commons-dev mailing list archives

From sebb <>
Subject Re: [discuss] Vote to git it?
Date Wed, 10 Sep 2014 16:22:51 GMT
On 10 September 2014 11:26, Gilles <> wrote:
> On Wed, 10 Sep 2014 12:00:12 +0200, Stefan Bodewig wrote:
>> [on the original topic: I personally like git but would leave the
>> decision to move on to the components]
>> On 2014-09-10, Gilles wrote:
>>> [The advantages of "git" must be somewhere else.]
>> Not sure about "the advantage", but let me show you an example where a
>> DVCS (any DVCS) would have been really useful.
>> Back in 2012 there was some minor security issue in Compress.  Apache
>> policy says the fix for a security issue should be a single commit -
>> this is for the benefit of packagers who may want to backport the fix to
>> their older versions.  The policy also says the fix should be developed
>> in private and only be committed when ready shortly before building the
>> release so potential attackers watching the commits don't get too much
>> of a head-start.
>> I didn't know about the policy at that time (pure ignorance) and created
>> more than a dozen svn commits experimenting and exploring the fix as it
>> wasn't easy.  All visible to the public.
>> My point now is, even if I had known about the policy I would have
>> needed some sort of SCM to explore the problem without too much fear. I
>> personally rely on the safety net offered by an SCM and don't like to
>> develop bigger chunks of code without safepoint commits.
>> With a DVCS like git I can do so in a private branch that I can share
>> with my peers without committing to the ASF git server (have them pull
>> from my private repository) - so we can agree on the patch in private.
>> Once the patch is ready I can rebase my branch and squash all commits to
>> a single one that I can then merge to master and push to the ASF server.
>> I guess what I'm trying to say is a DVCS makes it easier to experiment
>> in a controlled manner and for security issues it offers big advantages.
> That is quite convincing! Such a use case could be the basis for Apache
> to _force_ all projects to switch to "git"...

I disagree that this is convincing.

There are PMC-only SVN repos which can be used for collaborative
development of security fixes.
These are better than sharing a private repo, because commits are
automatically mailed to the PMC mailing list.

And not everyone has the ability to share their private Git repos.

In any case, a private Git repo can still be used for local
development, even if the official repo is SVN.

> Thanks,
> Gilles

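The squash step Stefan describes above, as an added example that is not code from the original thread or from Apache's tooling: a throw-away repository in which a private fix branch with several safepoint commits is collapsed into one commit on master, the single change a packager can backport. The repository, branch names, file contents and commit messages are all constructed here.

```shell
#!/bin/sh
# Added example: land a privately explored fix as a single commit.
# Everything below (repo, branches, file, messages) is constructed for the demo.
set -eu

# Create a throw-away repository with a "master" branch and one baseline commit.
setup_repo() {
  dir=$(mktemp -d)
  git -C "$dir" init -q
  git -C "$dir" symbolic-ref HEAD refs/heads/master   # name the unborn branch
  git -C "$dir" config user.email "dev@example.invalid"
  git -C "$dir" config user.name "Example Dev"
  echo 'baseline' > "$dir/Parser.java"
  git -C "$dir" add Parser.java
  git -C "$dir" commit -q -m "baseline release"
  echo "$dir"
}

# Explore the fix on a private branch with as many safepoint commits as needed;
# this branch is what would be shared with peers by pull, never pushed publicly.
explore_fix() {
  dir=$1
  git -C "$dir" checkout -q -b fix-private
  for step in 1 2 3; do
    echo "attempt $step" >> "$dir/Parser.java"
    git -C "$dir" commit -q -am "wip: attempt $step"
  done
}

# Collapse the private branch into exactly one commit on master. --squash stages
# the combined diff without creating a merge commit, so history shows one change.
land_single_commit() {
  dir=$1
  git -C "$dir" checkout -q master
  git -C "$dir" merge -q --squash fix-private
  git -C "$dir" commit -q -m "Fix: bound input size in Parser (single-commit security fix)"
}

# Number of commits on master that were not in the given baseline revision.
commits_since() {
  git -C "$1" rev-list --count "$2..master"
}

demo_dir=$(setup_repo)
explore_fix "$demo_dir"
land_single_commit "$demo_dir"
git -C "$demo_dir" log --oneline master   # one fix commit on top of the baseline
```

On the real repository the final step would be followed by a push to the shared server once the release is about to be built; the private branch itself is never pushed there.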
