incubator-general mailing list archives

From Roman Shaposhnik <ro...@shaposhnik.org>
Subject Re: Podling request: Gerrit
Date Wed, 15 Jul 2015 23:21:49 GMT
On Wed, Jul 15, 2015 at 4:17 PM, Till Westmann <tillw@apache.org> wrote:
>
>> On Jul 15, 2015, at 10:02 PM, Roman Shaposhnik <roman@shaposhnik.org> wrote:
>>
>> On Wed, Jul 15, 2015 at 3:13 AM, Ian Maxon <imaxon@uci.edu> wrote:
>>>> 2. The ASF has no record of any contributions that are happening on
>>>> the Gerrit instance at UCI, until a committer decides to push code to
>>>> the ASF repo.
>>>
>>> I'm afraid I don't understand this point. How is this different than
>>> any other distributed version control system? In github, nobody is
>>> aware of a contribution in a fork until a pull request is made. How's
>>> that any different than what's going on here?
>>
>> In Git (and I'd presume any Git-like DVCS) anything but the push logs
>> can be spoofed. Having a record of who actually pushed to the repo
>> is one of the requirements from ASF's standpoint to track chain of custody
>> for the code that lands in our projects.
>
> But that seems to be the case here. The actual commit is pushed manually
> by an AsterixDB committer.

Exactly! Which rewinds us all the way back to my original reply on
this thread.

As long as there's a human being in the loop reviewing what's going into the
repo I don't think I've got any issues with the process.

But! Asking for an ASF-managed Gerrit instance will remove that human from
the loop. This is negotiable but would require INFRA having the same trust
in Gerrit logs as they have in their current Git push logs.

Thanks,
Roman.
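
The push-log point from the exchange above, as an added example that is not part of the original message or of any ASF or Gerrit tooling: the author and committer headers inside a commit are written by whoever created it, so a server-side record has to take the pusher from the authenticated session and store the commit's claims next to it. The function names, the log layout and the sample commits are assumptions constructed for illustration.

```python
import hashlib
import re

IDENT = re.compile(r"^(author|committer) (.*) <([^>]*)> (\d+) ([+-]\d{4})$")

def object_id(raw: bytes) -> str:
    """SHA-1 object id as Git computes it: 'commit <len>\\0' followed by the body."""
    return hashlib.sha1(b"commit %d\x00" % len(raw) + raw).hexdigest()

def claimed_identities(raw: bytes) -> dict:
    """Return the author/committer e-mails that the commit's creator wrote into it."""
    claimed = {}
    for line in raw.decode("utf-8").split("\n"):
        if line == "":  # a blank line ends the header section
            break
        m = IDENT.match(line)
        if m:
            claimed[m.group(1)] = m.group(3).lower()
    return claimed

def push_log_entry(pusher: str, ref: str, commits: list, received_at: str) -> dict:
    """Build the server-side record. `pusher` must come from the authenticated
    session (SSH key or login), never from anything inside the commits."""
    entries = []
    for raw in commits:
        ids = claimed_identities(raw)
        entries.append({
            "id": object_id(raw),  # covers the claimed names: integrity, not identity
            "claimed_author": ids.get("author"),
            "claimed_committer": ids.get("committer"),
            "committer_is_pusher": ids.get("committer") == pusher.lower(),
        })
    return {"pusher": pusher, "ref": ref, "received_at": received_at,
            "commits": entries}

# Constructed sample commits (not real objects from any repository).
TREE = "4b825dc642cb6eb9a060e54bf8d69288fbee4904"  # Git's well-known empty tree id

def sample_commit(author: str, committer: str) -> bytes:
    return (f"tree {TREE}\n"
            f"author {author} 1436999000 +0000\n"
            f"committer {committer} 1436999000 +0000\n"
            "\nExample change\n").encode()

OWN = sample_commit("Alice <alice@example.org>", "Alice <alice@example.org>")
RELAYED = sample_commit("Bob <bob@example.org>", "Bob <bob@example.org>")
ENTRY = push_log_entry("alice@example.org", "refs/heads/master",
                       [OWN, RELAYED], "2015-07-15T23:21:49Z")
```

The second commit is the case discussed in the thread: a committer pushing work created by someone else, which the record keeps visible instead of rejecting.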
