Gerrit prevents upstreaming patches from others

Paul Menzel pmenzel+libreoffice at molgen.mpg.de
Mon Feb 6 11:26:50 UTC 2017


Dear Christian,


On 02/06/17 12:17, Christian Lohmaier wrote:

> On Mon, Feb 6, 2017 at 11:08 AM, Paul Menzel
> <pmenzel+libreoffice at molgen.mpg.de> wrote:
>> On 02/06/17 10:55, Christian Lohmaier wrote:
>>> On Thu, Feb 2, 2017 at 1:05 PM, Paul Menzel wrote:
>>>
>>> It is to prevent people from impersonating somebody else.
>>>
>>> Think about someone trying your email to introduce a backdoor ...
>>
>> In my opinion that’s highly hypothetical.
>
> It is exaggerating to illustrate the point. It doesn't matter what
> actual impact that change has.
>
>> And if that happens, it’ll be
>> figured out in no time from the Gerrit log, that it wasn’t really the
>> impersonated person.
>
> How would you be able to tell?
> You might be able to tell that the email address is not matching what
> the user has configured. But you cannot tell whether the user he was
> claiming to be actually was involved.
>
> Let's say there was no such limitation, and I'd commit something as
> "Donald J Trump <potus at whitehouse.gov>" and claim "I talked to him, he
> did that patch" - how would you know that'd be the case? And how would
> you know he'd be fine with our licencing requirements?
> Again exaggerated example.
>
>> The coreboot project doesn’t have these restrictions, and in the past there
>> haven’t been any problems.
>
> So far nobody stole anything from my car, but I still lock it up.

Sorry, car theft is a reality.

Somebody could shoot me on the street, so I shoot them first? Preventive 
strikes …?

> If there were a way to impersonate as somebody else, then checking for
> the licence agreements and other stuff just becomes too hard/you'll
> run into the problem of deniability.

Sorry, using the email address as verification is fundamentally flawed. 
That’s why GPG exists.

I just register `chris.lohmaier` at any free provider, and send in 
commits for you, without any error from Gerrit.

So, to close my participation in this thread, the current restriction 
makes it hard for people wanting to upstream patches from colleagues.

The LibreOffice people should really think about it again, as from the 
current arguments, the restriction *cannot by design* enforce the policy 
it was made for.


Kind regards,

Paul

