commons-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From sebb <seb...@gmail.com>
Subject Re: [discuss] Vote to git it?
Date Wed, 10 Sep 2014 16:22:51 GMT
On 10 September 2014 11:26, Gilles <gilles@harfang.homelinux.org> wrote:
> On Wed, 10 Sep 2014 12:00:12 +0200, Stefan Bodewig wrote:
>>
>> [on the original topic: I personally like git but would leave the
>> decision to move on to the components]
>>
>> On 2014-09-10, Gilles wrote:
>>
>>> [The advantages of "git" must be somewhere else.]
>>
>>
>> Not sure about "the advantage", but let me show you an example where a
>> DVCS (any DVCS) would have been really useful.
>>
>> Back in 2012 there was some minor security issue in Compress.  Apache
>> policy says the fix for a security issue should be a single commit -
>> this is for the benefit of packagers who may want to backport the fix to
>> their older versions.  The policy also says the fix should be developed
>> in private and only be committed when ready shortly before building the
>> release so potential attackers watching the commits don't get too much
>> of a head-start.
>>
>> I didn't know about the policy at that time (pure ignorance) and created
>> more than a dozen svn commits experimenting and exploring the fix as it
>> wasn't easy.  All visible to the public.
>>
>> My point now is, even if I had known about the policy I would have
>> needed some sort of SCM to explore the problem without too much fear. I
>> personally rely on the safety net offered by an SCM and don't like to
>> develop bigger chunks of code without safepoint commits.
>>
>> With a DVCS like git I can do so in a private branch that I can share
>> with my peers without committing to the ASF git server (have them pull
>> from my private repository) - so we can agree on the patch in private.
>> Once the patch is ready I can rebase my branch and squash all commits to
>> a single one that I can then merge to master and push to the ASF server.
>>
>> I guess what I'm trying to say is a DVCS makes it easier to experiment
>> in a controlled manner and for security issues it offers big advantages.
>>
>
> That is quite convincing! Such a use case could be the basis for Apache
> to _force_ all projects to switch to "git"...

I disagree that this is convincing.

There are PMC-only SVN repos which can be used for collaborative
development of security fixes.
These are better than sharing a private repo, because commits are
automatically mailed to the PMC mailing list.

And not everyone has the ability to share their private Git repos.

In any case, a private Git repo can still be used for local
development, even if the offical repo is SVN.

> Thanks,
> Gilles
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
> For additional commands, e-mail: dev-help@commons.apache.org
>

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
For additional commands, e-mail: dev-help@commons.apache.org


Mime
View raw message