[Spread-users] CVS access to Spread

Jon Stevens jon at latchkey.com
Thu Aug 23 00:56:40 EDT 2001 

on 8/22/01 6:59 PM, "Theo E. Schlossnagle" <jesus at omniti.com> wrote:

> Jon Stevens wrote:
>> Nope. However, I will assert that truly successful OSS projects with lots of
>> committers do have anonymous CVS access.
> 
> Agreed.  But, until the committing base for Spread grows, I think we can
> safely separate "successful" and "lots of committers" as being unrelated.  As
> the project grow, policies can change.

Agreed.

> With something like Spread you have a situation like postgres.  Many of the
> pieces are _very very_ complicated and need to be reviewed by an "expert in
> the field" to assure they don't break gauranteed semantics.  So, the
> maintainer must play a deep and involved roll on patch approval.

That is why I'm surprised that Michal sent out an email saying that anyone
who wants commit access can just send him an email and they would get it.

> Apache is very different.  The Apache software "product" is much much larger.
> It has many components in the same CVS.  Like APR: not too many people touch
> that other than Ryan.  I would think that having a large number of committers
> could/would jeopardize the integrity of Spread's operation.

I agree. I'm not suggesting that commit access be given out at all. I'm
simply suggesting that someone honor the request (weeks ago) that anon
access be given.

> It eliminates the use of pserver.  So you have less services to worry about on
> your system.  If there is an exploit against the pserver code it will not
> effect overall system security.  Basically, just to reduce the number of
> things the system administrator must maintain.
>
> It also provides a more "user transparent" mechanism of running different
> remote cvs roots of the same machine (on different ports).

I guess that I subscribe to the "if the ASF does it, everyone else can as
well". I personally have been running CVS :pserver: on highly visible
machines for 5 years. No problems yet.

Red herrings are a waste of time.
 
>> Simple solution (that the ASF employees):
>> Contributions are required to be under the ASF License (in your case,
>> Spread's License) and copyright to the ASF (in your case, the same copyright
>> that Spread is under).
>> I just saw the other message from Yair confirming this...
> 
> My only point was that this was not formally dictate anywhere.  Now that it
> is, there problem is solved :-)

Right...we need to drive more solutions to the existing problems...

If people don't speak up about what they want, then how will they know what
they need to provide?

> The forking comment -- mothing more, nothing less :-)  Perhaps I
> misinterpreted.  I would not generally consider such a comment productive for
> a project that has _just_ opened its doors.  It wouldn't imagine it would give
> the maintainers a warm fuzzy feeling, at least it didn't give me one.

It was a sarcastic joke. Clearly my humor is not conveyed well.

-jon

More information about the Spread-users mailing list