On 10 September 2014 11:26, Gilles <gil...@harfang.homelinux.org> wrote:

> On Wed, 10 Sep 2014 12:00:12 +0200, Stefan Bodewig wrote:
>>
>> [on the original topic: I personally like git but would leave the decision to move on to the components]
>>
>> On 2014-09-10, Gilles wrote:
>>
>>> [The advantages of "git" must be somewhere else.]
>>
>> Not sure about "the advantage", but let me show you an example where a DVCS (any DVCS) would have been really useful.
>>
>> Back in 2012 there was some minor security issue in Compress. Apache policy says the fix for a security issue should be a single commit - this is for the benefit of packagers who may want to backport the fix to their older versions. The policy also says the fix should be developed in private and only be committed when ready shortly before building the release so potential attackers watching the commits don't get too much of a head-start.
>>
>> I didn't know about the policy at that time (pure ignorance) and created more than a dozen svn commits experimenting and exploring the fix as it wasn't easy. All visible to the public.
>>
>> My point now is, even if I had known about the policy I would have needed some sort of SCM to explore the problem without too much fear. I personally rely on the safety net offered by an SCM and don't like to develop bigger chunks of code without safepoint commits.
>>
>> With a DVCS like git I can do so in a private branch that I can share with my peers without committing to the ASF git server (have them pull from my private repository) - so we can agree on the patch in private. Once the patch is ready I can rebase my branch and squash all commits to a single one that I can then merge to master and push to the ASF server.
>>
>> I guess what I'm trying to say is a DVCS makes it easier to experiment in a controlled manner and for security issues it offers big advantages.
>
> That is quite convincing!
> Such a use case could be the basis for Apache to _force_ all projects to switch to "git"...
I disagree that this is convincing. There are PMC-only SVN repos which can be used for collaborative development of security fixes. These are better than sharing a private repo, because commits are automatically mailed to the PMC mailing list. And not everyone has the ability to share their private Git repos. In any case, a private Git repo can still be used for local development, even if the official repo is SVN.

> Thanks,
> Gilles

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
For additional commands, e-mail: dev-h...@commons.apache.org
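The private-branch-then-squash workflow Stefan describes, played out as a script (an added example, not code from the thread or from Apache Commons): two throw-away local repositories stand in for the developer's clone and the ASF server, the file name and commit messages are made up, and `git reset --soft` performs the squash that an interactive rebase would.

```shell
#!/bin/sh
# Added example: a dozen safepoint commits on a private branch become a single
# commit on the public server, as the ASF single-commit policy for security
# fixes requires. All repositories are created locally, so this runs offline.
set -eu

squash_demo() {
  work=$(mktemp -d)
  # "asf.git" stands in for the public ASF server; "private" is the developer's clone.
  git init -q --bare "$work/asf.git"
  git clone -q "$work/asf.git" "$work/private" 2>/dev/null
  cd "$work/private"
  git config user.email dev@example.invalid   # constructed identity
  git config user.name "Dev"
  git symbolic-ref HEAD refs/heads/master     # pin the branch name regardless of git defaults
  echo 'public code' > Reader.java            # made-up file standing in for the component
  git add Reader.java && git commit -q -m 'Initial import'
  git push -q origin master

  # Explore the fix on a private branch with as many safepoint commits as needed;
  # none of these are pushed, so nothing about the fix reaches the public history.
  git checkout -q -b fix-private
  for i in 1 2 3 4; do
    echo "attempt $i" >> Reader.java
    git commit -q -am "wip: attempt $i"
  done

  # Squash the branch into one commit on top of master (same result as an interactive
  # rebase with every commit but the first marked "squash"), then fast-forward master.
  git reset -q --soft master
  git commit -q -m 'Fix bounds check in Reader (single commit per ASF policy)'
  git checkout -q master
  git merge -q --ff-only fix-private
  git push -q origin master

  # What a packager or an attacker watching the public server sees: the total number
  # of commits, and how many of them are the "wip" exploration commits (expect 2 and 0).
  git --git-dir="$work/asf.git" log --format=%s master | wc -l | tr -d ' '
  git --git-dir="$work/asf.git" log --format=%s master | grep -c wip || true
  cd / && rm -rf "$work"
}
```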