733355 - Update the commit hook on tamarin-redux to look for the security marker

Status: RESOLVED WONTFIX

(Tamarin Graveyard :: Tools, defect)

Description

[Brent Baker]

Currently the commit hook that is run on hg.mozilla.org/tamarin-redux is only checking for blacklisted changeset hashes and a couple of old Wasabi and Serrano bugs. We need to have it scan the change for the "MARK_SECURITY_CHANGE" marker and reject any attempt to push a change that has this string.

This will pretty much be just copying the code from utils/hooks/tamarin-commit-hook.py and applying it to the hg.mozilla.org/hgcustom/hghooks/tamarin-hook.py

Comment 1

[Brent Baker]

Not really a security bug considering that the active code that I am modifying is publicly visible.

Comment 2

[Brent Baker]

Attachment: Add check for sec marker

Comment 3

[Brent Baker]

Note, when this change gets pushed a new bug will need to be created to have the hook deployed, see bug #631071.

Comment 4

[Brent Baker]

Also going to remove the following blacklist bugs:
563795: scheduled to be released
567107: was declassified
580489: bug not reproducible
507624: already released
618215: scheduled to be released

Comment 5

[Brent Baker]

Attachment: check for sec marker

check for additional marker

Comment 6

[Brent Baker]

Comment on attachment 603272 [details] [diff] [review]
check for sec marker

Removing Felix from the review since he already reviewed the patch via 659380.

Comment 7

[Brent Baker]

Commit hook is working as one would expect. On a local mirror of tamarin-redux that has this hook activated it blocked the following change from being pushed:

http://hg.mozilla.org/tamarin-redux/rev/16a6db6a3cb2