On Sunday, February 16, 2014 04:03:24 PM Shawn Wells wrote:
> As the SSG development community grows, so does the need for matured
> tools and workflow. There's been some discussion of moving to GitHub.
> 
> On the pro side:
>      * Easier to signup and request commit access

Why is this a good thing? Do you really want _anybody_ able to commit? There 
has to be strict sign-off or review before committing code in any security-
sensitive project.


>      * Most committers likely to have GitHub account for other projects
> anyway
>      * Easier for community to fork SSG code (e.g. gitmachines project)

Again, why is this a good thing? Don't we want everyone making a common core 
of code better? Or do you want one group to fork the code and do it better and 
not even tell you there are problems? Keeping everyone in the same boat and 
rowing in the same direction is better all around.


>      * Dramatically better ticketing system
>              - labels
>              - user-friendly GUI
>              - git commit hooks (put ticket # in patch title, auto
> resolves ticket)
>              - multi-developer collaboration on tickets easier through
> @name calls
>      * "Pull Request" concept: Patches centrally managed and merged,
> ensures no missed patches on mailing list
>      * Simplified branching (e.g. allows a -stable and -dev branch).
> Possible on FedoraHosted, not as intuitive
>      * Increased reliability of infrastructure (especially latency of
> git pulls)
> 
> On the cons:
>      * Slight developer hassle to migrate SSH keys
>      * "Not hosted by RedHat" -- concern from some that migrating from a
> redhat/fedora hosted URL will diminish project brand.

How good is GitHub? It's got a reputation for code that is anonymously dumped 
and not maintained. Another con: GitHub has been hacked... Fedorahosted, not:

https://github.com/blog/1068-public-key-security-vulnerability-and-mitigation

I personally think code provenance and supply chain assurance should trump 
everything else.

-Steve
_______________________________________________
scap-security-guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide