[Kde-scm-interest] Accountability (was: svn, git, bzr)

Thiago Macieira thiago at kde.org
Sat Jul 26 14:42:02 CEST 2008 

Friedrich W. H. Kossebau wrote:
>I am especially interested how accountability (or what the term is) will
> be treated if some code is developed off the central repository system.
> With the current central system every commit is bound to one account,
> checked by password. But how to handle the merge of a branch in another
> repository with perhaps local accounts, not given by the KDE admins?
> How should copyright assignment be handled? BTW, doesn't the same
> problem already arise with subversion today when svnmerge is used, as
> done e.g. in the merging of the PIM enterprise branch, which are
> commited by one person and have no clear authorship (thus copyright
> ownership) registered with the system, IIUC. Is this alright?

I posted on a thread on this subject a while ago. Obviously I can't find 
it anymore. So I'm going to try and reproduce here what I remember:

The scenario is the following:
1) contributor Thiago Macieira has a DVCS checkout of a KDE repository. He 
does the equivalent of:

	git commit --author "Aaron Seigo"
	git push

How can we, after the fact, determine that it was Thiago who made that 
commit, not Aaron?

Or, a more complex scenario:
1) contributor Thiago Macieira has a lot of his own commits as well as 
merges from other people, but among them he did:

	git commit --author "Aaron Seigo"

2) Thiago tricks contributor Friedrich Kossebau into merging from his 
branch

3) contributor Friedrich pushes upstream

How can we, after the fact, determine that Aaron was not involved in the 
process?


For Git, the answer is: we can't. The whole accountability with Git rests 
not on the tool, but on the social network and the trust between the 
parties. In other words, you can't detect it later, but the structure of 
the project should detect it before it happens.

The first suggestion I came up with was to ensure that, every push you 
make to the server contains only commits whose author and committer are 
you, yourself. That way, you can't impersonate others.

The problem with that suggestion is that it completely prevents merges 
from other people's code. That is, I can't take your ingenious code, 
merge into my main tree and push to the server.

So the second suggestion is to require only the committer name to be 
yours, but let author float free. That will however impose problems with 
commit rewritings, the need to rebase or use git-am, whereas a much 
simpler pull (merge) would be far easier.

The third suggestion I came up with was to require every push to end in an 
annotated tag, whose author is you. In other words, you take 
responsibility for the integrity of every single commit between the last 
tag and yours.

The problem arising with that is that someone could fake such a tag under 
your name, then add a trivial commit later and his own tag. After the 
fact, you see questionable changes from one author and trivial changes 
from another.

We can make the suggestion then of using GPG-signed tags, for every single 
push. That way, the tags cannot be faked and you guarantee that, if the 
key verification succeeds, it comes from the right person.

The obvious drawback is that setting up GnuPG and having trusted keys is a 
lot of work to require from contributors.

A fifth suggestion is then to have the server log every push and include 
the account name of whoever did the push. This could even be done in the 
repository, by way of tagging every push. With clever hooks, the server 
can prevent your pushing of tags that would make the log ambiguous.

Of course, this boils down to trusting the server administrators, which we 
have to do right now anyways.

Then I have to ask: how paranoid are we? What's our objective here? To 
give credit where credit is due? Or to wash our hands of any guilt should 
something catastrophic happen in the future (e.g., copyrighted, patented 
code is found on KDE in 2015 and someone wants to assign blame)?

-- 
  Thiago Macieira  -  thiago (AT) macieira.info - thiago (AT) kde.org
    PGP/GPG: 0x6EF45358; fingerprint:
    E067 918B B660 DBD1 105C  966C 33F5 F005 6EF4 5358
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part.
Url : http://mail.kde.org/pipermail/kde-scm-interest/attachments/20080726/7c773e45/attachment.pgp

More information about the Kde-scm-interest mailing list