Closed Bug 1336624 Opened 7 years ago Closed 7 years ago

Prevent changes to servo/ directory in Firefox repos

Categories

(Developer Services :: Mercurial: hg.mozilla.org, defect)

Product:
Developer Services
Component:
Mercurial: hg.mozilla.org
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: gps, Assigned: gps)

References

Details

The servo/ directory in Firefox repos should only be changed by certain people. Currently, that would be whatever account is running the periodic Git -> Mercurial "syncing." Eventually, that will be autoland.

We need the read-only nature of the servo/ directory enforced by a hook.

This is a bit problematic to implement because of merges. It is easy to prevent changes to a directory wholesale. But we need to carve out an exception for pushes that merge repos into each other. I suppose we could have a whitelist of trusted push users (likely sheriffs) or we could look for a merge commit in the ancestry and assume the best.
Assignee: nobody → gps
Status: NEW → ASSIGNED
Given that the servo/ directory will only be written to on the servo-integration repo, can't we just enforce that the only writes to servo/ on other repos come from clean merge commits from servo-integration? It should always be a fast-forward as far as the servo/ directory is concerned.
Pushed by gszorc@mozilla.com:
https://hg.mozilla.org/hgcustom/version-control-tools/rev/6d618ac81fcf
hghooks: add a hook to restrict who can push changes to servo/ directory
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Gah - didn't post reply hanging out in my browser before landing...

(In reply to Bobby Holley (:bholley) (busy with Stylo) from comment #1)
> Given that the servo/ directory will only be written to on the
> servo-integration repo, can't we just enforce that the only writes to servo/
> on other repos come from clean merge commits from servo-integration? It
> should always be a fast-forward as far as the servo/ directory is concerned.

We could look into something like this. But it isn't how we do things anywhere else. I'm going to just implement an allow list of push users who can change the servo/ directory and we'll see where that gets us. The list will be comprised of sheriffs initially.

This means that non-sheriffs won't be able to merge changesets touching the servo/ directory around to other repos.
Anyway, I added the new hook to mozilla-central, mozilla-inbound, autoland, mozilla-aurora, mozilla-beta, mozilla-release, and mozilla-esr45.

KWierso was able to merge things around after the hook was deployed. So it looks like it is working.
You need to log in before you can comment on or make changes to this bug.