Hi,

Right now our git workflow uses Gerrit as a means to facilitate code review and verification of patches. The way we have it set up is that the code must be reviewed, and must have 'mvn verify' pass on our Jenkins server (or have that overridden by manual testing, but this shouldn't happen normally). Patches get submitted to Gerrit first, and then when merged into Gerrit's internal master after review, they get pushed to "official" repositories that folks fetch changes from normally.

I was reading about how to alter this workflow a bit to instead now use ASF's git repository (instead of Google Code) as a new upstream from our Gerrit server, and I came across this document: https://www.apache.org/dev/writable-git . The concerning part to me was this: "The ASF repo must be the canonical master repo that all committers push changes to." In the explanation of this rule, this page (http://www.sunstarsys.com/essays/git-and-non-repudiation) is linked, and it goes on to explain the concept of push records.

If I understand the two above pages correctly, the situation is that only a committer (i.e., not a robot authorized by a committer) can actually log into the ASF git repo to push new changes. Is this indeed correct? If so, what options might we have for a git workflow similar to the one we have now?

The reason we deployed Gerrit and Jenkins was to have better gatekeeping over what commits got into master, so I think any tool chain that would achieve that end could be worth discussing. Do GitHub pull requests work on ASF mirrored repos, the same as they do on normal GitHub repos?

Thanks,
- Ian
