Security commits available on GitLab.com
From https://gitlab.com/gitlab-org/release/tasks/issues/185, it looks like the security commits are available on GitLab.com if you know the commit SHA. This isn't the first time it has happened, so I'm curious how this occurred.
The odd thing is that the security tags are NOT present on GitLab.com, and it doesn't appear that I can check out the commit locally after issuing a `git pull`. But it looks like the GPRD site also has a copy of the commits, so I have to wonder if some git reference is being synced between dev and GitLab.com.
Summary:
This happens because our remote (aka push) mirrors work like this (https://gitlab.com/gitlab-org/gitlab-ee/blob/4bd51416bffa5357e13fca4831f48fec2e87e86c/lib/gitlab/git/remote_mirror.rb#L25-41):
1. Find all the local branches and their references
2. Fetch all the remote branches matching the local ones and the references
3. Figure out which refs have been deleted
4. Push any changed branches
Step 2 fetches all the remote stable branches and pulls in all their commits.
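The effect of that fetch can be reproduced with plain git. The script below is an added example, not code from the GitLab project: `pub.git`, `priv.git`, the remote name `mirror` and the helper names are hypothetical, and it assumes the fetch stores the remote's branches under remote-tracking refs, as a plain `git fetch` does. It shows a commit that is readable by SHA in the fetching repository while no branch or tag there contains it, and a check that lists such commits.

```shell
#!/usr/bin/env bash
# Constructed demo. "pub.git" stands in for the repository that owns the push
# mirror, "priv.git" for the mirror's remote. All names are hypothetical.

g() { git -c user.name=demo -c user.email=demo@example.invalid "$@"; }

# Commits in the object store that only remote-tracking refs reach,
# i.e. fetched from the mirror remote but on no local branch or tag.
unpublished_commits() {
  git -C "$1" rev-list --remotes --not --branches --tags
}

# True when no branch or tag in the repository contains the commit.
on_no_public_ref() {
  [ -z "$(git -C "$1" for-each-ref --contains "$2" refs/heads refs/tags)" ]
}

demo() {
  local work
  work=$(mktemp -d) || return 1
  g init -q "$work/seed"
  g -C "$work/seed" commit -q --allow-empty -m "public release"
  g -C "$work/seed" branch -M stable
  git clone -q --bare "$work/seed" "$work/pub.git"
  git clone -q --bare "$work/seed" "$work/priv.git"

  # A security fix lands on the remote's copy of the stable branch only.
  git clone -q "$work/priv.git" "$work/fix"
  g -C "$work/fix" commit -q --allow-empty -m "security fix"
  g -C "$work/fix" push -q origin stable
  FIX_SHA=$(git -C "$work/fix" rev-parse HEAD)

  # Step 2: fetch the remote branches that match the local ones.
  git -C "$work/pub.git" remote add mirror "$work/priv.git"
  git -C "$work/pub.git" fetch -q mirror

  PUB=$work/pub.git
}

demo || exit 1
echo "object type by SHA in pub.git: $(git -C "$PUB" cat-file -t "$FIX_SHA")"
echo "commits reachable only from mirror-tracking refs:"
unpublished_commits "$PUB"
```

A fresh clone of `pub.git` does not receive the commit, because a clone fetches only branches and tags, which matches the `git pull` behaviour described above.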