Jonathan Revusky wrote:
> I revert to my statement that a version repository makes it quite easy
> to restore the code to any point it was at in the past.
>
> In any case, consider some potential bad consequences of letting just
> about anybody commit:
>
> 1. On occasion, people start committing all kinds of bad code and it's a
> lot of work for you to start sorting it out. (This very rarely happens
> because new people are typically very timid in their initial commits,
> and don't do drastic things, their commits are small and localized and
> could be rolled back easily.)
>
> 2. Once in a very long while, let's say 10 or 20 years, somebody with
> sociopathic tendencies comes along and... I dunno... starts introducing
> bugs deliberately. (But c'mon, this just about never happens.)
>
> Now, let's consider the consequences of making it very hard, nigh
> impossible, for new people to get involved.
>
> A talented, energetic person who has a fire in his belly to do some
> stuff is given the runaround. You drive that person away. You lose all
> the contributions he would have made. Moreover, that energy gets
> invested in the competing project (in our conceptual experiment above)
> with low barriers to entry.
>
> Which is going to be the bigger negative for a project, the above point,
> or points 1 and 2 above?

There are other potential bad consequences than the two listed above. Consider

3. Subtle errors and exploitable security holes get introduced, either inadvertently or intentionally.

While a revision control system allows backing out changes, each change must be carefully considered. A security hole or other error may not be the result of a single change, but of multiple changes made in multiple locations and, perhaps, at multiple times. While open source allows a large number of eyes to see the code, it's not that easy to review code in depth and spot such problems. Much trust is placed on the skill, attention, and thoroughness of the committers.

Consider the C2 Wiki and Wikipedia as analogies. Yes, it's easy to delete obviously false information. It's just as easy to reintroduce it. Keeping the worst of the cruft out is pretty much a full-time job for volunteers who take on the task, and there's not even agreement between them which is the cruft. Subtle or infrequently viewed incorrect information can, and does, remain for long periods of time. Spectacular failures occur that make headlines in the mass news media.

I, for one, would never recommend to any business enterprise that they use Struts for important applications if the source was not vetted and controlled by a small, trusted committee. Your needs may not have such requirements for trustworthiness. But if businesses were to abandon use of Struts for important applications, would that be a reasonable trade-off for the contributions of your talented, energetic person? Or would the loss of talented, careful people, who needed a framework for business use where large sums of money are at risk, be a larger negative for the project?

 - George Dinwiddie
   http://www.idiacomputing.com/