[Kde-scm-interest] accountability

[Thomas Zander]

As the meeting minutes show a TODO list I'd like to suggest we look at the 
'accountability' thread I started with a mail on 31.07.2008 15.07 
"Accountability, concrete suggestion" and not let that one slip through the 
cracks.

We need someone to research essentially if we can easily trace who made a 
push. As you may know, git allows me to commit under any email address.
For example if evilHaxor makes a commit as ettrich and pushes it to a 
feature branch of kdebase which enhances kwin and 2 months (and 60 commits) 
later that gets merged into the main tree can we still track who exactly 
pushed this? And 3 years from now?
Can we still track it after that the feature branch has been removed by the 
owner ?
How hard is it to track it 3 years from now in the unfortunate event that 
gitorious,org is no longer available?

We talked a bit on IRC about this and the current solution seems to be to 
use the push info that gitorious now records. They record in a sql database 
that I pushed certain commits (sha1s) and they record that it was my ssh key 
that did it.
The suggestion is to make sure we get periodic backups that the e.v. would 
own so even if gitorious goes under we have them.
I see several problems with that; the easiest is already identified. We have 
to get permission from the user for gitorious to share this info with the 
e.v. As Ingo and Ian mentioned in another thread.
Makes me wonder what happens when I get a patch from a 3rd party and I push 
it.  That 3rd party never ok-ed to the opt-in and his email address is still 
in the commit.  Is that not a violation?
Or what if I start a koffice-plugin as a separate repo and get some friends to 
help out.  Is it possible KDE would forbid me to merge that because one of 
them doesn't want to ok to the opt-in?

I hate to bring up these pesky legal and accountability issues but I think 
they should be fixed before we start working on this new platform at-large. I 
hope you agree.
-- 
Thomas Zander