On Sunday 15 November 2009 10:41:43 Thiago Macieira wrote:
> On Saturday 14 November 2009, at 23.55.30, argonel wrote:
> > My suggestion is to have a pre-commit hook that compares the email
> > address on the commit message to the list of subscribers to
> > kde-cvs-announce (or bugzilla) and if it isn't found, reject the commit.
> > We'll need a mechanism for syncing this list, but it should not be an
> > unsurmountable hurdle.
>
> Won't work. What if I merge a patch from someone else, who isn't a KDE
> developer?

Mmh... but this is a problem also with SVN, no?

And, I think we're a bit missing the point when these threads continue to go on. What is the exact reason of needing accountability? What will be the consequences taken if we find a malicious commit? What if the person just sent that patch and then disappeared? What if the evil guy also used a malicious --author?

I think that what Ian proposes:

[I was thinking of asking Gitorious if they could keep a simple log of commit hashes and the user name or id that pushed it. Since commit hashes are completely unique this would be enough information.]

is indeed what is needed. One can always say "I merged this patch from someone else" (unless the patch is blatantly malicious, with own name and email in the commit) and we can never be perfectly sure of the path that code followed before coming to our repo, because people are free(tm) to do (almost) what they want with it, and contributions can come from wherever! Unless we forbid cloning the repo, or distributing KDE's source code.

Bye,
-Riccardo
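
An added example, not part of the original message and not KDE or Gitorious code: a pre-receive hook sketch of the push log Ian proposes, recording the authenticated pusher next to each new commit hash and the author email the commit merely claims. `PUSH_USER` and the log path are assumptions, since the thread does not say how the hosting service exposes the authenticated account.

```python
import os
import subprocess
import sys
import time

ZERO = "0" * 40              # all-zero id git sends for a created or deleted ref
LOG_PATH = "push-audit.log"  # hypothetical log location


def new_commits(new):
    """(hash, claimed author email) for commits not yet reachable from any ref.

    Valid in pre-receive, where the refs still hold their pre-push values.
    """
    out = subprocess.run(
        ["git", "log", "--reverse", "--format=%H%x09%ae", new, "--not", "--all"],
        check=True, capture_output=True, text=True).stdout
    return [tuple(line.split("\t", 1)) for line in out.splitlines()]


def audit_records(ref_updates, pusher, list_commits=new_commits, now=None):
    """Build one tab-separated record per newly introduced commit.

    ref_updates: "<old> <new> <refname>" lines, as git feeds the hook on stdin.
    pusher: account the server authenticated; never taken from commit metadata,
            because --author lets the committer write anything there.
    """
    stamp = int(time.time()) if now is None else now
    seen, records = set(), []
    for line in ref_updates:
        _old, new, ref = line.split(None, 2)
        if new == ZERO:      # a ref deletion introduces no commits
            continue
        for sha, author in list_commits(new):
            if sha in seen:  # same commit arriving on two refs in one push
                continue
            seen.add(sha)
            records.append(f"{stamp}\t{pusher}\t{ref.strip()}\t{sha}\t{author}")
    return records


if __name__ == "__main__":
    pusher = os.environ.get("PUSH_USER")  # hypothetical variable set by the front end
    if not pusher:
        sys.exit("refusing push: no authenticated user")
    with open(LOG_PATH, "a") as log:
        for rec in audit_records(sys.stdin, pusher):
            log.write(rec + "\n")
```

A merged patch from an outside contributor is accepted and simply shows up as a record whose author email differs from the pusher, which is the case Thiago raises.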