www-infrastructure-dev mailing list archives

From David Nalley <da...@gnsa.us>
Subject Re: Writable github repos?
Date Fri, 27 Jun 2014 21:04:20 GMT
On Fri, Jun 27, 2014 at 4:50 PM, Mark Struberg <struberg@yahoo.de> wrote:
> as stated tons of times already.
>
> There is imo one huge blocker: how to make sure that a pull request which subsequently
> contains e.g. a commit from ke4qqq@apache.org is REALLY from you?
>
> EVERYONE can create such a commit on github! There is NO authorization required! Just
> git-config the email and name. There is no GPG for commits in git, only for tags.
>
> People pulling in changes will likely see 'oh a commit from David, fine' and will pull
> that in.
>
> How to prevent that?
>
> I asked this 4 years ago and there is still no good answer to it afaik. Without this
> solved we CANNOT SUFFICIENTLY TRACK OUR CODE PROVENANCE!
>
> Or did I miss something?
>
> ... and sorry for yelling ;)

No need to be sorry.
I acknowledge that's a problem. It's also a problem we have today. We
accept pull requests from github already, and have scores of projects
doing so today. It's also a problem with our normal patch submission
methods. I could send an email with a patch to any number of
lists as struberg@apache.org as well, and assuming I did my homework,
I could probably emulate the person relatively easily. Accepting
patches via email has no authentication either. At a minimum, we at
least see the github account that is associated with making the pull
request - perhaps we can even improve on the provenance situation by
requiring multi-factor authentication for folks with access to the
github writable repo; that would give us even better records of
provenance than email patch submission.

--David
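As an added example (not from this thread or from Apache infrastructure), the kind of check a merger could run over a pull-request range to catch exactly the case described above: a commit whose author claims an address at a trusted domain but that carries no verifiable signature. It assumes commits are signed with `git commit -S` and relies on git's `%G?` signature-status placeholder; the trusted domain and the sample lines are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: flag commits in a pull-request range
# whose author claims an address at a trusted domain without a good signature.
# Feed it lines in the shape produced by
#   git log --format='%H%x09%ae%x09%G?' base..head
# where %G? is git's signature status: G good, U good but key untrusted,
# B bad, E cannot be checked, X/Y expired, R revoked key, N unsigned.
# TRUSTED_DOMAIN is an assumption for this example; adjust it for your project.
TRUSTED_DOMAIN="${TRUSTED_DOMAIN:-apache.org}"
tab=$(printf '\t')

# Reads "sha<TAB>author-email<TAB>status" lines on stdin, prints one line per
# suspicious commit and returns 1 if any were found, 0 otherwise.
check_provenance() {
    suspicious=0
    while IFS="$tab" read -r sha email status || [ -n "$sha" ]; do
        [ -n "$sha" ] || continue
        domain="${email##*@}"
        # Commits claiming an outside identity are not this check's concern.
        [ "$domain" = "$TRUSTED_DOMAIN" ] || continue
        case "$status" in
            G) ;;  # good signature from a key in the merger's keyring: accept
            *) printf 'UNVERIFIED %s %s status=%s\n' "$sha" "$email" "${status:-N}"
               suspicious=1 ;;
        esac
    done
    return "$suspicious"
}
```

Anything other than `G` is reported, including `U`, so a merger who keeps a curated keyring of committers' keys gets a clear signal rather than a silently accepted author line.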
