Re: Git write access for podlings
On 02.01.2015 11:36, Stian Soiland-Reyes wrote:
> Apache Commons has already given write access to *all* ASF committers

So did Subversion, quite a while ago.

If you get rogue commits from someone, the solution is not extra tooling but community management. Even more so in the case of the Incubator, where access is restricted to IPMC members and podling committers — all of whom should be well aware that you can't just go messing in some code without checking with the project community first.

Understanding the concept of community over code and how to collaborate is a requirement for new committers and triply so for IPMC members.

-- Brane

To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org
For additional commands, e-mail: general-h...@incubator.apache.org
Re: Git write access for podlings
On 02/01/15 16:40, David Nalley wrote:
> On Fri, Jan 2, 2015 at 5:36 AM, Stian Soiland-Reyes st...@apache.org wrote:
>> Git allows you to commit as whoever you want - e.g. like in SMTP email, the headers are decided by the sender. SVN on the other hand will show the authenticated user in the commit log.
>>
>> So - speaking as a former sysadmin - it sounds a bit daring to let anyone new to Apache from a fresh Incubator proposal to also get instant write access to all Incubator projects, including those that are just about to graduate.
>
> From a git commit log perspective, this is true, but we also retain push records that show us the user authenticated as, as well as the IP Address they are pushing commits from.
> In example: https://git-wip-us.apache.org/logs/asf/incubator-nifi.git

I looked at Jena's log and until Dec 2 this year, the IP address was always @http.192.168.0.58 and since 2014-12-03 there are likely looking true IP addresses but of the NAT gateway used.

Andy

>> That said - assuming there has not been any reported abuse of this global write access - then it is a very good sign of all the new committers being responsible people - or perhaps they just didn't know they had that write access to begin with :). It's a trust-thing - I remember when I started my first proper sysadmin job, and on day one received the root passwords for systems running web and email for 30.000 students. Don't mess it up was implicit.
>>
>> Apache Commons has already given write access to *all* ASF committers [1] - which would presumably include any incubator committers. If it's good enough for Commons, it should be good enough for Incubator. Part of moving to Apache is also to trust all your committers.
>>
>> [1] https://mail-archives.apache.org/mod_mbox/commons-dev/201412.mbox/%3ccab917rjy57z-4pnwthvr9tuq7y3td8usg8jcmhvdthalwho...@mail.gmail.com%3E
>>
>> Even with the danger of introducing a bigger temptation by explicitly documenting the incubator-wide write policy - I would still +1 to document this so you are aware and don't accidentally push back (as git workflow is to commit locally and it is a bit easy to accidentally do git push) - with a clause that this does not mean you have formally become a committer on the other incubator projects.
>>
>> I would propose to also improve documentation at
>> http://wiki.apache.org/general/GitAtApache
>> http://www.apache.org/dev/git.html
>> http://www.apache.org/dev/writable-git
>> so it does not give impression you have to use SVN-with-git-mirroring or that writeable GIT is experimental. I don't know enough about the particular setup at git.apache.org yet to do it myself.
>
> sigh I thought we had removed all of the experimental labels. Thanks for finding these.
>
> --David
Re: Git write access for podlings
On Fri, Jan 2, 2015 at 5:36 AM, Stian Soiland-Reyes st...@apache.org wrote:
> Git allows you to commit as whoever you want - e.g. like in SMTP email, the headers are decided by the sender. SVN on the other hand will show the authenticated user in the commit log.
>
> So - speaking as a former sysadmin - it sounds a bit daring to let anyone new to Apache from a fresh Incubator proposal to also get instant write access to all Incubator projects, including those that are just about to graduate.

From a git commit log perspective, this is true, but we also retain push records that show us the user authenticated as, as well as the IP Address they are pushing commits from.
In example: https://git-wip-us.apache.org/logs/asf/incubator-nifi.git

> That said - assuming there has not been any reported abuse of this global write access - then it is a very good sign of all the new committers being responsible people - or perhaps they just didn't know they had that write access to begin with :). It's a trust-thing - I remember when I started my first proper sysadmin job, and on day one received the root passwords for systems running web and email for 30.000 students. Don't mess it up was implicit.
>
> Apache Commons has already given write access to *all* ASF committers [1] - which would presumably include any incubator committers. If it's good enough for Commons, it should be good enough for Incubator. Part of moving to Apache is also to trust all your committers.
>
> [1] https://mail-archives.apache.org/mod_mbox/commons-dev/201412.mbox/%3ccab917rjy57z-4pnwthvr9tuq7y3td8usg8jcmhvdthalwho...@mail.gmail.com%3E
>
> Even with the danger of introducing a bigger temptation by explicitly documenting the incubator-wide write policy - I would still +1 to document this so you are aware and don't accidentally push back (as git workflow is to commit locally and it is a bit easy to accidentally do git push) - with a clause that this does not mean you have formally become a committer on the other incubator projects.
>
> I would propose to also improve documentation at
> http://wiki.apache.org/general/GitAtApache
> http://www.apache.org/dev/git.html
> http://www.apache.org/dev/writable-git
> so it does not give impression you have to use SVN-with-git-mirroring or that writeable GIT is experimental. I don't know enough about the particular setup at git.apache.org yet to do it myself.

sigh I thought we had removed all of the experimental labels. Thanks for finding these.

--David
Re: Git write access for podlings
On Fri, Jan 2, 2015 at 11:52 AM, Andy Seaborne a...@apache.org wrote:
> On 02/01/15 16:40, David Nalley wrote:
>> On Fri, Jan 2, 2015 at 5:36 AM, Stian Soiland-Reyes st...@apache.org wrote:
>>> Git allows you to commit as whoever you want - e.g. like in SMTP email, the headers are decided by the sender. SVN on the other hand will show the authenticated user in the commit log.
>>>
>>> So - speaking as a former sysadmin - it sounds a bit daring to let anyone new to Apache from a fresh Incubator proposal to also get instant write access to all Incubator projects, including those that are just about to graduate.
>>
>> From a git commit log perspective, this is true, but we also retain push records that show us the user authenticated as, as well as the IP Address they are pushing commits from.
>> In example: https://git-wip-us.apache.org/logs/asf/incubator-nifi.git
>
> I looked at Jena's log and until Dec 2 this year, the IP address was always @http.192.168.0.58 and since 2014-12-03 there are likely looking true IP addresses but of the NAT gateway used.

Indeed - originally git-wip-us was directly exposed to the internet. That changed a couple of years back and we had a SSL terminator host (which had the internal address of 192.168.0.58, because we failed to enable the forwarded IP address.) That's since been dealt with, but history is what it is.

The generally, more useful item is that someone authenticated (successfully) as $user and pushed a commit.

--David
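The point made in the exchange above (Git author headers are chosen by the sender, while server-side push records show the authenticated account and source address), as an added example that is not part of the thread and not ASF tooling: a Python check that compares each pushed commit's self-declared headers with the account that authenticated the push, and marks internal source addresses such as the 192.168.0.58 SSL terminator as unusable for attribution. The push-record layout, the account-to-e-mail mapping, the status names and all sample data are constructed assumptions.

```python
import ipaddress
from collections import namedtuple

# Constructed push records (assumed layout, NOT the ASF push-log format):
# timestamp|authenticated_user|source_ip|ref|commit
SAMPLE_PUSH_LOG = """\
2014-11-30T10:02:11Z|alice|192.168.0.58|refs/heads/master|a1b2c3d
2014-12-04T09:15:40Z|bob|203.0.113.7|refs/heads/master|e4f5a6b
2014-12-05T18:44:02Z|bob|203.0.113.7|refs/heads/master|c7d8e9f
2014-12-06T08:30:00Z|bob|203.0.113.7|refs/heads/master|0a1b2c3
"""

# Constructed commit metadata, shaped like `git log --format='%h|%ae|%ce'`
SAMPLE_COMMITS = """\
a1b2c3d|alice@example.org|alice@example.org
e4f5a6b|bob@example.org|bob@example.org
c7d8e9f|alice@example.org|alice@example.org
0a1b2c3|carol@example.org|bob@example.org
"""

# Constructed mapping: authenticated account -> e-mail addresses it owns
ACCOUNT_EMAILS = {"alice": {"alice@example.org"}, "bob": {"bob@example.org"}}

# RFC 1918 ranges: an address here is a proxy or NAT hop, not the pusher
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

Finding = namedtuple("Finding", "commit pusher author status ip_reliable")


def parse_commits(text):
    """Return {commit: (author_email, committer_email)}."""
    commits = {}
    for line in text.splitlines():
        parts = line.strip().split("|")
        if len(parts) == 3:
            commits[parts[0]] = (parts[1].lower(), parts[2].lower())
    return commits


def ip_is_reliable(raw):
    """False when the logged address cannot identify the pusher's network."""
    try:
        addr = ipaddress.ip_address(raw)
    except ValueError:
        return False  # not an address at all (e.g. a host label)
    return not any(addr in net for net in INTERNAL_NETS)


def classify(pusher, author, committer, account_emails):
    """Compare self-declared git headers with the authenticated account."""
    owned = account_emails.get(pusher, set())
    if author in owned:
        return "ok"
    if committer in owned:
        return "third-party-author"  # normal when applying someone's patch
    # Neither header belongs to the authenticated account: worth a look,
    # although pushing a colleague's fetched commits is also legitimate.
    return "identity-mismatch"


def audit(push_log, commit_text, account_emails):
    """Return one Finding per well-formed push record."""
    commits = parse_commits(commit_text)
    findings = []
    for line in push_log.splitlines():
        parts = line.strip().split("|")
        if len(parts) != 5:
            continue  # skip blank or malformed records
        _ts, pusher, ip, _ref, commit = parts
        reliable = ip_is_reliable(ip)
        if commit not in commits:
            findings.append(Finding(commit, pusher, "", "commit-unknown", reliable))
            continue
        author, committer = commits[commit]
        status = classify(pusher, author, committer, account_emails)
        findings.append(Finding(commit, pusher, author, status, reliable))
    return findings
```

The authenticated account in the push record is the trustworthy field; the author header and a gateway address are only hints for review.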
Re: Git write access for podlings
Git allows you to commit as whoever you want - e.g. like in SMTP email, the headers are decided by the sender. SVN on the other hand will show the authenticated user in the commit log.

So - speaking as a former sysadmin - it sounds a bit daring to let anyone new to Apache from a fresh Incubator proposal to also get instant write access to all Incubator projects, including those that are just about to graduate.

That said - assuming there has not been any reported abuse of this global write access - then it is a very good sign of all the new committers being responsible people - or perhaps they just didn't know they had that write access to begin with :). It's a trust-thing - I remember when I started my first proper sysadmin job, and on day one received the root passwords for systems running web and email for 30.000 students. Don't mess it up was implicit.

Apache Commons has already given write access to *all* ASF committers [1] - which would presumably include any incubator committers. If it's good enough for Commons, it should be good enough for Incubator. Part of moving to Apache is also to trust all your committers.

[1] https://mail-archives.apache.org/mod_mbox/commons-dev/201412.mbox/%3ccab917rjy57z-4pnwthvr9tuq7y3td8usg8jcmhvdthalwho...@mail.gmail.com%3E

Even with the danger of introducing a bigger temptation by explicitly documenting the incubator-wide write policy - I would still +1 to document this so you are aware and don't accidentally push back (as git workflow is to commit locally and it is a bit easy to accidentally do git push) - with a clause that this does not mean you have formally become a committer on the other incubator projects.

I would propose to also improve documentation at
http://wiki.apache.org/general/GitAtApache
http://www.apache.org/dev/git.html
http://www.apache.org/dev/writable-git
so it does not give impression you have to use SVN-with-git-mirroring or that writeable GIT is experimental. I don't know enough about the particular setup at git.apache.org yet to do it myself.

On 31 December 2014 at 14:56, Ted Dunning ted.dunn...@gmail.com wrote:
> On Wed, Dec 31, 2014 at 12:27 PM, John D. Ament johndam...@apache.org wrote:
>> On Wed Dec 31 2014 at 2:45:48 PM David Nalley da...@gnsa.us wrote:
>>> On Wed, Dec 31, 2014 at 2:40 PM, John D. Ament johndam...@apache.org wrote:
>>>> On Wed Dec 31 2014 at 2:24:36 PM David Nalley da...@gnsa.us wrote:
>>>>> On Wed, Dec 31, 2014 at 11:59 AM, John D. Ament johndam...@apache.org wrote:
>>>>>> Hi,
>>>>>>
>>>>>> So something Jan and I ran into on the infra list, does anyone know definitively what the access rights given to a podling's git repo are, if they request one (instead of a svn directory)?
>>>>>>
>>>>>> If nothing else we should document it somewhere on the incubator site indicating the permission sets for both svn and git.
>>>>>>
>>>>>> My current understanding is that svn sites are typically incubator wide, svn repos are confined to a specific list, and git repos are incubator wide. The git one in particular because we don't create ldap groups for podlings and I've heard that we only do groups in git (not individual lists).
>>>>>
>>>>> git is tied to LDAP, and all podling repos are writable by anyone in the incubator LDAP group. (there are no podling LDAP groups)
>>>>
>>>> Got it thanks. I'll update the docs to reflect this as the permission scheme. And here I think will come in Jan's bigger question - do we really want all podling committers to be able to commit to all other podlings?
>>>
>>> My question is: What problem are you trying to solve? And has it really proven to be a problem? I don't think anyone has abused their ability to commit to all projects, and it's been this way as long as git has been available.
>>
>> I'm not sure that there will be an issue. It could just be a couple of IPMC members being a little more cautious than needed. It's more than likely no one's going to care.
>>
>> To date, we have always told podlings that the initial committers and your mentors are the ones who have write access. Now we're saying if you're using git, it's any of the 1k + (I might be way off) members of the incubator group.
>>
>> Would it be much harder to create the ldap group up front when the podling's created, and shuffle people in/out at graduation?
>
> If it ain't broke ...
>
> Is there even a problem? I haven't ever heard of it. If there isn't a problem, why are you worried about it?

--
Stian Soiland-Reyes
Apache Taverna (incubating)
http://orcid.org/-0001-9842-9718
Re: Git write access for podlings
On 31 December 2014 at 17:59, John D. Ament johndam...@apache.org wrote:
> Hi,
>
> So something Jan and I ran into on the infra list, does anyone know definitively what the access rights given to a podling's git repo are, if they request one (instead of a svn directory)?
>
> If nothing else we should document it somewhere on the incubator site indicating the permission sets for both svn and git.
>
> My current understanding is that svn sites are typically incubator wide, svn repos are confined to a specific list, and git repos are incubator wide. The git one in particular because we don't create ldap groups for podlings and I've heard that we only do groups in git (not individual lists).

thanks john for moving this into a general discussion.

Your description is correct.

My view is that SVN sites should be incubator wide, but GIT and SVN podling repos should NOT be incubator wide. However I say this without knowing the technical implications so it is my hope that people like jfarrell will chime in.

rgds
jan i.

> John
Re: Git write access for podlings
On Wed, Dec 31, 2014 at 11:59 AM, John D. Ament johndam...@apache.org wrote:
> Hi,
>
> So something Jan and I ran into on the infra list, does anyone know definitively what the access rights given to a podling's git repo are, if they request one (instead of a svn directory)?
>
> If nothing else we should document it somewhere on the incubator site indicating the permission sets for both svn and git.
>
> My current understanding is that svn sites are typically incubator wide, svn repos are confined to a specific list, and git repos are incubator wide. The git one in particular because we don't create ldap groups for podlings and I've heard that we only do groups in git (not individual lists).

git is tied to LDAP, and all podling repos are writable by anyone in the incubator LDAP group. (there are no podling LDAP groups)

svn is far more fine grained. By default (I think) if you don't create a podling group, anything under the Incubator's tree in SVN is writable by any member of the incubator. But you can certainly create a group and make it more restrictive.

--David
Re: Git write access for podlings
On Wed Dec 31 2014 at 2:24:36 PM David Nalley da...@gnsa.us wrote:
> On Wed, Dec 31, 2014 at 11:59 AM, John D. Ament johndam...@apache.org wrote:
>> Hi,
>>
>> So something Jan and I ran into on the infra list, does anyone know definitively what the access rights given to a podling's git repo are, if they request one (instead of a svn directory)?
>>
>> If nothing else we should document it somewhere on the incubator site indicating the permission sets for both svn and git.
>>
>> My current understanding is that svn sites are typically incubator wide, svn repos are confined to a specific list, and git repos are incubator wide. The git one in particular because we don't create ldap groups for podlings and I've heard that we only do groups in git (not individual lists).
>
> git is tied to LDAP, and all podling repos are writable by anyone in the incubator LDAP group. (there are no podling LDAP groups)

Got it thanks. I'll update the docs to reflect this as the permission scheme. And here I think will come in Jan's bigger question - do we really want all podling committers to be able to commit to all other podlings?

> svn is far more fine grained. By default (I think) if you don't create a podling group, anything under the Incubator's tree in SVN is writable by any member of the incubator. But you can certainly create a group and make it more restrictive.
>
> --David
Re: Git write access for podlings
On Wed, Dec 31, 2014 at 2:40 PM, John D. Ament johndam...@apache.org wrote:
> On Wed Dec 31 2014 at 2:24:36 PM David Nalley da...@gnsa.us wrote:
>> On Wed, Dec 31, 2014 at 11:59 AM, John D. Ament johndam...@apache.org wrote:
>>> Hi,
>>>
>>> So something Jan and I ran into on the infra list, does anyone know definitively what the access rights given to a podling's git repo are, if they request one (instead of a svn directory)?
>>>
>>> If nothing else we should document it somewhere on the incubator site indicating the permission sets for both svn and git.
>>>
>>> My current understanding is that svn sites are typically incubator wide, svn repos are confined to a specific list, and git repos are incubator wide. The git one in particular because we don't create ldap groups for podlings and I've heard that we only do groups in git (not individual lists).
>>
>> git is tied to LDAP, and all podling repos are writable by anyone in the incubator LDAP group. (there are no podling LDAP groups)
>
> Got it thanks. I'll update the docs to reflect this as the permission scheme. And here I think will come in Jan's bigger question - do we really want all podling committers to be able to commit to all other podlings?

My question is: What problem are you trying to solve? And has it really proven to be a problem? I don't think anyone has abused their ability to commit to all projects, and it's been this way as long as git has been available.

--David
Re: Git write access for podlings
On Wed Dec 31 2014 at 2:45:48 PM David Nalley da...@gnsa.us wrote:
> On Wed, Dec 31, 2014 at 2:40 PM, John D. Ament johndam...@apache.org wrote:
>> On Wed Dec 31 2014 at 2:24:36 PM David Nalley da...@gnsa.us wrote:
>>> On Wed, Dec 31, 2014 at 11:59 AM, John D. Ament johndam...@apache.org wrote:
>>>> Hi,
>>>>
>>>> So something Jan and I ran into on the infra list, does anyone know definitively what the access rights given to a podling's git repo are, if they request one (instead of a svn directory)?
>>>>
>>>> If nothing else we should document it somewhere on the incubator site indicating the permission sets for both svn and git.
>>>>
>>>> My current understanding is that svn sites are typically incubator wide, svn repos are confined to a specific list, and git repos are incubator wide. The git one in particular because we don't create ldap groups for podlings and I've heard that we only do groups in git (not individual lists).
>>>
>>> git is tied to LDAP, and all podling repos are writable by anyone in the incubator LDAP group. (there are no podling LDAP groups)
>>
>> Got it thanks. I'll update the docs to reflect this as the permission scheme. And here I think will come in Jan's bigger question - do we really want all podling committers to be able to commit to all other podlings?
>
> My question is: What problem are you trying to solve? And has it really proven to be a problem? I don't think anyone has abused their ability to commit to all projects, and it's been this way as long as git has been available.

I'm not sure that there will be an issue. It could just be a couple of IPMC members being a little more cautious than needed. It's more than likely no one's going to care.

To date, we have always told podlings that the initial committers and your mentors are the ones who have write access. Now we're saying if you're using git, it's any of the 1k + (I might be way off) members of the incubator group.

Would it be much harder to create the ldap group up front when the podling's created, and shuffle people in/out at graduation?

John

> --David
RE: Git write access for podlings
+1

-----Original Message-----
From: David Nalley [mailto:da...@gnsa.us]
Sent: Wednesday, December 31, 2014 11:44
To: general@incubator.apache.org
Subject: Re: Git write access for podlings

[ ... ]

>> git is tied to LDAP, and all podling repos are writable by anyone in the incubator LDAP group. (there are no podling LDAP groups)
>
> Got it thanks. I'll update the docs to reflect this as the permission scheme. And here I think will come in Jan's bigger question - do we really want all podling committers to be able to commit to all other podlings?

My question is: What problem are you trying to solve? And has it really proven to be a problem? I don't think anyone has abused their ability to commit to all projects, and it's been this way as long as git has been available.

--David
Re: Git write access for podlings
On Wed, Dec 31, 2014 at 12:27 PM, John D. Ament johndam...@apache.org wrote:
> On Wed Dec 31 2014 at 2:45:48 PM David Nalley da...@gnsa.us wrote:
>> On Wed, Dec 31, 2014 at 2:40 PM, John D. Ament johndam...@apache.org wrote:
>>> On Wed Dec 31 2014 at 2:24:36 PM David Nalley da...@gnsa.us wrote:
>>>> On Wed, Dec 31, 2014 at 11:59 AM, John D. Ament johndam...@apache.org wrote:
>>>>> Hi,
>>>>>
>>>>> So something Jan and I ran into on the infra list, does anyone know definitively what the access rights given to a podling's git repo are, if they request one (instead of a svn directory)?
>>>>>
>>>>> If nothing else we should document it somewhere on the incubator site indicating the permission sets for both svn and git.
>>>>>
>>>>> My current understanding is that svn sites are typically incubator wide, svn repos are confined to a specific list, and git repos are incubator wide. The git one in particular because we don't create ldap groups for podlings and I've heard that we only do groups in git (not individual lists).
>>>>
>>>> git is tied to LDAP, and all podling repos are writable by anyone in the incubator LDAP group. (there are no podling LDAP groups)
>>>
>>> Got it thanks. I'll update the docs to reflect this as the permission scheme. And here I think will come in Jan's bigger question - do we really want all podling committers to be able to commit to all other podlings?
>>
>> My question is: What problem are you trying to solve? And has it really proven to be a problem? I don't think anyone has abused their ability to commit to all projects, and it's been this way as long as git has been available.
>
> I'm not sure that there will be an issue. It could just be a couple of IPMC members being a little more cautious than needed. It's more than likely no one's going to care.
>
> To date, we have always told podlings that the initial committers and your mentors are the ones who have write access. Now we're saying if you're using git, it's any of the 1k + (I might be way off) members of the incubator group.
>
> Would it be much harder to create the ldap group up front when the podling's created, and shuffle people in/out at graduation?

If it ain't broke ...

Is there even a problem? I haven't ever heard of it. If there isn't a problem, why are you worried about it?
Re: Git write access for podlings
Every PMC member of a running PMC has a responsibility to keep an eye out for crazy commits. Once this is reflected in the doc, it's good practice for PPMC members.

On Wed, Dec 31, 2014 at 3:56 PM, Ted Dunning ted.dunn...@gmail.com wrote:
> On Wed, Dec 31, 2014 at 12:27 PM, John D. Ament johndam...@apache.org wrote:
>> On Wed Dec 31 2014 at 2:45:48 PM David Nalley da...@gnsa.us wrote:
>>> On Wed, Dec 31, 2014 at 2:40 PM, John D. Ament johndam...@apache.org wrote:
>>>> On Wed Dec 31 2014 at 2:24:36 PM David Nalley da...@gnsa.us wrote:
>>>>> On Wed, Dec 31, 2014 at 11:59 AM, John D. Ament johndam...@apache.org wrote:
>>>>>> Hi,
>>>>>>
>>>>>> So something Jan and I ran into on the infra list, does anyone know definitively what the access rights given to a podling's git repo are, if they request one (instead of a svn directory)?
>>>>>>
>>>>>> If nothing else we should document it somewhere on the incubator site indicating the permission sets for both svn and git.
>>>>>>
>>>>>> My current understanding is that svn sites are typically incubator wide, svn repos are confined to a specific list, and git repos are incubator wide. The git one in particular because we don't create ldap groups for podlings and I've heard that we only do groups in git (not individual lists).
>>>>>
>>>>> git is tied to LDAP, and all podling repos are writable by anyone in the incubator LDAP group. (there are no podling LDAP groups)
>>>>
>>>> Got it thanks. I'll update the docs to reflect this as the permission scheme. And here I think will come in Jan's bigger question - do we really want all podling committers to be able to commit to all other podlings?
>>>
>>> My question is: What problem are you trying to solve? And has it really proven to be a problem? I don't think anyone has abused their ability to commit to all projects, and it's been this way as long as git has been available.
>>
>> I'm not sure that there will be an issue. It could just be a couple of IPMC members being a little more cautious than needed. It's more than likely no one's going to care.
>>
>> To date, we have always told podlings that the initial committers and your mentors are the ones who have write access. Now we're saying if you're using git, it's any of the 1k + (I might be way off) members of the incubator group.
>>
>> Would it be much harder to create the ldap group up front when the podling's created, and shuffle people in/out at graduation?
>
> If it ain't broke ...
>
> Is there even a problem? I haven't ever heard of it. If there isn't a problem, why are you worried about it?