List:       kde-scm-interest
Subject:    Re: [Kde-scm-interest] accountability
From:       argonel <argonel () gmail ! com>
Date:       2009-11-14 22:55:30
Message-ID: 28d9390d0911141455s69cd094fx8204632aa4a8a91f () mail ! gmail ! com

2009/11/14 Chani <chanika@gmail.com>

> On November 13, 2009 08:06:49 Jeff Mitchell wrote:
> > Ian Monroe wrote:
> > > Which is why I like my simple flat-file log idea (a log of commit
> > > hash, user id, maybe time). It doesn't open up any privacy issues
> > > (since the info is already public) and would solve the problem by
> > > using the commit hash, which is a nice security feature of git.
> >
> > You still have an issue in that the user id is internal to Gitorious and
> > is meaningless without also providing further information, like email
> > address, name, public ssh key, or some such thing.
> >
> > All of those could be seen as potential privacy issues; for instance,
> > you might think the email address would be obvious, but what if a person
> > is committing under a different email address than what they've given to
> > Gitorious?
> >
> > --Jeff
> >
>
> I still don't understand why we need access to email addresses from some
> gitorious database anyways. if you want to push to a kde repo, you have to be
> in the kde-developers group. we can require people to agree to whatever's
> needed at the time they join that group. all we need is a log of which kde
> developer pushed what, right?
> everything else you can get from a git clone...
>
>
The problem is that your email address according to Git and your
kde-developers group membership are not necessarily related, so there is no
guaranteed way to map the commit back to the person that committed.

My suggestion is to have a pre-commit hook that compares the email address
on the commit message to the list of subscribers to kde-cvs-announce (or
bugzilla) and if it isn't found, reject the commit. We'll need a mechanism
for syncing this list, but it should not be an unsurmountable hurdle.


> --
> This message brought to you by eevil bananas and the number 3.
> www.chani3.com
>
> _______________________________________________
> Kde-scm-interest mailing list
> Kde-scm-interest@kde.org
> https://mail.kde.org/mailman/listinfo/kde-scm-interest
>
>
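
Added example, not part of the original message or of any KDE or Gitorious code: one way to implement the check proposed above, written as a server-side pre-receive hook because that is the point at which a push can be refused. The allowlist path and its one-address-per-line format are assumptions; how the file is synced from a subscriber list is left out.

```python
#!/usr/bin/env python3
# Added example: server-side pre-receive hook that refuses a push when a new
# commit's author or committer email is not on a synced allowlist.
import subprocess
import sys

ZERO = "0" * 40
ALLOWLIST = "/srv/git/allowed-emails.txt"  # hypothetical path, one address per line


def load_allowlist(lines):
    """Normalise addresses: trim, lower-case, skip blanks and # comments."""
    entries = (line.strip().lower() for line in lines)
    return {e for e in entries if e and not e.startswith("#")}


def unknown_identities(commits, allowed):
    """Return (sha, role, email) for every identity missing from the allowlist."""
    bad = []
    for sha, author, committer in commits:
        for role, email in (("author", author), ("committer", committer)):
            if email.strip().lower() not in allowed:
                bad.append((sha, role, email))
    return bad


def commits_in_push(old, new):
    """List (sha, author_email, committer_email) for commits a ref update adds."""
    if new == ZERO:  # ref deletion: nothing new to check
        return []
    # New ref: check only commits not already reachable from existing refs.
    rev_range = [new, "--not", "--all"] if old == ZERO else [f"{old}..{new}"]
    out = subprocess.run(
        ["git", "log", "--format=%H%x09%ae%x09%ce", *rev_range],
        check=True, capture_output=True, text=True).stdout
    return [tuple(line.split("\t")) for line in out.splitlines()]


def main():
    with open(ALLOWLIST, encoding="utf-8") as fh:
        allowed = load_allowlist(fh)
    rejected = []
    for line in sys.stdin:  # git feeds "<old> <new> <refname>" per updated ref
        old, new, _ref = line.split()
        rejected += unknown_identities(commits_in_push(old, new), allowed)
    for sha, role, email in rejected:
        print(f"rejected {sha[:12]}: {role} <{email}> is not a known address",
              file=sys.stderr)
    return 1 if rejected else 0


if __name__ == "__main__":
    sys.exit(main())
```

The email fields in a commit are set by the committer's own Git configuration, so this check ties each commit to an address on the list but does not by itself authenticate who pushed it.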
