Hi,

> The main issue with Git is that it doesn't give us a reliable audit
> log of changes that we can tie back to the ICLAs that we have on file.
> As long as you have write access to a repository, you can push in
> commits that are practically indistinguishable from commits made by
> someone else. For example, unless you do an explicit sign-off of
> changes you've pulled in from a contributor, there's nothing in the
> repository to reliably indicate who actually wrote the changes and who
> approved them for inclusion in the Apache project. It's even possible
> for someone to rewrite the entire history of a project or a branch and
> simply push such changes to a repository like any normal commits.
>
> Basically, if someone comes and asks how a particular piece of IP
> ended up in a Git repository, Git itself can't answer that question.
> All it gives you is the change itself and the associated commit
> metadata that can be pretty much anything.

This is an interesting point, as Linux kernel devs will also have to be sure of IP (see SCO). I guess the workaround is that there is a codified process that isn't enforced by the software per se but is enforced by the lieutenants.

> There are a few ways to add a reliable audit trail to a Git
> repository. The way Gerrit does it is by taking away direct write
> access to the underlying Git repository and by enforcing that all
> incoming commits have explicitly been signed off by an authenticated
> user.
>
> This works fine in theory, but I'd like to see how well Gerrit
> integrates with Apache workflows in practice. For example,
> could/should we give all Jira/Bugzilla users access to upload patches
> for review in the Gerrit instance? How do we best integrate Gerrit
> with our existing svn/ldap account system? Does this setup give us the
> audit trail we need? What kind of email notifications should be set
> up? What end user documentation do we need? etc. etc. These are the
> kinds of issues I'm hoping to at least start sorting out while working
> on the proposed lab.

Gerrit itself is probably worthy of a lab wrt whether it would be possible to fit into our structure/'way' and what we can learn from it. I personally detest JIRA and am happy for there to be experiments in this area.

+1

Kev
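As an added illustration (not code from the thread or from Gerrit), the kind of check an audit script could run over `git log` output to flag commits whose provenance cannot be tied back to a sign-off by a known committer: missing Signed-off-by trailers, a committer who pulled in someone else's change without signing off, a contributor who never signed off, or a committer absent from the account list. The record format, the commit hashes, the people and the account list are all constructed for the example.

```python
"""Audit a git log for commits whose provenance cannot be tied to a known approver."""
import re

# Records are assumed to come from:
#   git log --format='%H%x1f%an <%ae>%x1f%cn <%ce>%x1f%B%x1e'
# Constructed sample log; hashes and people are invented.
SAMPLE_LOG = (
    "aaaa1111\x1fAlice <alice@example.org>\x1fAlice <alice@example.org>\x1f"
    "Fix parser\n\nSigned-off-by: Alice <alice@example.org>\n\x1e"
    "bbbb2222\x1fBob <bob@example.org>\x1fCarol <carol@example.org>\x1f"
    "Add feature\n\nSigned-off-by: Bob <bob@example.org>\n"
    "Signed-off-by: Carol <carol@example.org>\n\x1e"
    "cccc3333\x1fDave <dave@example.org>\x1fCarol <carol@example.org>\x1f"
    "Drive-by change with no sign-off\n\x1e"
    "dddd4444\x1fEve <eve@example.org>\x1fEve <eve@example.org>\x1f"
    "Unrelated commit carrying someone else's trailer\n\n"
    "Signed-off-by: Alice <alice@example.org>\n\x1e"
)

# Stand-in for the project's account list (e.g. the svn/ldap accounts).
KNOWN_COMMITTERS = {"Alice <alice@example.org>", "Carol <carol@example.org>"}

SIGNOFF_RE = re.compile(r"^Signed-off-by:\s*(.+?)\s*$", re.MULTILINE)


def parse_log(text):
    """Split the log into commit dicts with author, committer and sign-offs."""
    commits = []
    for rec in text.split("\x1e"):
        if not rec.strip():
            continue
        sha, author, committer, body = rec.split("\x1f", 3)
        commits.append({"sha": sha, "author": author, "committer": committer,
                        "signoffs": SIGNOFF_RE.findall(body)})
    return commits


def audit(commits, known_committers):
    """Return {sha: [reasons]} for every commit that fails a provenance check."""
    findings = {}
    for c in commits:
        reasons = []
        if not c["signoffs"]:
            reasons.append("no Signed-off-by trailer")
        elif c["committer"] not in c["signoffs"]:
            reasons.append("committer did not sign off")
        if c["author"] != c["committer"] and c["author"] not in c["signoffs"]:
            reasons.append("author did not sign off")
        if c["committer"] not in known_committers:
            reasons.append("committer not on the account list")
        if reasons:
            findings[c["sha"]] = reasons
    return findings
```

Run as `audit(parse_log(SAMPLE_LOG), KNOWN_COMMITTERS)`; a trailer is only a claim, so a real deployment would still need the push itself to be authenticated, which is the part Gerrit adds.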
