Audit manual-resolving-conflicts in arc land?


We want to enforce code review on all changes. However, we realized that, during arc land, when there is a need to resolve conflicts after a rebase, one can make any arbitrary change to the affected files, as long as they are not deleting or adding files. Is it possible to trigger an audit if conflicts were manually resolved?


I’m wondering, is a Herald rule enough to do this?

Any suggestion will be appreciated. Thanks

Authors can make changes even if they don’t need to resolve conflicts - see
You could replace arc land with a server-side landing via but even then, an attacker can have different code reviewed and committed.

You can have audit/prevent commits that have no revision at all, but that’s not enough to stop a committed attacker.

I believe the general suggestion with this issue is “don’t let untrusted users push code”; this is not completely unreasonable, as non-trusted users can still arc diff, you just need some trusted user to perform the actual landing.


Thanks. We have turned off sticky-accept. So that shouldn’t be an issue.

Any advice will be appreciated. Thanks

You can use your CI system to compare each commit to the Revision it corresponds to, and use the Conduit API to create an audit.
Note that the Revision gets updated with the content of the commit, so you’ll need to look up the relevant Diff instance.
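
One way a CI job could do the comparison suggested above, as an added example that is not part of the thread or of Phabricator's own code. It assumes the job has already fetched the reviewed Diff and the landed commit as git-style unified diffs (the Conduit calls are not shown); the function names and sample patches are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

HUNK = re.compile(r"^@@ -\d+(?:,(\d+))? \+\d+(?:,(\d+))? @@")

def changed_lines(patch):
    """Map path -> Counter of ('+'|'-', text), ignoring hunk offsets and context."""
    files, path, old, new = defaultdict(Counter), None, 0, 0
    for line in patch.splitlines():
        if old > 0 or new > 0:                     # inside a hunk body
            if line.startswith("-"):
                old -= 1
                files[path][("-", line[1:])] += 1
            elif line.startswith("+"):
                new -= 1
                files[path][("+", line[1:])] += 1
            elif not line.startswith("\\"):        # context line, counts on both sides
                old -= 1
                new -= 1
            continue
        m = HUNK.match(line)
        if m:                                      # an omitted count means 1
            old, new = int(m.group(1) or 1), int(m.group(2) or 1)
        elif line.startswith(("--- ", "+++ ")) and line[4:] != "/dev/null":
            path = re.sub(r"^[ab]/", "", line[4:].split("\t")[0])
    return files

def unreviewed_changes(reviewed_patch, landed_patch):
    """Return {path: {'extra': [...], 'missing': [...]}} for files that differ."""
    reviewed, landed = changed_lines(reviewed_patch), changed_lines(landed_patch)
    report = {}
    for path in sorted(set(reviewed) | set(landed)):
        extra = landed.get(path, Counter()) - reviewed.get(path, Counter())
        missing = reviewed.get(path, Counter()) - landed.get(path, Counter())
        if extra or missing:
            report[path] = {"extra": sorted(extra.elements()),
                            "missing": sorted(missing.elements())}
    return report

# Constructed sample: the diff that was accepted in review.
REVIEWED = """\
--- a/app/session.py
+++ b/app/session.py
@@ -10,3 +10,3 @@
 def ttl():
-    return 3600
+    return 900
 # end
"""
# Constructed sample: the landed commit, rebased, with one line nobody reviewed.
LANDED = REVIEWED.replace("@@ -10,3 +10,3 @@", "@@ -14,3 +14,4 @@").replace(
    "+    return 900\n", "+    return 900\n+VERIFY_TLS = False\n")
```

A non-empty report is the signal to raise the audit; a commit that was only rebased produces an empty one because hunk offsets and context lines are ignored.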

arcanist 83661809e532c3fe444a8bf7c7d6936e6377691b (26 Oct 2018)
libphutil f9a65ebb0e0c70940321e20c1ee5c5df6573822f (27 Oct 2018)

After some experimenting, it seems this will be blocked by an error like

Local "test-merge-rebase-branch" does not merge cleanly into "origin/master". Merge or rebase local changes so they can merge cleanly.

So it seems we’re good here. Thanks