On Fri, 2010-01-22 at 01:13 +0100, Stanislav Brabec wrote:
> Rolf Leggewie wrote:
> > Funny thing. I was discussing something like this with RP just when you
> > sent this mail. It's not as straightforward as it may sound, though.
> > First of all, I think we'd need several, possibly unlimited number of
> > FFA branches. Second, RP and I agreed that security implications are a
> > concern if we allow commit access completely uninhibited.
>
> Security in the world of open source is always based on a web of trust.
> [...]
> Watching this would probably require a professional team subscribed to
> vendor-sec, and backporting fixes to stable branches.
Let's live in the real world here. Allowing what amounts to anonymous access to an account on the server is not what I'd call sensible. No, OE isn't perfect about security fixes, but that's totally unrelated to whether we'd like the main server to be secure. Yes, there are ways of restricting access to the commands anonymous access could run, but we don't have a full-time team of admins looking after it and I don't like the idea of painting a target on the machine.

I would be perfectly happy to see a repo that anyone can request access to and maintain branches of their patches in. This would make it easier to review and for devs to pull from. If an enterprising person starts collating patches and does a good job, they stand a good chance of getting .dev access - the subsystem maintainer model of the Linux kernel works well.

There is a new gitosis replacement available that allows branch-level access control and I'd like us to start using it.

Cheers,

Richard

_______________________________________________
Openembedded-devel mailing list
[email protected]
http://lists.linuxtogo.org/cgi-bin/mailman/listinfo/openembedded-devel
