[Zope-dev] We need to change how code ownership works.

Lennart Regebro regebro at gmail.com
Mon Aug 20 07:19:21 UTC 2012


On Mon, Aug 20, 2012 at 9:07 AM, Jens Vagelpohl <jens at dataflake.org> wrote:
> Maintaining the chain of custody doesn't just consist of selecting pull requests or patches coming from somewhere. It also means verifying the contributor - be it the one who is creating the patch or pull request or the one who is merging new code into the repository - is who he claims to be. In the current setup the verification of the merging contributor is done using unique SSH logins with keys for every contributor, which works very well.

Once again I have to say that I think it's beyond any reasonable doubt
that whoever is using a github account is the owner of that account.
Somebody could steal an SSH key as well. I'm pretty sure that the
claim "I know it says that Jens did the checkin, but in fact it was
me, I had stolen his account, so therefore I own the copyright" is
hardly a claim that will hold up in a court of law.

> - Read access for everyone including anonymous viewers

Github: Check.

> - Write access for signed contributors only

Github: Check.

> - Signed contributors must be able to create new repositories themselves (current analogy: A contributor adds a new project on svn.zope.org)

Github: Check.

> - Good verification that a login to the chosen system represents a specific person/contributor (current example: access via unique SSH logins with keys)

Github: Check.

> - Only ZF-appointed contributor admins may open access for contributors after receiving and verifying signed contributor agreements (currently Andreas Jung as officially appointed contributor committee member and Christian Theune as board member and contributor committee member handle this job)

Github: I don't know. I took the liberty of adding you to one of my
repos as collaborator, but I didn't find any way to change your
privileges so that you also could add collaborators, so someone else
has to answer that more closely. (I removed you as a collaborator
again, but just FYI: If anyone wants write access to my github repos
you'll probably get it. :-) )

> - Only ZF-appointed contributor admins (see above) may change or revoke access privileges for contributors

Same thing, no?

> - a reasonably convenient web view onto the repositories/projects for visitors and contributors

Github: Check.

> - a reasonably convenient way (e.g. web admin capabilities) for the ZF contributor administration to do their job

Github: Check.


The discussion is not github or nothing, but almost. Github makes open
source easier. I got angry when Plone moved to github with basically
no discussion, but there is no doubt that it was the right decision.

//Lennart
