Git write access for podlings

["John D. Ament" <jo...@apache.org>]

Hi,

So something Jan and I ran into on the infra list, does anyone know
definitively what the access rights given to a podling's git repo are, if
they request one (instead of a svn directory)?

If nothing else we should document it somewhere on the incubator site
indicating the permission sets for both svn and git.  My current
understanding is that svn sites are typically incubator wide, svn repos are
confined to a specific list, and git repos are incubator wide.  The git one
in particular because we don't create ldap groups for podlings and I've
heard that we only do groups in git (not individual lists).

John

Re: Git write access for podlings

[Benson Margulies <bi...@gmail.com>]

Every PMC member of a running PMC has a responsibility to keep an eye
out for crazy commits. Once this is reflected in the doc, it's good
practice for PPMC members.

On Wed, Dec 31, 2014 at 3:56 PM, Ted Dunning <te...@gmail.com> wrote:
> On Wed, Dec 31, 2014 at 12:27 PM, John D. Ament <jo...@apache.org>
> wrote:
>
>> On Wed Dec 31 2014 at 2:45:48 PM David Nalley <da...@gnsa.us> wrote:
>>
>> > On Wed, Dec 31, 2014 at 2:40 PM, John D. Ament <jo...@apache.org>
>> > wrote:
>> > > On Wed Dec 31 2014 at 2:24:36 PM David Nalley <da...@gnsa.us> wrote:
>> > >
>> > >> On Wed, Dec 31, 2014 at 11:59 AM, John D. Ament <
>> johndament@apache.org>
>> > >> wrote:
>> > >> > Hi,
>> > >> >
>> > >> > So something Jan and I ran into on the infra list, does anyone know
>> > >> > definitively what the access rights given to a podling's git repo
>> > are, if
>> > >> > they request one (instead of a svn directory)?
>> > >> >
>> > >> > If nothing else we should document it somewhere on the incubator
>> site
>> > >> > indicating the permission sets for both svn and git.  My current
>> > >> > understanding is that svn sites are typically incubator wide, svn
>> > repos
>> > >> are
>> > >> > confined to a specific list, and git repos are incubator wide.  The
>> > git
>> > >> one
>> > >> > in particular because we don't create ldap groups for podlings and
>> > I've
>> > >> > heard that we only do groups in git (not individual lists).
>> > >> >
>> > >>
>> > >> git is tied to LDAP, and all podling repos are writable by anyone in
>> > >> the incubator LDAP group. (there are no podling LDAP groups)
>> > >>
>> > >
>> > > Got it thanks.  I'll update the docs to reflect this as the permission
>> > > scheme.
>> > >
>> > > And here I think will come in Jan's bigger question - do we really want
>> > all
>> > > podling committers to be able to commit to all other podlings?
>> > >
>> >
>> > My question is: What problem are you trying to solve? And has it
>> > really proven to be a problem?
>> > I don't think anyone has abused their ability to commit to all
>> > projects, and it's been this way as long as git has been available.
>> >
>>
>> I'm not sure that there will be an issue.  It could just be a couple of
>> IPMC members being a little more cautious that needed.  It's more than
>> likely no one's going to care.
>>
>> To date, we have always told podlings that the initial committers and your
>> mentors are the ones who have write access.  Now we're saying if you're
>> using git, it's any of the 1k + (i might be way off) members of the
>> incubator group.
>>
>> Would it be much harder to create the ldap group up front when the
>> podling's created, and shuffle people in/out at graduation?
>
>
>
> If it ain't broke ...
>
> Is there even a problem?  I haven't ever heard of it.
>
> If there isn't a problem, why are you worried about it?

---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org

Re: Git write access for podlings

[Branko Čibej <br...@apache.org>]

On 02.01.2015 11:36, Stian Soiland-Reyes wrote:
> Apache Commons has already given write access to *all* ASF committers

So did Subversion, quite a while ago.

If you get rogue commits from someone, the solution is not extra tooling
but community management. Even more so in the case of the Incubator,
where access is restricted to IPMC members and podling committers — all
of whom should be well aware that you can't just go messing in some code
without checking with the project community first.

Understanding the concept of "community over code" and how to
collaborate is a requirement for new committers and triply so for IPMC
members.

