Prevent side-effects from mirrored markdown syntax #1
Comments
|
More on evaluation of mentions polutions: Taking the example of https://github.com/gberche-orange/pivotal-tracker-mirror/issues/222 it did not trigger a mention since the CF Gitbot uses the following syntax which is not recognized as a @mention Taking the example of https://github.com/gberche-orange/pivotal-tracker-mirror/issues/224#issuecomment-235375789 the mention did not trigger because the github userid (sreetummidi) and the pivotal tracker ids (stummidi ) were different: For some users with identical ids, mentions polution indeeded triggered, eg in https://github.com/gberche-orange/pivotal-tracker-mirror/issues/87#issuecomment-235332997 for fhanik or madhurab In general, the @mentions seems indeed notify users even for repos they are not watching. See https://github.com/settings/notifications which mentions " Your notification settings apply to the repositories you’re watching" while https://help.github.com/articles/about-notifications/#types-of-notifications is somewhat more clearly specifying that direct mentions will notify you https://github.com/gberche-orange/polutting-referencer/issues/2 as an experiment of a poluting mention indeed triggered on non-watched repos. |
|
More on issue cross-reference pollution: Pollution occur for mirrored stories that were automatically created by the CF git bot for issues or pull-requests https://github.com/gberche-orange/pivotal-tracker-mirror/issues/220 is using the syntax https://github.com/gberche-orange/pivotal-tracker-mirror/issues/222 is using the syntax: and additionally the plain text referencing a the To fix existing pollution of cross referenced issues, the following alternatives were considered/tested:
|
|
More on the email disclosure leading to spam: The following fixes come to mind:
|
|
More on the short-term option of escaping the whole markdown content using pros:
cons:
|
gberche-orange
changed the title
|
commit 32ee460 addressed:
I suggested to leave the issue cross-reference as a way to let the CF community discover the mirror issues, and therefore not applying initial suggestions in #1 (comment) |
|
Reopening following @williammartin 's message on cf-dev The problem is that the mirroring process is enabling implicit back references whereas backlog contributors are not aware of this, and hence could not take care of escaping/sanitizing references they'd like to keep private/without back references. Proposal to redact all github issue or PR URLs except a whitelist of GH organizations such as "cloudfoundry*" which would be still left as is. As mentionned into #1 (comment) there are multiple formats to redact (in addition to the officially documented at https://help.github.com/articles/autolinked-references-and-urls/#issues-and-pull-requests ): which render as the following and indeed trigger cross references: https://github.com/jlord/sheetsee.js/issues/27 Note the following syntax variations may display as urls but don't create cross-refs:
Suggesting to redact them with double backquotes: which render as and don't trigger cross references:
|
and others
mirrored markdown content (in story description or comment) may be interpreted by github markdown syntax as:
github commit cross references (don't seem to have side effects)This may have the following undesired polluting side effects:
We need to find a way to avoid such pollution. Some ideas:
try to escape @mentions such as @gberche with a backslash escape such as /@gbercheThe text was updated successfully, but these errors were encountered: