On Mon, Aug 20, 2012 at 9:07 AM, Jens Vagelpohl <j...@dataflake.org> wrote:
> Maintaining the chain of custody doesn't just consist of selecting pull
> requests or patches coming from somewhere. It also means verifying the
> contributor - be it the one who is creating the patch or pull request or the
> one who is merging new code into the repository - is who he claims to be. In
> the current setup the verification of the merging contributor is done using
> unique SSH logins with keys for every contributor, which works very well.

Once again I have to say that I think it's beyond any reasonable doubt that whoever is using a github account is the owner of that account. Somebody could steal an SSH key as well. I'm pretty sure that the claim "I know it says that Jens did the checkin, but in fact it was me, I had stolen his account, so therefore I own the copyright" is hardly a claim that will hold up in a court of law.

> - Read access for everyone including anonymous viewers

Github: Check.

> - Write access for signed contributors only

Github: Check.

> - Signed contributors must be able to create new repositories themselves
> (current analogy: A contributor adds a new project on svn.zope.org)

Github: Check.

> - Good verification that a login to the chosen system represents a specific
> person/contributor (current example: access via unique SSH logins with keys)

Github: Check.

> - Only ZF-appointed contributor admins may open access for contributors after
> receiving and verifying signed contributor agreements (currently Andreas
> Jung as officially appointed contributor committee member and Christian
> Theune as board member and contributor committee member handle this job)

Github: I don't know. I took the liberty of adding you to one of my repos as collaborator, but I didn't find any way to change your privileges so that you also could add collaborators, so someone else has to answer that more closely. (I removed you as a collaborator again, but just FYI: If anyone wants write access to my github repos you'll probably get it. :-) )

> - Only ZF-appointed contributor admins (see above) may change or revoke
> access privileges for contributors

Same thing, no?

> - a reasonably convenient web view onto the repositories/projects for
> visitors and contributors

Github: Check

> - a reasonably convenient way (e.g. web admin capabilities) for the ZF
> contributor administration to do their job

Github: Check

The discussion is not github or nothing, but almost. Github makes open source easier.
I got angry when Plone moved to github with basically no discussion, but there is no doubt that it was the right decision.

//Lennart
_______________________________________________
Zope-Dev maillist - Zope-Dev@zope.org
https://mail.zope.org/mailman/listinfo/zope-dev
** No cross posts or HTML encoding! **
(Related lists -
 https://mail.zope.org/mailman/listinfo/zope-announce
 https://mail.zope.org/mailman/listinfo/zope )