|Sam Ruby||Oct 13, 2016 1:27 pm|
|Greg Stein||Oct 13, 2016 10:31 pm|
|Mark Struberg||Oct 13, 2016 11:15 pm|
|Sam Ruby||Oct 14, 2016 3:29 am|
|John D. Ament||Oct 14, 2016 3:50 am|
|Felix Meschberger||Oct 14, 2016 4:52 am|
|Mark Struberg||Oct 14, 2016 6:37 am|
|Felix Meschberger||Oct 14, 2016 7:16 am|
|Greg Stein||Oct 14, 2016 7:26 am|
|Mark Struberg||Oct 14, 2016 7:51 am|
|Mark Struberg||Oct 14, 2016 8:00 am|
|Jim Jagielski||Oct 17, 2016 8:30 am|
|Sam Ruby||Oct 17, 2016 8:48 am|
|Isabel Drost-Fromm||Oct 19, 2016 3:58 am|
|Subject:||Re: [discuss] Apache OpenWhisk Incubator Proposal|
|From:||Greg Stein (gst...@gmail.com)|
|Date:||Oct 14, 2016 7:26:23 am|
On Fri, Oct 14, 2016 at 8:37 AM, Mark Struberg <stru...@yahoo.de.invalid> wrote:
The problem with github is that we (ASF) cannot give any guarantees if the main stuff doesn't originate from our own hardware.
Git repositories are effectively cryptographically-signed (weak/strong, immaterial to this discussion), so a readonly mirror on ASF hardware is equivalent to a read/write repository living on GitHub.
Not whether the ticket system doesn't loose all tickets (didn't that happen in the past?) nor whether really only IP clean stuff got committed.
All commits, issues, PRs, etc will/must be sent to ASF mailing lists for archival. Some projects do/have used third party systems. The ASF doesn't mind, as long as we capture that work into our archives.
You e.g. have no clue if someone else uses your email and name in a commit and pushes it. Everyone else can create a commit with your email and name in GIT, there is no check. And when pulling in changes, a faked one might get piggy packed and introduce a backdoor. I know this might be close to paranoid but it is theoretically possible.
We require that anybody committing to a GitHub repository authenticates with BOTH: GitHub, and the ASF. No commits without that multiple authentication. (this is based on our current experiments with Whimsy and Traffic Server; same rules would apply to this podling)
The workflow with git hosted @ASF is btw pretty much exactly the same for committers. And a PR integration does exist as well. So I don't see what you miss?
ASF repositories mirrored to GitHub cannot merge/close PRs. They cannot manage issues. They cannot use labels. There is a large amount of GitHub tooling that is not available to ASF-based projects/workflows. The Github repository is a simple mirror. ... OpenWhisk proposes to continue using their GitHub workflows and tooling during incubation. At the *end* of incubation, the Foundation will allow them to stay (as we'll be allowing other projects to similarly change their focal point of development), or they will be required to shift their focal point to ASF-based workflows (as we require today).