* James Le Cuirot <ch...@gentoo.org> [150920 04:45]:
> On Sat, 19 Sep 2015 20:12:06 -0400
> Michael Orlitzky <m...@gentoo.org> wrote:
> 
> > Has anyone ever set up Gitlab or Gerrit, managed by a package manager,
> > in a way that a small bug won't grant anonymous write access to every
> > single repository?
> > 
> > Web projects tend to assume that they're the only application/user on
> > the server. And as far as security is concerned, that the server is
> > in a locked closet with no internet connection. Most of them crash
> > when you try to fix those assumptions.
> 
> We use GitLab at work and I do like it but I don't know how it fares
> for much larger projects. I know less about Gerrit but it is used by
> high profile projects like CyanogenMod. We've also had it recommended
> numerous times in #gentoo-java by zxiiro, who works for the Linux
> Foundation and used to work for the Eclipse Foundation. I think it's
> worth a try but no, I'm not volunteering. ;) Having said that, it is
> written in Java and if we insist on installing these things through
> Portage (I suppose we should eat our own dog food) then I would be
> willing to make a push on getting it into the tree. It might be tricky
> though, not least because it uses the Buck build system, which I've
> never seen used anywhere else and isn't currently in the tree either.
> 
> -- 
> James Le Cuirot (chewi)
> Gentoo Linux Developer

For what it's worth, I set up Gerrit for my company (small startup so
no experience with a big team, though I've heard of its use for large
teams much more often) a year ago.

I set it up once on Gentoo (manually using tools in the package or git
tree) and didn't set up an ebuild or anything.

I then set it up "for real" on an Ubuntu server (standard company
internal server platform.)

I'm about as far from a Java person as one can be (aside from having to
dig around in Android) but it was relatively uneventful including
getting Buck built and set up.

It's certainly not been security vetted by more than a couple developers
though as it's on an internal network (though of course we still try to make
it as secure as possible.)

We have it tied in with our bug tracking system (JIRA) so it can
transition tasks once a review has been approved and link the two (JIRA
ticket has links to the Gerrit review and vice versa.)

We haven't had too many problems with it.  Most of our problems seem to
be with people having issues with git itself (it was new to almost
everyone on the team) and not embracing a good workflow with it (or
trying to only use git via Eclipse.)

We have 80 or so Android repos and a much smaller handful of proprietary
repos in use.

Todd