Hi,

On Mon, Jun 14, 2010 at 5:25 PM, Simone Gianni <[email protected]> wrote:
> Regarding the git part, except for bylaws where "svn repository" should be
> replaced with "any apache repository", what are the legal differences in
> using git as opposed to svn?

The main issue with Git is that it doesn't give us a reliable audit log of changes that we can tie back to the ICLAs that we have on file. As long as you have write access to a repository, you can push in commits that are practically indistinguishable from commits made by someone else. For example, unless you do an explicit sign-off of changes you've pulled in from a contributor, there's nothing in the repository to reliably indicate who actually wrote the changes and who approved them for inclusion in the Apache project. It's even possible for someone to rewrite the entire history of a project or a branch and simply push such changes to a repository like any normal commits.

Basically, if someone comes and asks how a particular piece of IP ended up in a Git repository, Git itself can't answer that question. All it gives you is the change itself and the associated commit metadata that can be pretty much anything.

> While I understand the technical differences (and difficulties), what are the
> problems you expect to find and eventually solve if any?

There are a few ways to add a reliable audit trail to a Git repository. The way Gerrit does it is by taking away direct write access to the underlying Git repository and by enforcing that all incoming commits have explicitly been signed off by an authenticated user. This works fine in theory, but I'd like to see how well Gerrit integrates with Apache workflows in practice.

For example, could/should we give all Jira/Bugzilla users access to upload patches for review in the Gerrit instance? How do we best integrate Gerrit with our existing svn/ldap account system? Does this setup give us the audit trail we need? What kind of email notifications should be set up? What end user documentation do we need? etc. etc.

These are the kinds of issues I'm hoping to at least start sorting out while working on the proposed lab.

BR,

Jukka Zitting
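
An added example, not part of the original message and not Gerrit's code: a sketch of the kind of receive-side check the message describes, where the server compares each incoming commit against the identity it authenticated rather than trusting commit metadata. The function names, the sample commits and the example.org addresses are constructed for illustration.

```python
import re

# Constructed samples in the format printed by `git cat-file -p <commit>`.
HDR = "tree 4b825dc642cb6eb9a060e54bf8d69288fbee4904\n" \
      "author Alice Contributor <alice@example.org> 1276500000 +0200\n"
COMMIT_OK = HDR + "committer Bob Committer <bob@example.org> 1276503600 +0200\n\n" \
    "Fix null check\n\nSigned-off-by: Bob Committer <bob@example.org>\n"
COMMIT_FORGED = HDR + "committer Carol Other <carol@example.org> 1276503600 +0200\n\n" \
    "Fix null check\n\nSigned-off-by: Carol Other <carol@example.org>\n"
COMMIT_UNSIGNED = HDR + "committer Bob Committer <bob@example.org> 1276503600 +0200\n\n" \
    "Fix null check\n"

IDENT = re.compile(r"^(author|committer) (.*) <([^<>]*)> (\d+) ([+-]\d{4})$")
SIGNOFF = re.compile(r"^Signed-off-by: .*<([^<>]+)>\s*$", re.IGNORECASE)

def parse_commit(raw):
    """Split a raw commit into identity headers and Signed-off-by trailers."""
    head, _, message = raw.partition("\n\n")
    idents = {}
    for line in head.split("\n"):
        m = IDENT.match(line)
        if m:
            idents[m.group(1)] = m.group(3).lower()
    signoffs = [m.group(1).lower()
                for line in message.splitlines() if (m := SIGNOFF.match(line))]
    return idents, signoffs

def check_push(pusher_email, raw_commits):
    """Return (index, reason) for every commit to reject; empty list = accept.

    pusher_email must come from the server's own authentication (SSH key,
    LDAP login), never from anything inside the pushed commits.
    """
    pusher = pusher_email.lower()
    problems = []
    for i, raw in enumerate(raw_commits):
        idents, signoffs = parse_commit(raw)
        # The author may be an outside contributor; the committer may not.
        if idents.get("committer") != pusher:
            problems.append((i, "committer is not the authenticated pusher"))
        if pusher not in signoffs:
            problems.append((i, "no Signed-off-by from the authenticated pusher"))
    return problems

if __name__ == "__main__":
    for name in ("COMMIT_OK", "COMMIT_FORGED", "COMMIT_UNSIGNED"):
        print(name, check_push("bob@example.org", [globals()[name]]))
```

The check only yields an audit trail if it runs where pushers cannot bypass it, which is why the message stresses taking away direct write access to the underlying repository.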