-- Brane


---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org

Re: Git write access for podlings

[David Nalley <da...@gnsa.us>]

On Fri, Jan 2, 2015 at 11:52 AM, Andy Seaborne <an...@apache.org> wrote:
> On 02/01/15 16:40, David Nalley wrote:
>>
>> On Fri, Jan 2, 2015 at 5:36 AM, Stian Soiland-Reyes <st...@apache.org>
>> wrote:
>>>
>>> Git allows you to commit as "whoever you want" - e.g. like in SMTP
>>> email, the headers are decided by the sender. SVN on the other hand
>>> will show the authenticated user in the commit log. So - speaking as a
>>> former sysadmin - it sounds a bit daring to let anyone new to Apache
>>> from a fresh Incubator proposal to also get instant write access to
>>> all Incubator projects, including those that are just about to
>>> graduate.
>>
>>
>>
>>  From a git commit log perspective, this is true, but we also retain
>> push records that show us the user authenticated as, as well as the IP
>> Address they are pushing commits from. In example:
>> https://git-wip-us.apache.org/logs/asf/incubator-nifi.git
>
>
> I looked at Jena's log and until Dec 2 this year, the IP address was always
>
> @http.192.168.0.58
>
> and since 2014-12-03 there are likely looking true IP addresses but of the
> NAT gateway used.
>

Indeed - originally git-wip-us was directly exposed to the internet.
That changed a couple of years back and we had a SSL terminator host
(which had the internal address of 192.168.0.58, because we failed to
enable the forwarded IP address.) That's since been dealt with, but
history is what it is. The generally, more useful item is that someone
authenticated (successfully) as $user and pushed a commit.

--David

---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org

Re: Git write access for podlings

[Andy Seaborne <an...@apache.org>]

On 02/01/15 16:40, David Nalley wrote:
> On Fri, Jan 2, 2015 at 5:36 AM, Stian Soiland-Reyes <st...@apache.org> wrote:
>> Git allows you to commit as "whoever you want" - e.g. like in SMTP
>> email, the headers are decided by the sender. SVN on the other hand
>> will show the authenticated user in the commit log. So - speaking as a
>> former sysadmin - it sounds a bit daring to let anyone new to Apache
>> from a fresh Incubator proposal to also get instant write access to
>> all Incubator projects, including those that are just about to
>> graduate.
>
>
>  From a git commit log perspective, this is true, but we also retain
> push records that show us the user authenticated as, as well as the IP
> Address they are pushing commits from. In example:
> https://git-wip-us.apache.org/logs/asf/incubator-nifi.git

I looked at Jena's log and until Dec 2 this year, the IP address was always

@http.192.168.0.58

and since 2014-12-03 there are likely looking true IP addresses but of 
the NAT gateway used.

	Andy


>
>
>
>>
>> That said - assuming there has not been any reported abuse of this
>> global write access - then it is a very good sign of all the new
>> committers being responsible people - or perhaps they just didn't know
>> they had that write access to begin with :). It's a trust-thing - I
>> remember when I started my first proper sysadmin job, and on day one
>> received the root passwords for systems running web and email for
>> 30.000 students. "Don't mess it up" was implicit.
>>
>> Apache Commons has already given write access to *all* ASF committers
>> [1] - which would presumably include any incubator committers.  If
>> it's good enough for for Commons, it should be good enough for
>> Incubator. Part of moving to Apache is also to trust all your
>> committers.
>>
>> [1] https://mail-archives.apache.org/mod_mbox/commons-dev/201412.mbox/%3CCAB917RJy57Z-4PnwThvR9tUq7Y3td8USG8jCmhVDThALwhoBHg@mail.gmail.com%3E
>>
>>
>> Even with the danger of introducing a bigger temptation by explicitly
>> documenting the incubator-wide write policy - I would still +1 to
>> document this so you are aware and don't accidentally push back (as
>> git workflow is to commit locally and it is a bit easy to accidentally
>> do "git push") - with a clause that this does not mean you have
>> formally become a committer on the other incubator projects.
>>
>>
>> I would propose to also improve documentation at
>>
>> http://wiki.apache.org/general/GitAtApache
>> http://www.apache.org/dev/git.html
>> http://www.apache.org/dev/writable-git
>>
>> so it does not give impression you have to use SVN-with-git-mriroring
>> or that writeable GIT is "experimental". I don't know enough about the
>> particular setup at git.apache.org yet to do it myself.
>
>
> <sigh> I thought we had removed all of the experimental labels.
> Thanks for finding these.
>
> --David
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
> For additional commands, e-mail: general-help@incubator.apache.org
>


---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org

Re: Git write access for podlings

[David Nalley <da...@gnsa.us>]

On Fri, Jan 2, 2015 at 5:36 AM, Stian Soiland-Reyes <st...@apache.org> wrote:
> Git allows you to commit as "whoever you want" - e.g. like in SMTP
> email, the headers are decided by the sender. SVN on the other hand
> will show the authenticated user in the commit log. So - speaking as a
> former sysadmin - it sounds a bit daring to let anyone new to Apache
> from a fresh Incubator proposal to also get instant write access to
> all Incubator projects, including those that are just about to
> graduate.


