www-infrastructure-dev mailing list archives

From: Mark Struberg <strub...@yahoo.de>
Subject: Re: Writable github repos?
Date: Fri, 27 Jun 2014 21:11:53 GMT
The scenario you mentioned is not valid.

a.) I for one do NOT accept pull requests from github! I only apply single requests where
I also have a JIRA + diffs
b.) each ASF committer must commit his changes HIMSELF. Committing for others is disregarded.

If you send patches in my name to the list then I will speak up and catch that. And no one
will apply those patches, because of b.)
If a patch is tracked by mail + JIRA, then we at least have the remote IP and tons of other
stuff like the mx header logged.
In case of any later problem this very commit can be identified very easily.
The same for a pull request leaves no way whatsoever to even track which commits are in question
once the original repo got deleted from github.

Don't get it wrong. I like GIT a lot. I even wrote the initial parts of the German translation
for GIT (back in 2006 or so) and the first version of the maven-git-plugin back then. But
while I love GIT, I don't think we can use GIT without the push verification we have atm.
This is what makes all the difference between GIT projects hosted at the ASF and at somewhere
else (not only github).


On Friday, 27 June 2014, 23:04, David Nalley <david@gnsa.us> wrote:

>On Fri, Jun 27, 2014 at 4:50 PM, Mark Struberg <struberg@yahoo.de> wrote:
>> as stated tons of times already.
>> There is imo one huge blocker: how to make sure that a pull request which subsequently
>> contains e.g. a commit from ke4qqq@apache.org is REALLY from you?
>> EVERYONE can create such a commit on github! There is NO authorization required!
>> just git-config the email and name. There is no GPG for commits in git, only for tags.
>> People pulling in changes will likely see 'oh a commit from David, fine' and will
>> pull that in.
>> How to prevent that?
>> I asked this 4 years ago and there is still no good answer to it afaik. Without this
>> Or did I miss something?
>> ... and sorry for yelling ;)
>No need to be sorry.
>I acknowledge that's a problem. It's also a problem we have today. We
>accept pull requests from github already, have scores of projects
>doing so today. It's also a problem with our normal patch submission
>methods as well. I could send an email with a patch to any number of
>lists as struberg@apache.org as well, and assuming I did my homework,
>I could probably emulate the person relatively easily. Accepting
>patches via email has no authentication either. At a minimum, we at
>least see the github account that is associated with making the pull
>request - perhaps we can even improve on the provenance situation by
>requiring multi-factor authentication for folks with access to the
>github writable repo, that would give us even better records of
>provenance than email patch submission.
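The concern in this thread is that a commit's author and committer fields are unauthenticated metadata, so a record claiming an @apache.org identity proves nothing on its own. The audit below is an added example, not part of the thread or of ASF infrastructure: it walks `git log` records and flags commits that claim an apache.org identity without a good signature from a key registered to that identity, plus commits whose author and committer differ (the "committing for others" case). It relies on git's commit signing support (`git commit -S` and the `%G?`/`%GK` log placeholders); the `TRUSTED_KEYS` allowlist and the sample records are constructed.

```python
"""Audit `git log` records for commits that claim a privileged identity without a
signature from a key registered to it. Added example; TRUSTED_KEYS is constructed."""
import subprocess

TRUSTED_DOMAIN = "apache.org"  # identities the thread treats as privileged
# Hypothetical allowlist: address -> GPG key ids git reports via %GK (constructed values).
TRUSTED_KEYS = {
    "ke4qqq@apache.org": {"0123456789ABCDEF"},
    "struberg@apache.org": {"FEDCBA9876543210"},
}
# One tab-separated record per commit: sha, author, committer, %G? status, signing key id.
LOG_FORMAT = "%H%x09%ae%x09%ce%x09%G?%x09%GK"

def audit_line(line: str) -> list:
    """Return human-readable findings for one formatted log record (empty if clean)."""
    sha, author, committer, status, key_id = line.rstrip("\n").split("\t")
    findings = []
    if author != committer:
        findings.append(f"author {author} differs from committer {committer}")
    claimed = [author] + ([committer] if committer != author else [])
    for who in claimed:
        if not who.endswith("@" + TRUSTED_DOMAIN):
            continue  # no privileged identity claimed; nothing to verify
        if status != "G":  # %G? prints G only for a good signature from a trusted key
            findings.append(f"{who} claimed but signature status is {status!r}, not 'G'")
        elif key_id not in TRUSTED_KEYS.get(who, set()):
            findings.append(f"good signature, but key {key_id} is not registered to {who}")
    return findings

def audit_log(text: str) -> dict:
    """Map sha -> findings for every commit in `text` that has at least one finding."""
    per_sha = {l.split("\t", 1)[0]: audit_line(l) for l in text.splitlines() if l.strip()}
    return {sha: f for sha, f in per_sha.items() if f}

def audit_repo(rev_range: str, cwd: str = ".") -> dict:
    """Run the audit over a real revision range, e.g. 'master..pr-branch'."""
    out = subprocess.run(["git", "log", f"--format={LOG_FORMAT}", rev_range],
                         cwd=cwd, check=True, capture_output=True, text=True).stdout
    return audit_log(out)

# Constructed sample records (shortened ids) standing in for `git log` output.
SAMPLE_LOG = (
    "c0ffee1\tke4qqq@apache.org\tke4qqq@apache.org\tG\t0123456789ABCDEF\n"  # clean
    "c0ffee2\tke4qqq@apache.org\tke4qqq@apache.org\tN\t\n"                  # unsigned claim
    "c0ffee3\tke4qqq@apache.org\tke4qqq@apache.org\tG\tDEADBEEFDEADBEEF\n"  # unknown key
    "c0ffee4\tsomeone@example.com\tstruberg@apache.org\tN\t\n"              # committed for another
    "c0ffee5\tsomeone@example.com\tsomeone@example.com\tN\t\n"              # outsider, no claim
)
```

`audit_log(SAMPLE_LOG)` reports c0ffee2, c0ffee3 and c0ffee4 and stays silent on the clean commit and on the outsider who claims no privileged identity.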