> Well, not a contradiction at all. Taking "what works" is helped by placing some (not all) trust in audit trails/traceability.
>
> Anyhow, I think in general commit spoofing is not a well-lit complication of using Git, which did not exist with e.g. SVN.
> https://eu01.z.antigena.com/l/GnaFdkimCry-aqbohHxEtHbdEtrdWQZKi6yeLnvLsM2Dw6rphNVV7u1cKACbL~F7VEt6Q6xNOJ6o9a0mLF77eGzcgqVcK3DDJ4Rtqj_SeXhVq0bsnuPRMDxktFxV~FJOm6h2nxu6OJb4DqCy6RWfl9bHxXnEx-nM-RAgMwwiB~skqriGbbOHPmEq5t30lzw_84MHmkdPPLZPnojt8l23rr
>
> And while these guys haven't made many friends in OSS, I think they did highlight very important risks.
> https://eu01.z.antigena.com/l/5UqAwcvQL66zNl8fFeOxusJmUM35w1O4Sw-_LvSAL1a7hr1qBWMND8al-jJJxS1C-SEy5avXu-4n7ZgTfpGS3BgSsErXnSYyrDuHRsTjVrfU4VpClkfSFAQC3BqPLBiXCISpFNLAMUKbmdnHGVBIevUA~buZD852znrZnE1ytNMIB62CI2csovJ_Bs2
>
> But I will admit, the first doesn't really matter much if you systemically squash. Rebasing is another story though.

Precise traceability of who wrote which exact portions of code isn't of any critical importance in open source projects; authorship is. You have projects such as Postgres where people submit .patch files and the committer who makes the merge request can change the actual code as much as they want before merging it into the main git branch. Open source projects are not an enterprise; this level of traceability is unnecessary. If there is some problem with a piece of code, it's more critical that we can cleanly revert it/apply fixes rather than knowing precisely who wrote what, which is not really relevant. Likewise, any kind of legal ramifications of perfect traceability is a non-concern, since that's the whole point of the CLA/Apache Foundation: one of its main goals is actually to protect individuals.

On Mon, Nov 7, 2022 at 2:27 PM Jean-Luc Deprez <[email protected]> wrote:

> > That's not correct AFAIK. Usually, the PR *opener* (not merger) is
> > listed as the git author and Github is listed as the committer. This
> > is a gotcha that bit us before when a PR had to be reworked and
> > recommitted from another person, and then was finally squashed.
>
> Any chance that that behaviour depends on a) if there's one or multiple
> commits, b) one or multiple authors of those commits?
>
> Because your statement doesn't seem to align with my experience on that
> matter. Except when squashing a single commit, which is transferred
> unmodified other than the commit comment.
>
> Following feature update seems to indicate that what I'm saying is not
> complete nonsense.
>
> https://eu01.z.antigena.com/l/ZPKH0brX88pLCsquG6vX0uCynARbqDiwBjc1fy6ZILjBye2RHkhletlC82fl3R63qI~x7oC6OlWwIUwNFcntvOyya1IKlpRq1ffKHkgdA~iSuT6fZGGxBHhzn4fm55lNl1mx3jR6bOtrjwF6euz3xpdUrtC-oe9cWEpAkNI9OIRJpnctetAjdNOcqwxvGQaxyqte4IwJJuDoYa06-GOzgvs2GeXFmn
>
> > Unfortunately not, it only testifies that Github created the commit.
> > In the best case (relying on Github's rules that may or may not change
> > in the future), we could say it testifies who the creator of the PR
> > was, which still does not say anything about the contents of the commit
> > (or even through which PR it was merged). Most of this information can
> > be accessed through the GH UI but it's not recorded in the commit.
> > It's a common problem when doing code archeology to trace back how and
> > where things have originated...
>
> It sure seems like there is an element of surprise to the matter
> https://eu01.z.antigena.com/l/3UV-AVqlA77upaVL7epN_VAhs7aNi~2WS017-RgS3BRZ6H-6M6Eedhy46~pOGc~DCHvj-hUucTPPZKcasNDYVzVRcSK8Rb0f_3YPEZ7NiwjNKqNUGxrax7e9gXPfABXrrO1GMUuGAXggyEDN1i0mqYHB_0W3Bm6L9I
>
> > From my experience, OS is often more strict and principled about these
> > things than enterprises which often take whatever works as long as
> > there's some progress ;)
>
> Well, not a contradiction at all. Taking "what works" is helped by placing
> some (not all) trust in audit trails/traceability.
>
> Anyhow, I think in general commit spoofing is not a well-lit complication
> of using Git, which did not exist with e.g. SVN.
>
> https://eu01.z.antigena.com/l/GnaFdkimCry-aqbohHxEtHbdEtrdWQZKi6yeLnvLsM2Dw6rphNVV7u1cKACbL~F7VEt6Q6xNOJ6o9a0mLF77eGzcgqVcK3DDJ4Rtqj_SeXhVq0bsnuPRMDxktFxV~FJOm6h2nxu6OJb4DqCy6RWfl9bHxXnEx-nM-RAgMwwiB~skqriGbbOHPmEq5t30lzw_84MHmkdPPLZPnojt8l23rr
>
> And while these guys haven't made many friends in OSS, I think they did
> highlight very important risks.
>
> https://eu01.z.antigena.com/l/5UqAwcvQL66zNl8fFeOxusJmUM35w1O4Sw-_LvSAL1a7hr1qBWMND8al-jJJxS1C-SEy5avXu-4n7ZgTfpGS3BgSsErXnSYyrDuHRsTjVrfU4VpClkfSFAQC3BqPLBiXCISpFNLAMUKbmdnHGVBIevUA~buZD852znrZnE1ytNMIB62CI2csovJ_Bs2
>
> But I will admit, the first doesn't really matter much if you systemically
> squash. Rebasing is another story though.

-- 
Matthew de Detrich
*Aiven Deutschland GmbH*
Immanuelkirchstraße 26, 10405 Berlin
Amtsgericht Charlottenburg, HRB 209739 B
Managing Directors: Oskari Saarenmaa & Hannu Valtonen
*m:* +491603708037 *w:* aiven.io *e:* [email protected]
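An added illustration of the author/committer split the thread turns on (my own example, not code from any post in the thread): it assumes `git` is on PATH, uses constructed identities, and shows that the author field is ordinary metadata set by whoever creates the commit, while only a verified signature (`%G?`) says anything about who actually produced it.

```shell
#!/bin/sh
# Added example (not from the thread). Builds a throwaway repo and creates one
# commit whose author differs from its committer, the shape a squash merge
# performed by a merge bot has: the PR opener is author, the bot is committer.
set -e

# Create the demo repo; prints its path. Identities are constructed.
make_demo_repo() {
  repo=$(mktemp -d)
  cd "$repo"
  git init -q .
  git config user.name "merge-bot"              # committer identity
  git config user.email "bot@example.invalid"
  printf 'hello\n' > file.txt
  git add file.txt
  # --author only sets the author field; the committer stays merge-bot.
  git commit -q -m "Squash merge of constructed PR" \
    --author="PR Opener <opener@example.invalid>"
  printf '%s\n' "$repo"
}

# Print "author / committer" for HEAD of the repo given as $1.
show_identities() {
  git -C "$1" log -1 --format='%an <%ae> / %cn <%ce>'
}

# Succeed only if HEAD carries a good, verified signature (%G? = G).
# Neither author nor committer fields are evidence by themselves.
head_is_signed() {
  case "$(git -C "$1" log -1 --format='%G?')" in
    G) return 0 ;;
    *) return 1 ;;
  esac
}

demo=$(make_demo_repo)
show_identities "$demo"
if head_is_signed "$demo"; then echo "signed"; else echo "unsigned"; fi
rm -rf "$demo"
```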
