From: Ian Maxon
Date: Wed, 15 Jul 2015 13:22:07 -0700
Subject: Re: Podling request: Gerrit
To: general@incubator.apache.org

> In Git (and I'd presume any Git-like DVCS) anything but the push logs
> can be spoofed. Having a record of who actually pushed to the repo
> is one of the requirements from ASF's standpoint to track chain of custody
> for the code that lands in our projects.

Understood. That's the very reason why we modified our process to its present state when we began incubation. As stated before in this thread, the push logs aren't played with - it is always a committer that actually pushes a contribution to the ASF, with their account, and not a robot or proxy, in our current workflow. The push logs still record a valid chain of custody.

The analogous situation in the case David was describing, if I am understanding it correctly, is that ASF doesn't know of an uncommitted/unverified contribution that may lie in Gerrit's review queue, possibly pending commit. Unless there's something I am missing, I don't understand how that's any more or less recorded or visible than a contribution that lies in a personal fork in Github, before it has a pull request submitted and merged.

-Ian

On Wed, Jul 15, 2015 at 1:02 PM, Roman Shaposhnik wrote:
> On Wed, Jul 15, 2015 at 3:13 AM, Ian Maxon wrote:
>>> 2. The ASF has no record of any contributions that are happening on
>>> the Gerrit instance at UCI, until a committer decides to push code to
>>> the ASF repo.
>>
>> I'm afraid I don't understand this point. How is this different than
>> any other distributed version control system? In github, nobody is
>> aware of a contribution in a fork until a pull request is made. How's
>> that any different than what's going on here?
>
> In Git (and I'd presume any Git-like DVCS) anything but the push logs
> can be spoofed. Having a record of who actually pushed to the repo
> is one of the requirements from ASF's standpoint to track chain of custody
> for the code that lands in our projects.
>
> Do realize that this unique requirement comes from the fact that
> we're a foundation, not just a code hosting site.
>
> Thanks,
> Roman.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
> For additional commands, e-mail: general-help@incubator.apache.org