>From a git commit log perspective, this is true, but we also retain
push records that show us the user authenticated as, as well as the IP
Address they are pushing commits from. In example:
https://git-wip-us.apache.org/logs/asf/incubator-nifi.git



>
> That said - assuming there has not been any reported abuse of this
> global write access - then it is a very good sign of all the new
> committers being responsible people - or perhaps they just didn't know
> they had that write access to begin with :). It's a trust-thing - I
> remember when I started my first proper sysadmin job, and on day one
> received the root passwords for systems running web and email for
> 30.000 students. "Don't mess it up" was implicit.
>
> Apache Commons has already given write access to *all* ASF committers
> [1] - which would presumably include any incubator committers.  If
> it's good enough for for Commons, it should be good enough for
> Incubator. Part of moving to Apache is also to trust all your
> committers.
>
> [1] https://mail-archives.apache.org/mod_mbox/commons-dev/201412.mbox/%3CCAB917RJy57Z-4PnwThvR9tUq7Y3td8USG8jCmhVDThALwhoBHg@mail.gmail.com%3E
>
>
> Even with the danger of introducing a bigger temptation by explicitly
> documenting the incubator-wide write policy - I would still +1 to
> document this so you are aware and don't accidentally push back (as
> git workflow is to commit locally and it is a bit easy to accidentally
> do "git push") - with a clause that this does not mean you have
> formally become a committer on the other incubator projects.
>
>
> I would propose to also improve documentation at
>
> http://wiki.apache.org/general/GitAtApache
> http://www.apache.org/dev/git.html
> http://www.apache.org/dev/writable-git
>
> so it does not give impression you have to use SVN-with-git-mriroring
> or that writeable GIT is "experimental". I don't know enough about the
> particular setup at git.apache.org yet to do it myself.


<sigh> I thought we had removed all of the experimental labels.
Thanks for finding these.

--David

---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org

Re: Git write access for podlings

[Stian Soiland-Reyes <st...@apache.org>]

Git allows you to commit as "whoever you want" - e.g. like in SMTP
email, the headers are decided by the sender. SVN on the other hand
will show the authenticated user in the commit log. So - speaking as a
former sysadmin - it sounds a bit daring to let anyone new to Apache
from a fresh Incubator proposal to also get instant write access to
all Incubator projects, including those that are just about to
graduate.

That said - assuming there has not been any reported abuse of this
global write access - then it is a very good sign of all the new
committers being responsible people - or perhaps they just didn't know
they had that write access to begin with :). It's a trust-thing - I
remember when I started my first proper sysadmin job, and on day one
received the root passwords for systems running web and email for
30.000 students. "Don't mess it up" was implicit.

Apache Commons has already given write access to *all* ASF committers
[1] - which would presumably include any incubator committers.  If
it's good enough for for Commons, it should be good enough for
Incubator. Part of moving to Apache is also to trust all your
committers.

[1] https://mail-archives.apache.org/mod_mbox/commons-dev/201412.mbox/%3CCAB917RJy57Z-4PnwThvR9tUq7Y3td8USG8jCmhVDThALwhoBHg@mail.gmail.com%3E


Even with the danger of introducing a bigger temptation by explicitly
documenting the incubator-wide write policy - I would still +1 to
document this so you are aware and don't accidentally push back (as
git workflow is to commit locally and it is a bit easy to accidentally
do "git push") - with a clause that this does not mean you have
formally become a committer on the other incubator projects.


I would propose to also improve documentation at

http://wiki.apache.org/general/GitAtApache
http://www.apache.org/dev/git.html
http://www.apache.org/dev/writable-git

so it does not give impression you have to use SVN-with-git-mriroring
or that writeable GIT is "experimental". I don't know enough about the
particular setup at git.apache.org yet to do it myself.

