Open Bug 1538242 Opened 6 years ago Updated 1 year ago

Allow rewriting commit messages when landing for security bugs

Categories

(Conduit :: Lando, enhancement, P2)

enhancement

Tracking

(Not tracked)

People

(Reporter: smacleod, Unassigned)

References

(Depends on 4 open bugs, Blocks 1 open bug)

Details

(Keywords: conduit-triaged)

In order to preserve proper information about the patch it would be
nice to keep Phabricator’s title and summary descriptive. The current
Lando will use these when landing, so we’ll want a way for the author,
or landing user, to provide an alternative message to be used for the
actual commit.

Tasks:

  • Update Lando API to expose if a revision is security-sensitive in the stacks endpoint.
  • Add UI in Lando for providing an alternative commit message
    • The user should be prompted to do this when Lando detects it's a security-sensitive landing.
    • Make it clear why this exists and what you should use for your message (maybe link to security docs?)
  • Add an endpoint to Lando API to accept commit messages to be used.
    • This should post the new message to Phabricator as a comment and request sec-approval.
    • If sec-approval isn't required (sec-low, etc) this could just be part of landing immediately.
  • Lando API should pull the commit message from the Phabricator comment (but verify there was no tampering) when landing.

Other Notes:

  • Probably only need to allow a title override (summary should be left blank for landing).
  • Bug # should not be provided in the override; Lando is guaranteed to have it for security patches and will add it to the title.
  • Bug #, revision URL, and reviewer names are not considered secret and should still be in commit message that lands.
  • Might be worth warning on or blocking "trigger words" like "security fix", "exploitable", "vulnerable", "overflow", "injection", "use after free", etc.
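The checks the notes above describe (rejecting an override title that already carries the bug number, flagging trigger words, assembling the landing message with the non-secret bug number, reviewers and revision URL, and verifying the message pulled back from the Phabricator comment was not tampered with), as an added example that is not Lando's own code. The trigger-word list, the exact commit-message layout and the digest-based tamper check are this example's assumptions.

```python
import hashlib
import hmac
import re

# Constructed from the words the bug names; the exact list is an assumption.
TRIGGER_WORDS = ["security fix", "exploitable", "vulnerable", "overflow",
                 "injection", "use after free"]
# A title that already starts with "Bug NNN" duplicates what Lando adds itself.
BUG_PREFIX_RE = re.compile(r"^\s*bug\s+\d+", re.IGNORECASE)


def find_trigger_words(title):
    """Return the trigger words present in the proposed title (case-insensitive)."""
    lowered = title.lower()
    return [w for w in TRIGGER_WORDS if w in lowered]


def validate_override_title(title):
    """Return the problems with a proposed override title; an empty list means OK."""
    problems = []
    if not title.strip():
        problems.append("title is empty")
    if BUG_PREFIX_RE.match(title):
        problems.append("title starts with a bug number; Lando adds it")
    for word in find_trigger_words(title):
        problems.append(f"title contains trigger word: {word!r}")
    return problems


def build_commit_message(bug_id, override_title, reviewers, revision_url):
    """Assemble the landing message from the override title; raise on a bad title.

    The layout ("Bug N - title r=reviewers", blank summary, revision URL trailer)
    is this example's assumption, not Lando's documented format.
    """
    problems = validate_override_title(override_title)
    if problems:
        raise ValueError("; ".join(problems))
    first_line = f"Bug {bug_id} - {override_title.strip()} r={','.join(reviewers)}"
    return f"{first_line}\n\nDifferential Revision: {revision_url}\n"


def message_digest(message):
    """Digest to record when the message is posted to Phabricator (assumed mechanism)."""
    return hashlib.sha256(message.encode("utf-8")).hexdigest()


def verify_unchanged(recorded_digest, fetched_message):
    """True if the message fetched back from the comment matches the recorded digest."""
    return hmac.compare_digest(recorded_digest, message_digest(fetched_message))
```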
Assignee: nobody → mars
No longer depends on: 1538239, 1539289
Status: NEW → ASSIGNED
Assignee: mars → nobody
Mentor: mars
Status: ASSIGNED → NEW
See Also: → 1878085