www-infrastructure-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Benson Margulies <bimargul...@gmail.com>
Subject Re: Writable github repos?
Date Sat, 28 Jun 2014 00:49:15 GMT
On Fri, Jun 27, 2014 at 7:58 PM, Joseph Schaefer
<joe_schaefer@yahoo.com.invalid> wrote:
> I think that is the point of an icla for committers, because otherwise the apache license
suffices.
>
> Sent from my iPhone
>
>> On Jun 27, 2014, at 5:25 PM, Mark Struberg <struberg@yahoo.de> wrote:
>>
>>> On Friday, 27 June 2014, 23:17, Joseph Schaefer <joe_schaefer@yahoo.com.INVALID>
wrote:
>>> We might simply ask github to provide push records to us.
>>
>>
>> This would at least solve the problem with who pushed what.
>> Are you talking about pushes to an ASF project repo on github or to all github commits
we pull in for a pull-request?
>>
>> And how to solve the problem that it's way too easy to pull foreign changes is still
not clear to me.

I think that there is a gap between theory and practice.

First, many, perhaps most, commits are by committers. As an
organization, we trust committers. Full stop. While there's a theory
of PMC review, how many PMC members are pretending to be
mechanical-turk Black Ducks carefully vetting commits?

For non-committer patches, the safety comes from social interaction.
Someone emails in a patch. We don't really know that it's their own
work. When something looks really fishy, a committer might take
notice. But mostly we trust. I think that Mark is exceptional. OK, a
github commit can have a fake source. How often to we get JIRAs,
patches, or pull requests that come with zero social interaction?
Generally, if someone posts a JIRA, or a PR, or whatever, there's a
trail of discussion. For one thing, this makes faking the git email
address fairly moot. If the commit says Fred but all the email says
George, well, that's a question. If all we have is a PR, we can always
demand some mailing list interaction. Eventually, a sufficiently
energetic fraud will get away with it, and as an organization, we long
ago decided that this was legally tolerable.


>>
>> LieGrue,
>> strub
>>

Mime
View raw message