On 31 December 2014 at 14:56, Ted Dunning <te...@gmail.com> wrote:
> On Wed, Dec 31, 2014 at 12:27 PM, John D. Ament <jo...@apache.org>
> wrote:
>
>> On Wed Dec 31 2014 at 2:45:48 PM David Nalley <da...@gnsa.us> wrote:
>>
>> > On Wed, Dec 31, 2014 at 2:40 PM, John D. Ament <jo...@apache.org>
>> > wrote:
>> > > On Wed Dec 31 2014 at 2:24:36 PM David Nalley <da...@gnsa.us> wrote:
>> > >
>> > >> On Wed, Dec 31, 2014 at 11:59 AM, John D. Ament <
>> johndament@apache.org>
>> > >> wrote:
>> > >> > Hi,
>> > >> >
>> > >> > So something Jan and I ran into on the infra list, does anyone know
>> > >> > definitively what the access rights given to a podling's git repo
>> > are, if
>> > >> > they request one (instead of a svn directory)?
>> > >> >
>> > >> > If nothing else we should document it somewhere on the incubator
>> site
>> > >> > indicating the permission sets for both svn and git.  My current
>> > >> > understanding is that svn sites are typically incubator wide, svn
>> > repos
>> > >> are
>> > >> > confined to a specific list, and git repos are incubator wide.  The
>> > git
>> > >> one
>> > >> > in particular because we don't create ldap groups for podlings and
>> > I've
>> > >> > heard that we only do groups in git (not individual lists).
>> > >> >
>> > >>
>> > >> git is tied to LDAP, and all podling repos are writable by anyone in
>> > >> the incubator LDAP group. (there are no podling LDAP groups)
>> > >>
>> > >
>> > > Got it thanks.  I'll update the docs to reflect this as the permission
>> > > scheme.
>> > >
>> > > And here I think will come in Jan's bigger question - do we really want
>> > all
>> > > podling committers to be able to commit to all other podlings?
>> > >
>> >
>> > My question is: What problem are you trying to solve? And has it
>> > really proven to be a problem?
>> > I don't think anyone has abused their ability to commit to all
>> > projects, and it's been this way as long as git has been available.
>> >
>>
>> I'm not sure that there will be an issue.  It could just be a couple of
>> IPMC members being a little more cautious that needed.  It's more than
>> likely no one's going to care.
>>
>> To date, we have always told podlings that the initial committers and your
>> mentors are the ones who have write access.  Now we're saying if you're
>> using git, it's any of the 1k + (i might be way off) members of the
>> incubator group.
>>
>> Would it be much harder to create the ldap group up front when the
>> podling's created, and shuffle people in/out at graduation?
>
>
>
> If it ain't broke ...
>
> Is there even a problem?  I haven't ever heard of it.
>
> If there isn't a problem, why are you worried about it?



-- 
Stian Soiland-Reyes
Apache Taverna (incubating)
http://orcid.org/0000-0001-9842-9718

---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org

Re: Git write access for podlings

[Ted Dunning <te...@gmail.com>]

On Wed, Dec 31, 2014 at 12:27 PM, John D. Ament <jo...@apache.org>
wrote:

> On Wed Dec 31 2014 at 2:45:48 PM David Nalley <da...@gnsa.us> wrote:
>
> > On Wed, Dec 31, 2014 at 2:40 PM, John D. Ament <jo...@apache.org>
> > wrote:
> > > On Wed Dec 31 2014 at 2:24:36 PM David Nalley <da...@gnsa.us> wrote:
> > >
> > >> On Wed, Dec 31, 2014 at 11:59 AM, John D. Ament <
> johndament@apache.org>
> > >> wrote:
> > >> > Hi,
> > >> >
> > >> > So something Jan and I ran into on the infra list, does anyone know
> > >> > definitively what the access rights given to a podling's git repo
> > are, if
> > >> > they request one (instead of a svn directory)?
> > >> >
> > >> > If nothing else we should document it somewhere on the incubator
> site
> > >> > indicating the permission sets for both svn and git.  My current
> > >> > understanding is that svn sites are typically incubator wide, svn
> > repos
> > >> are
> > >> > confined to a specific list, and git repos are incubator wide.  The
> > git
> > >> one
> > >> > in particular because we don't create ldap groups for podlings and
> > I've
> > >> > heard that we only do groups in git (not individual lists).
> > >> >
> > >>
> > >> git is tied to LDAP, and all podling repos are writable by anyone in
> > >> the incubator LDAP group. (there are no podling LDAP groups)
> > >>
> > >
> > > Got it thanks.  I'll update the docs to reflect this as the permission
> > > scheme.
> > >
> > > And here I think will come in Jan's bigger question - do we really want
> > all
> > > podling committers to be able to commit to all other podlings?
> > >
> >
> > My question is: What problem are you trying to solve? And has it
> > really proven to be a problem?
> > I don't think anyone has abused their ability to commit to all
> > projects, and it's been this way as long as git has been available.
> >
>
> I'm not sure that there will be an issue.  It could just be a couple of
> IPMC members being a little more cautious that needed.  It's more than
> likely no one's going to care.
>
> To date, we have always told podlings that the initial committers and your
> mentors are the ones who have write access.  Now we're saying if you're
> using git, it's any of the 1k + (i might be way off) members of the
> incubator group.
>
> Would it be much harder to create the ldap group up front when the
> podling's created, and shuffle people in/out at graduation?



