On Mon, 14-06-2010 at 20:28 +0200, Jukka Zitting wrote:
> Hi,
> 
> On Mon, Jun 14, 2010 at 5:25 PM, Simone Gianni <[email protected]> wrote:
> > Regarding the git part, except for bylaws where "svn repository" should be
> > replaced with "any apache repository", what are the legal differences in
> > using git as opposed to svn?
> 
> The main issue with Git is that it doesn't give us a reliable audit
> log of changes that we can tie back to the ICLAs that we have on file.
> As long as you have write access to a repository, you can push in
> commits that are practically indistinguishable from commits made by
> someone else. For example, unless you do an explicit sign-off of
> changes you've pulled in from a contributor, there's nothing in the
> repository to reliably indicate who actually wrote the changes and who
> approved them for inclusion in the Apache project. It's even possible
> for someone to rewrite the entire history of a project or a branch and
> simply push such changes to a repository like any normal commits.
> 
> Basically, if someone comes and asks how a particular piece of IP
> ended up in a Git repository, Git itself can't answer that question.
> All it gives you is the change itself and the associated commit
> metadata that can be pretty much anything.
> 

I don't completely understand what you mean here. A subversion
repository can be manipulated by an "insider" in pretty much the same
way as a git one.

There is a social understanding that the "central" repository is not
manipulated except in exceptional circumstances (I've seen pruning of
Apache CVS repositories after errors or corruption, etc.). Also that
only authorised people (those having ssh accounts) can commit, and they,
the ones that push, are responsible for pushing either their direct
commits or commits with known provenance, say, for instance, those
coming from bug tracker patches or similar...

What prevents code dumps under the name of a user now? People are
committing stuff from jira, for instance...

Re: the difference between Author and Committer, the people planning the
migration from subversion to mercurial for python are considering the
possibility of having a commit hook that checks the Author tags and makes
sure that all Authors or Committers in a changeset have filed a
Contributor Agreement... We could do something similar, at least a
warning might be a good idea. See PEP 385
( http://www.python.org/dev/peps/pep-0385/ ), Hooks->Check Contributors.

Regards
Santiago
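An added example (not code from this thread, from PEP 385, or from any Apache project) of the kind of check Santiago describes above, and of the explicit sign-off that Jukka mentions further down: a git `update`-style hook that walks the pushed commit range, compares every Author and Committer address against a registry of people with a Contributor Agreement on file, and optionally also requires a `Signed-off-by:` trailer from a registered person. The registry, the `git log` record format, the sample log and the "warn vs. reject" policy are all assumptions of this example; the commit hashes and addresses in `SAMPLE_LOG` are constructed.

```python
"""Hypothetical CLA/sign-off check for a git update hook (example code, not from the thread).

Usage as a hook:   update <refname> <old-sha> <new-sha>
The hook asks git for the pushed range, parses one record per commit, and
either warns or rejects the push when an Author, Committer or sign-off is
not backed by a Contributor Agreement in the registry.
"""
import re
import subprocess
import sys
from dataclasses import dataclass

# ASCII unit/record separators keep multi-line commit bodies parseable.
LOG_FORMAT = "%H%x1f%ae%x1f%ce%x1f%B%x1e"
SIGNOFF_RE = re.compile(r"^Signed-off-by:\s*.*<([^>]+)>\s*$", re.MULTILINE)

# Assumed CLA registry: in a real deployment this would come from the
# foundation's records (LDAP, a signed file, ...), not a literal.
CLA_EMAILS = {"alice@example.org", "carol@example.com"}


@dataclass
class Commit:
    sha: str
    author: str      # author e-mail, lower-cased
    committer: str   # committer e-mail, lower-cased
    signoffs: list   # e-mails from Signed-off-by trailers, lower-cased


def parse_log(raw: str) -> list:
    """Parse `git log --format=LOG_FORMAT` output into Commit records."""
    commits = []
    for record in raw.split("\x1e"):
        record = record.strip("\n")
        if not record:
            continue
        sha, author, committer, body = record.split("\x1f", 3)
        signoffs = [m.lower() for m in SIGNOFF_RE.findall(body)]
        commits.append(Commit(sha, author.lower(), committer.lower(), signoffs))
    return commits


def check_commits(commits: list, cla_emails: set, require_signoff: bool = False) -> list:
    """Return (sha, reason) pairs for every commit that fails the CLA policy."""
    cla = {e.lower() for e in cla_emails}
    problems = []
    for c in commits:
        if c.author not in cla:
            problems.append((c.sha, f"author {c.author} has no CLA on file"))
        if c.committer not in cla:
            problems.append((c.sha, f"committer {c.committer} has no CLA on file"))
        if require_signoff and not any(s in cla for s in c.signoffs):
            problems.append((c.sha, "no Signed-off-by from a CLA holder"))
    return problems


def exit_status(problems: list, reject: bool) -> int:
    """Warn-only mode always lets the push through; reject mode blocks it."""
    return 1 if (reject and problems) else 0


def fetch_log(old: str, new: str) -> str:
    """Ask git for the pushed range; only used when running as a real hook."""
    return subprocess.run(
        ["git", "log", f"--format={LOG_FORMAT}", f"{old}..{new}"],
        capture_output=True, text=True, check=True,
    ).stdout


# Constructed sample of what `git log --format=LOG_FORMAT` emits: three commits,
# one of them authored by someone who has no CLA in the registry.
SAMPLE_LOG = (
    "a" * 40 + "\x1falice@example.org\x1falice@example.org\x1f"
    "Fix parser crash\n\nSigned-off-by: Alice <alice@example.org>\n\x1e\n"
    + "b" * 40 + "\x1fbob@example.net\x1falice@example.org\x1f"
    "Apply patch from the bug tracker\n\x1e\n"
    + "c" * 40 + "\x1fCarol@Example.com\x1fcarol@example.com\x1f"
    "Docs\n\nSigned-off-by: Carol <carol@example.com>\n\x1e\n"
)


if __name__ == "__main__":
    if len(sys.argv) == 4:                       # installed as hooks/update
        raw = fetch_log(sys.argv[2], sys.argv[3])
    else:                                        # stand-alone demo on the sample
        raw = SAMPLE_LOG
    found = check_commits(parse_log(raw), CLA_EMAILS, require_signoff=True)
    for sha, reason in found:
        print(f"warning: {sha[:12]}: {reason}", file=sys.stderr)
    sys.exit(exit_status(found, reject=False))
```

Run without arguments it checks the constructed sample and reports the commit whose author is missing from the registry; the second commit also shows why a "warning" mode is the safer first step, since a committer with a CLA legitimately pushing a tracker patch would otherwise be blocked until the sign-off convention is in place. The e-mail comparison is case-insensitive because git records addresses exactly as configured on the contributor's machine.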

> > While I understand the technical differences (and difficulties), what are
> > the problems you expect to find and eventually solve if any?
> 
> There are a few ways to add a reliable audit trail to a Git
> repository. The way Gerrit does it is by taking away direct write
> access to the underlying Git repository and by enforcing that all
> incoming commits have explicitly been signed off by an authenticated
> user.
> 
> This works fine in theory, but I'd like to see how well Gerrit
> integrates with Apache workflows in practice. For example,
> could/should we give all Jira/Bugzilla users access to upload patches
> for review in the Gerrit instance? How do we best integrate Gerrit
> with our existing svn/ldap account system? Does this setup give us the
> audit trail we need? What kind of email notifications should be set
> up? What end user documentation do we need? etc. etc. These are the
> kinds of issues I'm hoping to at least start sorting out while working
> on the proposed lab.
> 
> BR,
> 
> Jukka Zitting
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [email protected]
> For additional commands, e-mail: [email protected]
> 