> On Jul 16, 2015, at 1:21 AM, Roman Shaposhnik <ro...@shaposhnik.org> wrote:
> 
> On Wed, Jul 15, 2015 at 4:17 PM, Till Westmann <ti...@apache.org> wrote:
>> 
>>> On Jul 15, 2015, at 10:02 PM, Roman Shaposhnik <ro...@shaposhnik.org> wrote:
>>> 
>>> On Wed, Jul 15, 2015 at 3:13 AM, Ian Maxon <ima...@uci.edu> wrote:
>>>>> 2. The ASF has no record of any contributions that are happening on
>>>>> the Gerrit instance at UCI, until a committer decides to push code to
>>>>> the ASF repo.
>>>> 
>>>> I'm afraid I don't understand this point. How is this different than
>>>> any other distributed version control system? In github, nobody is
>>>> aware of a contribution in a fork until a pull request is made. How's
>>>> that any different than what's going on here?
>>> 
>>> In Git (and I'd presume any Git-like DVCS) anything but the push logs
>>> can be spoofed. Having a record of who actually pushed to the repo
>>> is one of the requirements from ASF's standpoint to track chain of custody
>>> for the code that lands in our projects.
>> 
>> But that seems to be the case here. The actual commit is pushed manually
>> by an AsterixDB committer.
> 
> Exactly! Which rewinds us all the way back to my original reply on
> this thread.
> 
> As long as there's a human being in the loop reviewing what's going into the
> repo I don't think I've got any issues with the process.
> 
> But! Asking for an ASF-managed Gerrit instance will remove that human from
> the loop. This is negotiable but would require INFRA having the same trust
> in Gerrit logs as they have in their current Git push logs.

1) I think that we didn’t ask for an ASF-hosted instance. But I also think that
David’s concern that the absence of the service would disrupt the
development of AsterixDB is valid. And thus it might make sense not to rely
on an instance that is not hosted by the ASF. However, I think that the current
instance has virtually no risk of disappearing soon and so this is not an urgent
topic.

2) I don’t see how the organization that hosts the Gerrit instance impacts the
process. Independent of the organization that hosts the Gerrit instance, our
process has an AsterixDB committer in the loop between Gerrit and the
canonical project repository.

Cheers,
Till
