[Zope-dev] [Checkins] SVN: zc.buildout/ Moved to github

Lennart Regebro regebro at gmail.com
Sun Aug 19 08:17:14 UTC 2012


On Sun, Aug 19, 2012 at 8:49 AM, Jens Vagelpohl <jens at dataflake.org> wrote:
>
> On Aug 18, 2012, at 21:46 , Lennart Regebro <regebro at gmail.com> wrote:
>
>> Yes, but my question is why this changes with github.
>
> GitHub is a third party infrastructure run by other people. I cannot ascertain how well it enforces our requirement that all checkins must be from signed contributors only.

I have to say that I find it to be without any reasonable doubt
without question that you can only write to a repository if you have
write access. Questioning this is to me somewhat surprising, and we
might as well claim that we can't ascertain how well the current SVN
server enforces our requirements, as we don't know what undiscovered
security holes it might have.

> Furthermore, I cannot ascertain that private contributor data remains private (email addresses etc).

Is this really a requirement? Why is this a requirement? All you need
to enter at github is an email (which in practice is all we can verify
in ZF as well, as all communication is by email). Why does this email
address have to remain private?

> And since it becomes ever easier to accept code from unknown sources (e.g. pull requests) legal code ownership becomes an issue again.

And that returns me to my first question: Is it really legally
different for a contributor to accept a pull request from a
non-contributor compared with a contributor merging a patch from a
non-contributor?

//Lennart

