Forget pulls from GitHub.

Everyone can create a commit which is allegedly from you (email and name) and 
others will have no chance whatsoever to verify that!
Now combine that with complex scenarios where you pull in more than a simple 
change which you can track manually and you have the perfect way for someone to 
introduce backdoors.

By having the authorisation plus authentication on an ASF server and always 
verifying it on a push (and keeping the push logs) we can at least verify a 
chain.

LieGrue,
strub




----- Original Message -----
> From: Jesse Glick <jgl...@cloudbees.com>
> To: dev@maven.apache.org
> Cc: 
> Sent: Thursday, September 6, 2012 9:35 PM
> Subject: Re: [VOTE] Move Maven projects sources to git
> 
> On 09/05/2012 08:39 AM, Olivier Lamy wrote:
>>  I'm a bit curious to see if that will increase external contributions.
> 
> I think plain Git is only marginally more friendly for external contributors 
> than Subversion. Yes you can create a local branch and update it against 
> trunk changes, but you still need to manually attach patches to JIRA; 
> reviewing and updating patches this way is painful.
> 
> It is GitHub, principally pull requests but also the ability to comment on 
> individual diff lines in any published revision, which is far and away better 
> for collaboration. If Maven and satellite projects are moved to Git hosted on 
> Apache servers only, I do not see contributions being much easier. The better 
> approach to my mind would be to use GitHub-hosted repositories for all 
> collaboration and ongoing development, and just mirror to Apache clones if 
> necessary for legal reasons. Is that possible? If not, GitHub mirrors could 
> still be used for pull requests, but the committer would have to do some 
> manual synchronization.
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org
> For additional commands, e-mail: dev-h...@maven.apache.org
> 
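
The contrast drawn at the top of this message, between the name and email a commit carries and the identity a server authenticates on push, as an added example that is not part of the original thread or of any ASF tooling. The `audit_push` function, the account names and the `known_emails` map are hypothetical, and the commit is a constructed sample.

```python
import re

# Constructed sample in the layout printed by `git cat-file commit <id>`.
# All values below are sample values constructed for this example.
RAW_COMMIT = """\
tree 4b825dc642cb6eb9a060e54bf8d69288fbee4904
author Alice Committer <alice@example.org> 1346959200 +0200
committer Alice Committer <alice@example.org> 1346959200 +0200

Fix plugin resolution
"""

IDENT = re.compile(r"^(.*) <([^>]*)> (\d+) ([+-]\d{4})$")


def parse_commit(raw):
    """Split a raw commit object into a header dict and the message."""
    head, _, message = raw.partition("\n\n")
    headers, key = {}, None
    for line in head.split("\n"):
        if line.startswith(" ") and key:      # continuation, e.g. gpgsig body
            headers[key] += "\n" + line[1:]
        else:
            key, _, value = line.partition(" ")
            headers.setdefault(key, value)
    return headers, message


def audit_push(raw, pusher, known_emails):
    """Compare self-asserted commit identities with the authenticated pusher."""
    headers, _ = parse_commit(raw)
    findings = []
    for role in ("author", "committer"):
        m = IDENT.match(headers.get(role, ""))
        email = m.group(2) if m else None
        if email not in known_emails.get(pusher, set()):
            findings.append(f"{role} {email!r} does not belong to pusher {pusher!r}")
    if "gpgsig" not in headers:
        # Presence is only a first filter; validity needs `git verify-commit`.
        findings.append("no gpgsig header: author and committer are unsigned text")
    return findings


if __name__ == "__main__":
    accounts = {"alice": {"alice@example.org"}, "mallory": {"mallory@example.org"}}
    for pusher in ("alice", "mallory"):
        print(pusher, audit_push(RAW_COMMIT, pusher, accounts))
```

The same commit bytes produce one finding when pushed by the matching account and three when pushed by another, which is the information a retained push log adds to the commit's own metadata.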