If it ain't broke ...

Is there even a problem?  I haven't ever heard of it.

If there isn't a problem, why are you worried about it?

Re: Git write access for podlings

["John D. Ament" <jo...@apache.org>]

On Wed Dec 31 2014 at 2:45:48 PM David Nalley <da...@gnsa.us> wrote:

> On Wed, Dec 31, 2014 at 2:40 PM, John D. Ament <jo...@apache.org>
> wrote:
> > On Wed Dec 31 2014 at 2:24:36 PM David Nalley <da...@gnsa.us> wrote:
> >
> >> On Wed, Dec 31, 2014 at 11:59 AM, John D. Ament <jo...@apache.org>
> >> wrote:
> >> > Hi,
> >> >
> >> > So something Jan and I ran into on the infra list, does anyone know
> >> > definitively what the access rights given to a podling's git repo
> are, if
> >> > they request one (instead of a svn directory)?
> >> >
> >> > If nothing else we should document it somewhere on the incubator site
> >> > indicating the permission sets for both svn and git.  My current
> >> > understanding is that svn sites are typically incubator wide, svn
> repos
> >> are
> >> > confined to a specific list, and git repos are incubator wide.  The
> git
> >> one
> >> > in particular because we don't create ldap groups for podlings and
> I've
> >> > heard that we only do groups in git (not individual lists).
> >> >
> >>
> >> git is tied to LDAP, and all podling repos are writable by anyone in
> >> the incubator LDAP group. (there are no podling LDAP groups)
> >>
> >
> > Got it thanks.  I'll update the docs to reflect this as the permission
> > scheme.
> >
> > And here I think will come in Jan's bigger question - do we really want
> all
> > podling committers to be able to commit to all other podlings?
> >
>
> My question is: What problem are you trying to solve? And has it
> really proven to be a problem?
> I don't think anyone has abused their ability to commit to all
> projects, and it's been this way as long as git has been available.
>

I'm not sure that there will be an issue.  It could just be a couple of
IPMC members being a little more cautious that needed.  It's more than
likely no one's going to care.

To date, we have always told podlings that the initial committers and your
mentors are the ones who have write access.  Now we're saying if you're
using git, it's any of the 1k + (i might be way off) members of the
incubator group.

Would it be much harder to create the ldap group up front when the
podling's created, and shuffle people in/out at graduation?

John


>
> --David
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
> For additional commands, e-mail: general-help@incubator.apache.org
>
>

RE: Git write access for podlings

["Dennis E. Hamilton" <de...@acm.org>]

+1

-----Original Message-----
From: David Nalley [mailto:david@gnsa.us] 
Sent: Wednesday, December 31, 2014 11:44
To: general@incubator.apache.org
Subject: Re: Git write access for podlings

[ ... ]
>> git is tied to LDAP, and all podling repos are writable by anyone in
>> the incubator LDAP group. (there are no podling LDAP groups)
>>
>
> Got it thanks.  I'll update the docs to reflect this as the permission
> scheme.
>
> And here I think will come in Jan's bigger question - do we really want all
> podling committers to be able to commit to all other podlings?
>

My question is: What problem are you trying to solve? And has it
really proven to be a problem?
I don't think anyone has abused their ability to commit to all
projects, and it's been this way as long as git has been available.

