From kde-scm-interest Sat Nov 14 22:55:30 2009
From: argonel
Date: Sat, 14 Nov 2009 22:55:30 +0000
To: kde-scm-interest
Subject: Re: [Kde-scm-interest] accountability
Message-Id: <28d9390d0911141455s69cd094fx8204632aa4a8a91f () mail ! gmail ! com>
X-MARC-Message: https://marc.info/?l=kde-scm-interest&m=125823937000580

2009/11/14 Chani

> On November 13, 2009 08:06:49 Jeff Mitchell wrote:
> > Ian Monroe wrote:
> > > Which is why I like my simple flat-file log idea (a log of commit
> > > hash, user id, maybe time). It doesn't open up any privacy issues
> > > (since the info is already public) and would solve the problem by
> > > using the commit hash, which is a nice security feature of git.
> >
> > You still have an issue in that the user id is internal to Gitorious and
> > is meaningless without also providing further information, like email
> > address, name, public ssh key, or some such thing.
> >
> > All of those could be seen as potential privacy issues; for instance,
> > you might think the email address would be obvious, but what if a person
> > is committing under a different email address than what they've given to
> > Gitorious?
> >
> > --Jeff
>
> I still don't understand why we need access to email addresses from some
> gitorious database anyways. if you want to push to a kde repo, you have to be
> in the kde-developers group. we can require people to agree to whatever's
> needed at the time they join that group. all we need is a log of which kde
> developer pushed what, right?
> everything else you can get from a git clone...
>

The problem is that your email address according to Git and your
kde-developers group membership are not necessarily related, so there is no
guaranteed way to map the commit back to the person that committed.

My suggestion is to have a pre-commit hook that compares the email address on
the commit message to the list of subscribers to kde-cvs-announce (or
bugzilla) and if it isn't found, reject the commit. We'll need a mechanism for
syncing this list, but it should not be an unsurmountable hurdle.

> --
> This message brought to you by eevil bananas and the number 3.
> www.chani3.com
>
> _______________________________________________
> Kde-scm-interest mailing list
> Kde-scm-interest@kde.org
> https://mail.kde.org/mailman/listinfo/kde-scm-interest

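The check proposed in the message above, sketched as an added example (not code from the thread, KDE or Gitorious). It is written as a server-side `pre-receive` hook, which is an assumption about where the check would run; the allowlist path and all function names are hypothetical. Author and committer addresses are both set by the client, so a match maps a commit to a known address rather than authenticating whoever pushed it.

```shell
#!/bin/sh
# Added example, not KDE's or Gitorious's code. ALLOWLIST is a hypothetical
# path: one known address per line, synced from the subscriber list.
ALLOWLIST=${ALLOWLIST:-/etc/git/known-emails.txt}

# Exact, case-insensitive match. An empty address or a missing allowlist
# file counts as unknown, so the check fails closed.
email_known() {
    [ -n "$1" ] || return 1
    grep -qixF -- "$1" "$2"
}

# Reads "<hash> <author-email> <committer-email>" lines on stdin, reports
# every unknown address on stderr, and returns 1 if there was any.
check_commits() {
    list=$1
    bad=0
    while read -r hash author committer; do
        for addr in "$author" "$committer"; do
            if ! email_known "$addr" "$list"; then
                echo "rejected: $hash uses unknown address <$addr>" >&2
                bad=1
            fi
        done
    done
    return "$bad"
}

# An all-zero object id marks ref creation (old) or deletion (new).
is_zero() { case $1 in *[!0]*) return 1 ;; esac; return 0; }

# pre-receive gets one "<old> <new> <ref>" line per updated ref on stdin.
run_hook() {
    status=0
    while read -r old new ref; do
        if is_zero "$new"; then continue; fi      # deletion: nothing to check
        if is_zero "$old"; then
            range="$new --not --all"              # new ref: only commits new to the repo
        else
            range="$old..$new"
        fi
        # $range is left unquoted on purpose so it splits into arguments.
        git log --format='%H %ae %ce' $range | check_commits "$ALLOWLIST" || status=1
    done
    return "$status"
}

# Run only when installed as the hook, so the functions can be sourced alone.
case ${0##*/} in pre-receive) run_hook ;; esac
```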