[Kde-scm-interest] Accountability, concrete suggestion

Thomas Zander zander at kde.org
Fri Aug 1 10:08:50 CEST 2008


On Thursday 31. July 2008 20:54:59 Patrick Aljord wrote:
> There is another solution than creating a special "logging branch" and
> doing risky auto merge [] or

Note that I never suggested to do server-side merging ;)

> using gpg (not user friendly).

Note how gpg is not required to be used at all for the majority of the 
use cases.

> This other solution is IMO more in the spirit of Git. This is also
> what we suggested with GitoriousKDE:
>
> Everybody is free to create an account on gitorious but by default
> people can't commit to the KDE repositories, they can only clone them.
> This is how it would work:

[snip]

You seem to solve the problem by sidestepping it ;)  There are several cases 
in your scenario where a malicious user can introduce commits that look like 
they come from any contributor and make it impossible to trace who actually 
made that commit.

I too believe that KDE is a group that is well adjusted and should be able to 
live without a police-state like system.  But experience shows that the main 
reason desperate people don't slip over the edge is because it would be 
noticed immediately. Making all your steps public keeps people honest. There 
is nothing wrong with that :)

In the gitorious setup Dean can easily pull the changes from Carla and modify 
some of them before pushing them to the kde-server, making a modification 
Dean made look like it came from Carla. And nobody would ever be able to 
detect it was Dean who made that change.

Gitorious works fine for small groups of people collaborating. Really the only 
problem I have with the software is that the website doesn't show on the home 
or about page that gitorious is open source ;)

But for larger communities the idea that we can have an absolute reference 
about who pushed which commits (and thus who takes responsibility for them) 
is something I think would make an excellent addition to gitorious.

Thanks for your ideas!
-- 
Thomas Zander
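
Added example, not part of the original message and not Gitorious or KDE code: a sketch of the "who pushed which commits" reference discussed above, applied to the Dean and Carla scenario. The push-log record format, the commit ids and the function names are assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed sample data. Git stores the author as a self-asserted field.
COMMITS = {
    "c1a0": {"author": "Carla", "parent": "base"},  # Carla's original commit
    "d7f3": {"author": "Carla", "parent": "base"},  # Dean's altered copy, author kept
    "e442": {"author": "Dean", "parent": "d7f3"},   # Dean's own follow-up commit
}

# Hypothetical server-side log: one record per authenticated push.
PUSH_LOG = [
    {"pusher": "Carla", "ref": "refs/heads/carla", "old": "base", "new": "c1a0"},
    {"pusher": "Dean", "ref": "refs/heads/master", "old": "base", "new": "e442"},
]


@dataclass
class Attribution:
    commit: str
    claimed_author: str  # taken from the commit, unauthenticated
    pusher: str          # taken from the server log, authenticated

    @property
    def mismatch(self) -> bool:
        return self.claimed_author != self.pusher


def introduced(old, new, commits):
    """Return the commits a fast-forward push added, oldest first."""
    chain, cur = [], new
    while cur != old:
        if cur not in commits:
            raise ValueError(f"{new} does not descend from {old}")
        chain.append(cur)
        cur = commits[cur]["parent"]
    return chain[::-1]


def attribute(push_log, commits):
    """Map each commit to the first authenticated push that introduced it."""
    result = {}
    for push in push_log:
        for cid in introduced(push["old"], push["new"], commits):
            result.setdefault(
                cid, Attribution(cid, commits[cid]["author"], push["pusher"]))
    return result
```

A mismatch is not by itself a sign of tampering, since relaying other people's commits is normal; the log only fixes which authenticated account introduced each commit to the server.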