[oe] Getting patches committed

Richard Purdie rpurdie at rpsys.net
Fri Jan 22 00:40:25 UTC 2010


On Fri, 2010-01-22 at 01:13 +0100, Stanislav Brabec wrote:
> Rolf Leggewie wrote:
> > funny thing.  I was discussing something like this with RP just when you
> > sent this mail.  It's not as straightforward as it may sound, though.
> > First of all, I think we'd need several, possibly unlimited number of
> > FFA branches.  Second, RP and I agreed that security implications are a
> > concern if we allow commit access completely uninhibited.
> 
> Security in the world of open source is always based on a web of trust.
[...]
> Watching this would probably require a professional team subscribed to
> vendor-sec, and backporting fixes to stable branches.

Let's live in the real world here. Allowing what amounts to anonymous
access to an account on the server is not what I'd call sensible. No, OE
isn't perfect about security fixes but that's totally unrelated to
whether we'd like the main server to be secure.

Yes, there are ways of restricting access to the commands anonymous
access could run but we don't have a full time team of admins looking
after it and I don't like the idea of painting a target on the machine.

I would be perfectly happy to see a repo that anyone can request access
to and maintain branches of their patches in. This would make it easier
to review and for devs to pull from. If an enterprising person starts
collating patches and does a good job they stand a good chance of
getting .dev access - the subsystem maintainer model of the Linux kernel
works well.

There is a new gitosis replacement available that allows branch level
access control and I'd like us to start using it.

Cheers,

Richard