--David

---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org

Re: Git write access for podlings

[David Nalley <da...@gnsa.us>]

On Wed, Dec 31, 2014 at 2:40 PM, John D. Ament <jo...@apache.org> wrote:
> On Wed Dec 31 2014 at 2:24:36 PM David Nalley <da...@gnsa.us> wrote:
>
>> On Wed, Dec 31, 2014 at 11:59 AM, John D. Ament <jo...@apache.org>
>> wrote:
>> > Hi,
>> >
>> > So something Jan and I ran into on the infra list, does anyone know
>> > definitively what the access rights given to a podling's git repo are, if
>> > they request one (instead of a svn directory)?
>> >
>> > If nothing else we should document it somewhere on the incubator site
>> > indicating the permission sets for both svn and git.  My current
>> > understanding is that svn sites are typically incubator wide, svn repos
>> are
>> > confined to a specific list, and git repos are incubator wide.  The git
>> one
>> > in particular because we don't create ldap groups for podlings and I've
>> > heard that we only do groups in git (not individual lists).
>> >
>>
>> git is tied to LDAP, and all podling repos are writable by anyone in
>> the incubator LDAP group. (there are no podling LDAP groups)
>>
>
> Got it thanks.  I'll update the docs to reflect this as the permission
> scheme.
>
> And here I think will come in Jan's bigger question - do we really want all
> podling committers to be able to commit to all other podlings?
>

My question is: What problem are you trying to solve? And has it
really proven to be a problem?
I don't think anyone has abused their ability to commit to all
projects, and it's been this way as long as git has been available.

--David

---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org

Re: Git write access for podlings

["John D. Ament" <jo...@apache.org>]

On Wed Dec 31 2014 at 2:24:36 PM David Nalley <da...@gnsa.us> wrote:

> On Wed, Dec 31, 2014 at 11:59 AM, John D. Ament <jo...@apache.org>
> wrote:
> > Hi,
> >
> > So something Jan and I ran into on the infra list, does anyone know
> > definitively what the access rights given to a podling's git repo are, if
> > they request one (instead of a svn directory)?
> >
> > If nothing else we should document it somewhere on the incubator site
> > indicating the permission sets for both svn and git.  My current
> > understanding is that svn sites are typically incubator wide, svn repos
> are
> > confined to a specific list, and git repos are incubator wide.  The git
> one
> > in particular because we don't create ldap groups for podlings and I've
> > heard that we only do groups in git (not individual lists).
> >
>
> git is tied to LDAP, and all podling repos are writable by anyone in
> the incubator LDAP group. (there are no podling LDAP groups)
>

Got it thanks.  I'll update the docs to reflect this as the permission
scheme.

And here I think will come in Jan's bigger question - do we really want all
podling committers to be able to commit to all other podlings?


>
> svn is far more fine grained. By default (I think) if you don't create
> a podling group, anything under the Incubator's tree in SVN is
> writable by any member of the incubator. But you can certainly create
> a group and make it more restrictive.
>
> --David
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
> For additional commands, e-mail: general-help@incubator.apache.org
>
>

Re: Git write access for podlings

[David Nalley <da...@gnsa.us>]

On Wed, Dec 31, 2014 at 11:59 AM, John D. Ament <jo...@apache.org> wrote:
> Hi,
>
> So something Jan and I ran into on the infra list, does anyone know
> definitively what the access rights given to a podling's git repo are, if
> they request one (instead of a svn directory)?
>
> If nothing else we should document it somewhere on the incubator site
> indicating the permission sets for both svn and git.  My current
> understanding is that svn sites are typically incubator wide, svn repos are
> confined to a specific list, and git repos are incubator wide.  The git one
> in particular because we don't create ldap groups for podlings and I've
> heard that we only do groups in git (not individual lists).
>

git is tied to LDAP, and all podling repos are writable by anyone in
the incubator LDAP group. (there are no podling LDAP groups)

svn is far more fine grained. By default (I think) if you don't create
a podling group, anything under the Incubator's tree in SVN is
writable by any member of the incubator. But you can certainly create
a group and make it more restrictive.

--David

---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org

Re: Git write access for podlings

[jan i <ja...@apache.org>]

On 31 December 2014 at 17:59, John D. Ament <jo...@apache.org> wrote:

> Hi,
>
> So something Jan and I ran into on the infra list, does anyone know
> definitively what the access rights given to a podling's git repo are, if
> they request one (instead of a svn directory)?
>
> If nothing else we should document it somewhere on the incubator site
> indicating the permission sets for both svn and git.  My current
> understanding is that svn sites are typically incubator wide, svn repos are
> confined to a specific list, and git repos are incubator wide.  The git one
> in particular because we don't create ldap groups for podlings and I've
> heard that we only do groups in git (not individual lists).
>

thanks john for moving this into a general discussion. Your description is
correct.

My view is that SVN sites should be incubator wide, but GIT and SVN podling
repos should NOT be incubator wide.

However I say this without knowing the technical implications so it is my
hope that people like jfarrell will chime in.

rgds
jan i.


>
> John
>