www-infrastructure-dev mailing list archives

From Sam Ruby <ru...@intertwingly.net>
Subject Re: Git, history, protection, and other topics
Date Wed, 04 Nov 2015 13:37:50 GMT
On Wed, Nov 4, 2015 at 8:21 AM, Kristian Rosenvold
<krosenvold@apache.org> wrote:
> Just an example, taken from github:
>
> git clone https://github.com/apache/commons-lang.git
> cd commons-lang
>
> < You now have a "complete" commons-lang repo, which you can inspect
> with gitk --all or similar>
>
> git config --add remote.origin.fetch "+refs/pull/*/head:refs/remotes/origin/pull/*"
> git fetch
>
> <Watch the fireworks>
>
> Using gitk --all, you'll now see that the "complete" github repo
> contains all the pull requests too, github just did not tell us about
> them on the initial clone. In the same manner, all historic refs could
> be stored.

The information that is missing is: "who did the push".

Pushes to the ASF repository can only be done by individuals who
authenticate and have an ICLA on file.  They have agreed to follow #7
in the agreement:

https://www.apache.org/licenses/icla.txt

That traceability is important for legal reasons.  With git, it is
quite possible for the person to do the push to be neither the
'author' nor the 'committer'.

With ASF repositories, we have hooks in place to log who did the push.
GitHub provides webhooks that can give us that same information.  I've
got a JIRA in place to allow ASF committers to 'claim' a GitHub id:

https://issues.apache.org/jira/browse/INFRA-10704

You can see work in progress here: https://id.apache.org/ where you
can fill in one (or more!) github ids.

It is even possible for the push log to be stored in the git
repository itself as notes:

http://git-scm.com/docs/git-notes

This will allow this information to be more easily queryable.

> Kristian

- Sam Ruby
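
The two points in the message above (the pusher can be neither 'author' nor 'committer', and the push log can live in the repository as notes), shown as an added example that is not part of the original message and not the ASF's own hook code. It assumes a hypothetical PUSH_USER environment variable standing in for the identity the authenticating server would supply, and a hypothetical notes ref named push-log; all names and addresses are constructed.

```shell
#!/bin/sh
# Constructed demo: a post-receive hook that records who pushed each commit
# in refs/notes/push-log. PUSH_USER is a hypothetical stand-in for the
# identity an authenticating front end would hand to the hook.

write_hook() {  # $1 = path to a bare repository
    mkdir -p "$1/hooks"
    cat > "$1/hooks/post-receive" <<'EOF'
#!/bin/sh
# stdin: one "<old> <new> <ref>" line per updated ref
while read -r old new ref; do
    case $new in *[!0]*) ;; *) continue ;; esac   # all-zero new id: ref deleted
    case $old in *[!0]*) range="$old..$new" ;; *) range="$new" ;; esac
    for c in $(git rev-list "$range"); do
        # append (not add) so a commit pushed to a second ref keeps both entries
        git -c user.name=push-log -c user.email=push-log@example.invalid \
            notes --ref=push-log append \
            -m "pushed-by: ${PUSH_USER:-unknown} ref: $ref" "$c" >/dev/null 2>&1
    done
done
EOF
    chmod +x "$1/hooks/post-receive"
}

demo_push_log() {  # prints "<author>|<committer>|<note>" for the pushed commit
    tmp=$(mktemp -d) || return 1
    git init -q --bare "$tmp/central.git" >/dev/null 2>&1 || return 1
    write_hook "$tmp/central.git"
    git init -q "$tmp/work" >/dev/null 2>&1 || return 1
    (
        cd "$tmp/work" &&
        echo hello > README &&
        git add README &&
        # Author is bob, committer is carol; the push is done by alice.
        git -c user.name=carol -c user.email=carol@example.invalid \
            commit -q --author='bob <bob@example.invalid>' -m 'add README' &&
        PUSH_USER=alice git push -q "$tmp/central.git" HEAD:refs/heads/master
    ) >/dev/null 2>&1 || { rm -rf "$tmp"; return 1; }
    sha=$(git -C "$tmp/work" rev-parse HEAD)
    who=$(git -C "$tmp/central.git" log -1 --format='%an|%cn' "$sha")
    note=$(git -C "$tmp/central.git" notes --ref=push-log show "$sha")
    rm -rf "$tmp"
    printf '%s|%s\n' "$who" "$note"
}
```

Calling `demo_push_log` after sourcing the script prints the author, the committer and the recorded pusher side by side; on a real server the same note is readable with `git log --notes=push-log`.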
