[Kde-scm-interest] accountability

Ian Monroe ian.monroe at gmail.com
Fri Nov 13 14:17:24 CET 2009


On Thu, Nov 12, 2009 at 5:54 PM, Thomas Zander <zander at kde.org> wrote:
> As the meeting minutes show a TODO list I'd like to suggest we look at the
> 'accountability' thread I started with a mail on 31.07.2008 15.07
> "Accountability, concrete suggestion" and not let that one slip through the
> cracks.
>
> We need someone to research essentially if we can easily trace who made a
> push. As you may know, git allows me to commit under any email address.
> For example if evilHaxor makes a commit as ettrich and pushes it to a
> feature branch of kdebase which enhances kwin and 2 months (and 60 commits)
> later that gets merged into the main tree can we still track who exactly
> pushed this? And 3 years from now?
> Can we still track it after that the feature branch has been removed by the
> owner?
> How hard is it to track it 3 years from now in the unfortunate event that
> gitorious.org is no longer available?
>
> We talked a bit on IRC about this and the current solution seems to be to
> use the push info that gitorious now records. They record in a sql database
> that I pushed certain commits (sha1s) and they record that it was my ssh key
> that did it.
> The suggestion is to make sure we get periodic backups that the e.v. would
> own so even if gitorious goes under we have them.
> I see several problems with that; the easiest is already identified. We have
> to get permission from the user for gitorious to share this info with the
> e.v. As Ingo and Ian mentioned in another thread.
> Makes me wonder what happens when I get a patch from a 3rd party and I push
> it.  That 3rd party never ok-ed to the opt-in and his email address is still
> in the commit.  Is that not a violation?

Let's let Shortcut worry about that... one assumes information
available from a simple git log isn't going to be covered with extra
rules. I think you're confusing 'git log' and the 'who merges what' that
Shortcut collects.

Mostly I suspect we need a privacy exemption since probably there's
lots of other information in the SQL database that isn't normally
public. And the issue there is having an exit strategy from Shortcut,
having the merge history is a side-effect.

> Or what if I start a koffice-plugin as a separate repo and get some friends to
> help out.  Is it possible KDE would forbid me to merge that because one of
> them doesn't want to ok to the opt-in?

Now it's KDE forbidding? Let's keep discussions reality-based.

> I hate to bring up these pesky legal and accountability issues but I think
> they should be fixed before we start working on this new platform at-large. I
> hope you agree.

I was thinking of asking Gitorious if they could keep a simple log of
commit hashes and the user name or id that pushed it. Since commit
hashes are completely unique this would be enough information.

Ian
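
One way to keep the kind of push log described in the message above, as an added example (not part of the original mail and not Gitorious code): a server-side pre-receive hook sketch that records the authenticated account next to every newly pushed commit hash. `PUSHER_ID` and `push-audit.log` are assumed names, and the account id is assumed to contain no spaces.

```python
#!/usr/bin/env python3
"""Pre-receive hook sketch: log which authenticated account pushed each commit."""
import os
import subprocess
import sys
import time

ZERO = "0" * 40  # id git sends for a ref that is being created or deleted


def git_new_commits(new):
    """Hashes this update introduces that no existing ref reaches yet."""
    if new == ZERO:  # ref deletion brings in nothing new
        return []
    # In pre-receive the refs are not updated yet, so --all is the old state.
    out = subprocess.run(["git", "rev-list", new, "--not", "--all"],
                         check=True, capture_output=True, text=True).stdout
    return out.split()


def record_push(lines, pusher, log, list_commits=git_new_commits, now=time.time):
    """Append 'time pusher ref sha' per new commit; return the entries written."""
    entries = []
    for line in lines:  # one "<old> <new> <ref>" line per updated ref
        _old, new, ref = line.split()
        for sha in list_commits(new):
            entries.append(f"{int(now())} {pusher} {ref} {sha}")
    log.writelines(entry + "\n" for entry in entries)
    return entries


def who_pushed(log_lines, sha):
    """First account recorded as pushing `sha`, or None if it was never logged."""
    for line in log_lines:
        _time, pusher, _ref, logged = line.split()
        if logged == sha:
            return pusher
    return None


if __name__ == "__main__":
    # PUSHER_ID is an assumed variable, set by the SSH layer from the key used.
    pusher = os.environ.get("PUSHER_ID", "unknown")
    with open("push-audit.log", "a") as log:  # assumed log location
        record_push(sys.stdin, pusher, log)
```

The recorded name comes from the server's authentication, not from the author and committer fields that the pusher controls. A merge keeps the original commit hashes, so the lookup still answers after the feature branch is deleted, provided the log file itself is backed up.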

