> In Git (and I'd presume any Git-like DVCS) anything but the push logs
> can be spoofed. Having a record of who actually pushed to the repo
> is one of the requirements from ASF's standpoint to track chain of custody
> for the code that lands in our projects.

Understood. That's the very reason why we modified our process to its present state when we began incubation. As stated before in this thread, the push logs aren't played with- it is always a committer that actually pushes a contribution to the ASF, with their account, and not a robot or proxy, in our current workflow. The push logs still record a valid chain of custody.

The analogous situation in the case David was describing, if I am understanding it correctly, is that ASF doesn't know of an uncommitted/unverified contribution that may lie in Gerrit's review queue, possibly pending commit. Unless there's something I am missing, I don't understand how that's any more or less recorded or visible than a contribution that lies in a personal fork in Github, before it has a pull request submitted and merged.

-Ian

On Wed, Jul 15, 2015 at 1:02 PM, Roman Shaposhnik <ro...@shaposhnik.org> wrote:
> On Wed, Jul 15, 2015 at 3:13 AM, Ian Maxon <ima...@uci.edu> wrote:
>>> 2. The ASF has no record of any contributions that are happening on
>>> the Gerrit instance at UCI, until a committer decides to push code to
>>> the ASF repo.
>>
>> I'm afraid I don't understand this point. How is this different than
>> any other distributed version control system? In github, nobody is
>> aware of a contribution in a fork until a pull request is made. How's
>> that any different than what's going on here?
>
> In Git (and I'd presume any Git-like DVCS) anything but the push logs
> can be spoofed. Having a record of who actually pushed to the repo
> is one of the requirements from ASF's standpoint to track chain of custody
> for the code that lands in our projects.
>
> Do realize that this unique requirement comes from the fact that
> we're a foundation, not just a code hosting site.
>
> Thanks,
> Roman.
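The distinction this thread turns on, shown as an added example that is not part of any message above and is not ASF or Gerrit code: the author and committer fields of a commit are whatever the client writes, while a server-side hook can record the account that actually pushed. The local bare repository stands in for the server, `AUTH_USER` is a hypothetical variable standing in for the identity the server authenticated, and all names are constructed.

```shell
#!/bin/sh
# Constructed demo: self-asserted commit metadata vs. a server-side push log.
# AUTH_USER is a hypothetical stand-in for the account the server authenticated.
demo_push_log() {
    work=$(mktemp -d) || return 1
    git init -q --bare "$work/server.git" || return 1
    mkdir -p "$work/server.git/hooks"
    # Server side: the pre-receive hook logs who pushed, whatever the commits claim.
    cat > "$work/server.git/hooks/pre-receive" <<'EOF'
#!/bin/sh
while read -r old new ref; do
    printf '%s pushed %s to %s\n' "${AUTH_USER:-unknown}" "$new" "$ref" >> push.log
done
EOF
    chmod +x "$work/server.git/hooks/pre-receive"
    git init -q "$work/clone" || return 1
    (
        cd "$work/clone" || exit 1
        echo data > file.txt
        git add file.txt
        # Client side: author and committer fields are simply what the client sets.
        GIT_AUTHOR_NAME='Claimed Author' GIT_AUTHOR_EMAIL='claimed@example.invalid' \
        GIT_COMMITTER_NAME='Claimed Author' GIT_COMMITTER_EMAIL='claimed@example.invalid' \
            git commit -q -m 'constructed commit'
        AUTH_USER=committer1 git push -q "$work/server.git" HEAD:refs/heads/master
    ) || return 1
    # Compare what the commit object says with what the server recorded.
    claimed=$(git --git-dir="$work/server.git" log -1 --format='%an' refs/heads/master)
    pusher=$(cut -d' ' -f1 "$work/server.git/push.log")
    rm -rf "$work"
    echo "commit says: $claimed | push log says: $pusher"
}

demo_push_log
```

On a real server the pusher identity comes from the authenticated SSH or HTTP session rather than from a variable the client can set, which is what makes the push log usable as a custody record.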