Patrice Clement posted on Mon, 02 Nov 2015 09:33:49 +0100 as excerpted:

> [gerrit]
>
> Anyway, just my 2 cents on the topic. Have a look and you'll see in
> terms of features, I think it's on a par with Github. And it's open
> source. ;)

FWIW from previous gerrit suggestions...

The problem there is ... java, along with the maintenance and security issues it brings when run on a publicly accessible server where java is otherwise unnecessary. (IIRC, at least one infra person said it's a hard no on java running on gentoo infra, period, as it simply cannot be done correctly and safely with the resources available. Tho I'm not 100% sure IRC on that one.)

#2 problem, as with several code-review products, is the security issue of the huge stack of code (regardless of language) on a web server, with direct single-user write access to the tree. If it were a different user for each dev account so unconditional write access wasn't a monolithic grant...

Now if a one-way repo sync is done to the tree gerrit accesses from gentoo-master, not reversed, sandboxing the tree gerrit has access to, the problem is lessened to some degree, but of course that dramatically lessens the usefulness as well, since the reviewed code must then be checked back into the main tree manually.

Which would seem to be one potential positive for phabricator, since at least from the bit here in-thread, it appears to be review-only, no direct commit access, thereby eliminating at least that security threat.

--
Duncan - List replies preferred. No HTML msgs.
"Every nonfree program has a lord, a master --
and if you use the program, he is your master." Richard Stallman