incubator-general mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Ian Maxon <ima...@uci.edu>
Subject Re: Podling request: Gerrit
Date Wed, 15 Jul 2015 20:22:07 GMT
> In Git (and I'd presume any Git-like DVCS) anything but the push logs
> can be spoofed. Having a record of who actually pushed to the repo
> is one of the requirement from ASF's standpoint to track chain of custody
> for the code that lands in out projects.

Understood. That's the very reason why we modified our process to its
present state when we began incubation. As stated before in this
thread, the push logs aren't played with- it is always a committer
that actually pushes a contribution to the ASF, with their account,
and not a robot or proxy, in our current workflow. The push logs still
record a valid chain of custody.

The analogous situation in the case David was describing, if I am
understanding it correctly, is that ASF doesn't know of an
uncommitted/unverified contribution that may lie in Gerrit's review
queue, possibly pending commit. Unless there's something I am missing,
I don't understand how that's any more or less recorded or visible
than a contribution that lies in a personal fork in Github, before it
has a pull request submitted and merged.

-Ian

On Wed, Jul 15, 2015 at 1:02 PM, Roman Shaposhnik <roman@shaposhnik.org> wrote:
> On Wed, Jul 15, 2015 at 3:13 AM, Ian Maxon <imaxon@uci.edu> wrote:
>>> 2. The ASF has no record of any contributions that are happening on
>>> the Gerrit instance at UCI, until a committer decides to push code to
>>> the ASF repo.
>>
>> I'm afraid I don't understand this point. How is this different than
>> any other distributed version control system? In github, nobody is
>> aware of a contribution in a fork until a pull request is made. How's
>> that any different than what's going on here?
>
> In Git (and I'd presume any Git-like DVCS) anything but the push logs
> can be spoofed. Having a record of who actually pushed to the repo
> is one of the requirement from ASF's standpoint to track chain of custody
> for the code that lands in out projects.
>
> Do realize that this unique requirement comes from the fact that
> we're a foundation, not just a code hosting site.
>
> Thanks,
> Roman.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
> For additional commands, e-mail: general-help@incubator.apache.org
>

---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org


Mime
View raw message