For the cases where we expect writers to only write once -- probably at least:
- rust-lang/rust CI uploads
- mirror bucket (maybe, not sure about this one)
- crates.io crate uploads (maybe)
We should update the CI code and then update the AWS policies to enforce CI is only creating new objects, not overwriting old ones. See docs here: https://docs.aws.amazon.com/AmazonS3/latest/userguide/conditional-writes-enforce.html
That would deliver part of the security benefit from #355 (comment), where we prevent accidental or intentional overwrites of already created objects -- making it noisy if someone e.g. queues up writes from a try build to a different try build or similar, rather than silently succeeding in both builds (as would happen today). It's not a complete fix since it's time dependent, but for auto merges it's already fully sufficient (those never run concurrently) and for try builds it at least helps somewhat.
For the cases where we expect writers to only write once -- probably at least:
We should update the CI code and then update the AWS policies to enforce CI is only creating new objects, not overwriting old ones. See docs here: https://docs.aws.amazon.com/AmazonS3/latest/userguide/conditional-writes-enforce.html
That would deliver part of the security benefit from #355 (comment), where we prevent accidental or intentional overwrites of already created objects -- making it noisy if someone e.g. queues up writes from a try build to a different try build or similar, rather than silently succeeding in both builds (as would happen today). It's not a complete fix since it's time dependent, but for auto merges it's already fully sufficient (those never run concurrently) and for try builds it at least helps somewhat.