www-infrastructure-dev mailing list archives

From Dave <snoopd...@gmail.com>
Subject Re: Writable github repos?
Date Fri, 27 Jun 2014 21:18:53 GMT
On Fri, Jun 27, 2014 at 4:50 PM, Mark Struberg <struberg@yahoo.de> wrote:

> as stated tons of times already.
>
> There is imo one huge blocker: how to make sure that a pull request which
> subsequently contains e.g. a commit from ke4qqq@apache.org is REALLY from
> you?
>
> EVERYONE can create such a commit on github! There is NO authorization
> required! just git-config the email and name. There is no GPG for commits
> in git, only for tags.
>
> People pulling in changes will likely see 'oh a commit from David, fine'
> and will pull that in.
>
> How to prevent that?
>
> I asked this 4 years ago and there is still no good answer to it afaik.
> Without this solved we CANNOT SUFFICIENTLY TRACK OUR CODE PROVENANCE!
>
> Or did I miss something?
>


I've got a couple of questions related to that concern:

- If that concern is a blocker then doesn't it mean we cannot accept ANY
code from GitHub at all?

- How does our current best practice for GitHub -> ASF Git integration
address that concern?

- If that concern is a blocker then how can other open source
organizations, who are just as sensitive to IP issues as we are, allow
GitHub hosting?

I don't think we can have a technical solution to the problem of vetting
incoming code. Some committer has to check the incoming changes as best
they can, commit-by-commit and line-by-line, no matter whether it comes
from GitHub or a DIFF patch. If there is some misrepresentation (or other
form of evil) in the code, it's the accepting committer's job to recognize
that and reject it. I don't see how GitHub is any worse than accepting DIFF
patches in that respect.

- Dave
