likelihood that an unintentional vulnerability in a
> contribution will be detected and fixed before the change is accepted.
> * Prevent force push: prevents use of the {{--force}} command on public
> branches, which overwrites code irrevocably. This protection prevents the
> rewriting of public history without external notice.
> * Require [status checks|https://docs.github.com/en/github/collaborating-with-pull-requests/collaborating-on-repositories-with-code-quality-features/about-status-checks]:
> ensures that all required CI tests are met before a change is accepted.
>
> The next good one to have is to enable the CodeQL CI/CD check. Also, in the near
> future, please consider installing the OpenSSF AllStar app
> (https://github.com/ossf/allstar) on your GitHub organization. It will help
> with continuous enforcement of various security policies (including branch
> protection).
>
> -Abhishek Arya, Principal Engineer and Manager, Google Open Source Security Team



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
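The three protections listed in the issue (required review, no force-push, required status checks) are each a field in the payload GitHub returns for a branch-protection rule. The script below is an added example, not code from the Jira thread, from Log4j, or from OpenSSF Scorecard: it evaluates such a payload against those three protections, plus the "include administrators" switch that decides whether the rule binds the people most worth binding. The payload shape is assumed to follow the GitHub REST API response for GET /repos/{owner}/{repo}/branches/{branch}/protection; the HARDENED and WEAK payloads are constructed samples, and None stands for the 404 "Branch not protected" answer a branch with no rule at all produces.

```python
"""Evaluate a GitHub branch-protection payload against the protections
the issue asks for. Added example; payload shape assumed from the GitHub
REST API (GET /repos/{owner}/{repo}/branches/{branch}/protection)."""
from typing import Optional

# Constructed sample: a rule with every protection from the issue switched
# on. Fields not read by the checks have been trimmed.
HARDENED = {
    "required_status_checks": {"strict": True, "contexts": ["build", "CodeQL"]},
    "enforce_admins": {"enabled": True},
    "required_pull_request_reviews": {
        "required_approving_review_count": 1,
        "dismiss_stale_reviews": True,
    },
    "allow_force_pushes": {"enabled": False},
    "allow_deletions": {"enabled": False},
}

# Constructed sample: a rule exists, so the branch shows a shield icon in
# the UI, but nothing in it actually blocks a compromised committer.
WEAK = {
    "required_status_checks": {"strict": False, "contexts": []},
    "enforce_admins": {"enabled": False},
    "allow_force_pushes": {"enabled": True},
    "allow_deletions": {"enabled": True},
}

# Assumed: a branch with no rule at all answers 404 "Branch not protected";
# callers pass None for that case and every check must fail.


def evaluate(protection: Optional[dict]) -> dict:
    """Return {check_name: passed} for one branch's protection payload."""
    protection = protection or {}
    reviews = protection.get("required_pull_request_reviews") or {}
    status = protection.get("required_status_checks") or {}
    # `contexts` is the classic field; newer payloads also list `checks`
    # objects with a `context` key. Count both so neither shape is missed.
    contexts = list(status.get("contexts") or [])
    contexts += [c.get("context") for c in (status.get("checks") or [])]
    force = protection.get("allow_force_pushes") or {}
    admins = protection.get("enforce_admins") or {}
    return {
        # At least one approving reviewer on every pull request.
        "require_code_review": reviews.get("required_approving_review_count", 0) >= 1,
        # A protected branch blocks force-push unless explicitly re-allowed;
        # an unprotected branch (empty payload) never blocks it.
        "prevent_force_push": bool(protection) and not force.get("enabled", False),
        # "Require status checks" with zero contexts gates nothing.
        "require_status_checks": len(contexts) > 0,
        # Without this, repository admins bypass all of the above.
        "enforce_for_admins": bool(admins.get("enabled", False)),
    }


def failing_checks(protection: Optional[dict]) -> list:
    """Names of the protections that are not in force, in a stable order."""
    return [name for name, ok in evaluate(protection).items() if not ok]


if __name__ == "__main__":
    for label, payload in (("hardened", HARDENED), ("weak", WEAK), ("unprotected", None)):
        print(f"{label:12s} failing: {failing_checks(payload) or 'none'}")
```

The payload for a real branch can be pulled with `gh api repos/OWNER/REPO/branches/BRANCH/protection`; `gh api` exits non-zero on the 404 an unprotected branch returns, which is the case to map to None. Run it against main and every release branch, since a rule on main alone leaves the branches that releases are cut from unguarded.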