[Kde-scm-interest] accountability
Riccardo Iaconelli
riccardo at kde.org
Wed Nov 18 07:31:50 CET 2009
On Sunday 15 November 2009 10:41:43 Thiago Macieira wrote:
> On Saturday 14 November 2009, at 23:55:30, argonel wrote:
> > My suggestion is to have a pre-commit hook that compares the email
> > address on the commit message to the list of subscribers to
> > kde-cvs-announce (or bugzilla) and if it isn't found, reject the commit.
> > We'll need a mechanism for syncing this list, but it should not be an
> > insurmountable hurdle.
>
> Won't work. What if I merge a patch from someone else, who isn't a KDE
> developer?
>
Mmh... but this is a problem also with SVN, no?
And I think we're missing the point a bit when these threads continue to go
on. What is the exact reason for needing accountability? What will be the
consequences if we find a malicious commit? What if the person just sent
that patch and then disappeared? What if the evil guy also used a malicious
--author?
I think that what Ian proposes:
[I was thinking of asking Gitorious if they could keep a simple log of
commit hashes and the user name or id that pushed it. Since commit
hashes are completely unique this would be enough information.]
is indeed what is needed.
One can always say "I merged this patch from someone else" (unless the patch
is blatantly malicious, with own name and email in the commit) and we can
never be perfectly sure of the path that code followed before coming to our
repo, because people are free(tm) to do (almost) what they want with it, and
contributions can come from wherever!
Unless we forbid cloning the repo, or distributing KDE's source code.
Bye,
-Riccardo
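Ian's proposal as quoted above (a log of commit hashes and who pushed them), written out as an added example that is not part of this thread or of Gitorious: a server-side Git "update" hook in POSIX sh. The log path, the GL_USER/USER lookup for the pusher and the hook layout are assumptions; the point is that the pushing account is recorded by the server regardless of what --author says in the commit.

```shell
#!/bin/sh
# Added example (hypothetical hook, not a KDE or Gitorious script): a Git
# "update" hook that records which authenticated user pushed which commits.
# The pusher comes from the hosting layer's environment (GL_USER is what
# gitolite sets; the fallback to the SSH login user is an assumption), so a
# forged --author in the commit does not change who is held accountable.

PUSH_LOG="${PUSH_LOG:-/var/log/git/push-audit.log}"   # assumed log location

# log_push PUSHER REFNAME OLDREV NEWREV
# Reads one commit hash per line on stdin and appends one audit line each:
#   <utc timestamp> <pusher> <refname> <commit> <oldrev>..<newrev>
log_push() {
    pusher=$1 refname=$2 oldrev=$3 newrev=$4
    ts=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    while read -r commit; do
        printf '%s %s %s %s %s..%s\n' \
            "$ts" "$pusher" "$refname" "$commit" "$oldrev" "$newrev"
    done >> "$PUSH_LOG"
}

# who_pushed COMMIT: print the user who pushed that hash, nothing if unknown.
who_pushed() {
    awk -v c="$1" '$4 == c { print $2; exit }' "$PUSH_LOG"
}

# Hook entry point: Git runs "update <refname> <oldrev> <newrev>".
if [ "$#" -eq 3 ]; then
    zero=0000000000000000000000000000000000000000
    [ "$3" = "$zero" ] && exit 0          # ref deletion: nothing to attribute
    if [ "$2" = "$zero" ]; then
        # New ref: log every commit not already reachable from another ref.
        new_commits=$(git rev-list "$3" --not --all)
    else
        new_commits=$(git rev-list "$2..$3")
    fi
    [ -n "$new_commits" ] &&
        printf '%s\n' "$new_commits" | log_push "${GL_USER:-$USER}" "$1" "$2" "$3"
fi
```

Answering "who pushed this hash?" is then a lookup in the server's own log (who_pushed), which is exactly the question a forged author line cannot answer.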