Fixing Code Reviews

Laszlo Papp lpapp at kde.org
Sat Apr 14 15:52:49 UTC 2012


Hi Martin,

Thank you for sharing that link with us.

> There was recently a discussion about it on plasma-devel. The short summary is
> that gerrit would introduce security holes into kde's infrastructure and due
> to that is an absolute no-go.

From Ben's email:
"- Gerrit operates with the assumption it has permission to push to the
master repositories, providing a security vulnerability to our
infrastructure."

Could someone please elaborate on that a little bit more? I am
unsure what "master repositories" means, but:

1) Master (or essentially any other) branch(es): push does not mean
the change is already inside the repository (master branch for
instance). Only the trusted KDE developers would be able to actually
merge that. It would probably be tied to the KDE developer account
or so (a little bit different this way than the approver concept
in Qt, but it should be discussed).

2) If by "master repositories" you mean KDE SC and Extragear,
then I would say we also have playground projects in the Qt Project (I
have been mostly involved with QtSerialPort and QtAudio3D) which can
be handled distinctly from a permission point of view.

It would be nice to get a more thorough explanation. Perhaps it is
just me, but it is still nebulous to me. Thank you in advance! :-)

Best Regards,
Laszlo Papp

PS: "- Gerrit is a Java application, and past experience with them
indicate that are very resource intensive." -> Jenkins (i.e.
build.kde.org) is also written in Java.
