List: kde-scm-interest
Subject: Re: [Kde-scm-interest] accountability
From: argonel <argonel () gmail ! com>
Date: 2009-11-14 22:55:30
Message-ID: 28d9390d0911141455s69cd094fx8204632aa4a8a91f () mail ! gmail ! com
2009/11/14 Chani <chanika@gmail.com>
> On November 13, 2009 08:06:49 Jeff Mitchell wrote:
> > Ian Monroe wrote:
> > > Which is why I like my simple flat-file log idea (a log of commit
> > > hash, user id, maybe time). It doesn't open up any privacy issues
> > > (since the info is already public) and would solve the problem by
> > > using the commit hash, which is a nice security feature of git.
> >
> > You still have an issue in that the user id is internal to Gitorious and
> > is meaningless without also providing further information, like email
> > address, name, public ssh key, or some such thing.
> >
> > All of those could be seen as potential privacy issues; for instance,
> > you might think the email address would be obvious, but what if a person
> > is committing under a different email address than what they've given to
> > Gitorious?
> >
> > --Jeff
> >
>
> I still don't understand why we need access to email addresses from some
> gitorious database anyways. if you want to push to a kde repo, you have to be
> in the kde-developers group. we can require people to agree to whatever's
> needed at the time they join that group. all we need is a log of which kde
> developer pushed what, right?
> everything else you can get from a git clone...
>
>
The problem is that your email address according to Git and your
kde-developers group membership are not necessarily related, so there is no
guaranteed way to map the commit back to the person that committed.

My suggestion is to have a pre-commit hook that compares the email address
on the commit message to the list of subscribers to kde-cvs-announce (or
bugzilla) and if it isn't found, reject the commit. We'll need a mechanism
for syncing this list, but it should not be an unsurmountable hurdle.
> --
> This message brought to you by eevil bananas and the number 3.
> www.chani3.com
>
> _______________________________________________
> Kde-scm-interest mailing list
> Kde-scm-interest@kde.org
> https://mail.kde.org/mailman/listinfo/kde-scm-interest
>
>
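One way to implement the e-mail check proposed in this message, as an added example that is not code from the thread: it is written as a server-side pre-receive hook so that the repository host enforces it on push. The allowlist path and file format (one address per line, synced from the subscriber list) are assumptions, and since the addresses in a commit are self-declared, the check shows only that the address is a known one.

```shell
#!/bin/sh
# Added example, not code from the thread. ALLOWLIST is a hypothetical path
# to a file with one permitted e-mail address per line ("#" starts a comment).
ALLOWLIST=${ALLOWLIST:-/srv/git/allowed-emails.txt}

# check_emails FILE: reads "<hash>TAB<author email>TAB<committer email>" lines
# on stdin, prints "<hash> <email>" for every address not in FILE and returns 1
# if there was one. A missing or empty FILE rejects everything (fails closed).
check_emails() {
    awk -F '\t' -v list="$1" '
        BEGIN {
            while ((getline line < list) > 0) {
                gsub(/^[ \t]+|[ \t\r]+$/, "", line)
                if (line != "" && line !~ /^#/) ok[tolower(line)] = 1
            }
        }
        {
            for (i = 2; i <= 3; i++) {
                if (i == 3 && $3 == $2) continue    # report a shared address once
                if (!(tolower($i) in ok)) { print $1, $i; bad = 1 }
            }
        }
        END { exit (bad ? 1 : 0) }
    '
}

# is_null ID: true when ID is the all-zero object id git uses for "no commit".
is_null() { case "$1" in *[!0]*) return 1 ;; esac; return 0; }

# pre_receive: hook body. Git writes "<old> <new> <ref>" per pushed ref on stdin.
pre_receive() {
    status=0
    while read -r old new ref; do
        if is_null "$new"; then continue; fi    # ref deleted, no commits to check
        if is_null "$old"; then
            range="$new --not --all"            # new ref: only commits not yet in the repo
        else
            range="$old..$new"
        fi
        # $range is left unquoted on purpose so it splits into arguments.
        if ! git log --format='%H%x09%ae%x09%ce' $range | check_emails "$ALLOWLIST" >&2; then
            echo "rejected $ref: commit e-mail address not on the allowlist" >&2
            status=1
        fi
    done
    return $status
}

# Run as a hook only when installed under the name pre-receive.
case "$0" in */pre-receive) pre_receive ;; esac
```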