> > If you are concerned about the PR being updated without you noticing it
> > (very unlikely), you can git pull it locally, review locally and git
> > push on mainline, which with all modern Forges will automatically close
> > the PR/MR/issue.
>
> Yes, that would also work. That's not what people using forges *actually
> do*, though, which I believe was Ted's point. Nor do people advocate
> forges because they're advocating that workflow; quite to the contrary,
> people who want others to use forges generally want them to review MRs
> directly on the forge for a host of other reasons.
Note that reviewing something and merging it are separate steps in the process. With Forges one can track metadata for code submissions such as how many approvals it has had and whatnot.

> > Using real git commits with SHA hashes, signatures, SSH key protected
> > pulls and pushes, multiple server logs on who did what etc is easily
> > more secure than using plaintext emails.
>
> Ted's workflow doesn't rule out signatures, SSH-key-protected pushes, and
> other similar security properties. I suspect it usually terminates them at
> Ted (the reviewer) rather than the original author, which has pluses and
> minuses.

...

> > The big question here you seem to avoid commenting on is what is the
> > workflow you expect the next generation to seriously adopt?
>
> I didn't comment on that because I don't have an opinion on it. I only
> commented about the security analysis that you did, which I believe is
> wrong.

There is no trace back to the original author, which is a major minus for e-mail submissions. I think anyone with some imagination can come up with multiple scenarios where an authorship attack via e-mail is much easier to both deliver and to evade audits on, but I won't go there now as it isn't the main point in the context of the new contributor experience.

> There is a tendency in these discussions to assert that one's preferred
> workflow is strictly better on every possible axis, there are no

I have not asserted that. I wrote today very explicitly this, quoting myself:

> I know a lot of veterans in the industry have very good e-mail setups
> and are very efficient in reviewing patches by e-mail. I am not asking
> you to abandon it. You should do what you want.

The topic here is the new contributor experience. I don't find your comments about e-mail submissions improving the security posture of the overall system convincing, nor do they seem to offer any solutions on what the Debian community can do to improve the new contributor experience.