[Kde-scm-interest] Distributed model VS accountability

Johannes Sixt j.sixt at viscovery.net
Fri Nov 23 16:40:43 CET 2007 

Thiago Macieira schrieb:
> Here's an example:
> 
> $ cd kdelibs
> $ git pull
> $ [add questionable code]
> $ GIT_COMMITTER_NAME="Thomas Zander" \
>   GIT_COMMITTER_EMAIL=zander at kde.org \
>   GIT_AUTHOR_NAME="Thomas Zander" \
>   GIT_AUTHOR_EMAIL=zander at kde.org \
>   git commit -m "Questionable commit"
> 
> $ git cat-file -p HEAD
> tree 17e9962ec1e7a483d95b295739dcc2d5a24fadac
> parent e4313d5f83056b15d432bbb3c7a964e1741fd444
> author Thomas Zander <zander at kde.org> 1195830248 +0100
> committer Thomas Zander <zander at kde.org> 1195830248 +0100
> 
> Questionable commit
> $ git push
> 
> After that push, how can one tell that it was I who sent the questionable 
> commit, not Thomas?

Distributed development needs a network of trust.

For small projects, things are very simple: There's (say) one person, and 
that person reviews all incoming changes, and publishes (pushes) the result 
to a known location. Users need only trust that single point of 
distribution. If someone else publishes a different version of the same 
project, it's the user's problem to trust that someone else.

For a larger project things become more involved. It starts by a single 
point of distribution, which only one or few people have push access to. 
Those people must be trustworthy. Let's call them BD. (Of course, nobody is 
forced to trust them.)

But since it cannot be expected that they can review all incoming changes, 
they need other people, "lieutenants", whom they in turn trust. That is, BD 
will pull changes from the lieutenants without detailed review and push them 
out to the single point of distribution.

The lieutenants themselves are possibly again backed by "major contributors" 
whom they trust. (At this point the fields of responsibility are likely 
small enough that incoming changes can be reviews in detail by the 
lieutenant or major contributors.)

At the infrastructure level, you need means that the chains of trust cannot 
be broken.

At the lowest level, git provides a chain of trust by the SHA1 signatures.

At a higher level, trust must be implemented such that each person can 
change (basically) only his own repository. For this reason, it is good that 
in your earlier proposal access rights to certain repositories were very 
limited. BD and lieutenants will only pull from such restricted repositories.

Major contributors will review all incoming changes and push to their own 
trustable repositories and ask the lieutenants to propagate the changes 
upstream. In this context, "incoming" will mean mostly changes pushed to the 
publically accessible repository tree by random contributors, and the users' 
repositories.

To come back to your example: I will trust *you*. And will blindly pull from 
*your* repository, no matter whose name the commit carries.

-- Hannes

More information about the Kde-scm-interest mailing list