Subject: Re: [PHP-DEV] CVS Account Request
From: Sterling Hughes (Sterling.Hughes <email protected>)
Date: 11/15/00

At 11:19 PM 11/15/2000 +0200, Zeev Suraski wrote:
>At 23:08 15/11/2000, Sterling Hughes wrote:
>
>>Also I think we should be a little more careful of who we give cvs access
>>to on the code root. Right now I could probably get a fake e-mail and
>>such from yahoo and obtain a nice ol' cvs account, from which I could
>>then (if I was bad) commit some harmful code, which since it would not be
>>a part of standard/ or main/ would not be given due attention (especially
>>if it was a nice harmful one line bit) and then hurt users who use it.
>
>I can't tell you how happy I am you say that. I was beginning to
>think I was being paranoid, but I think that considering the popularity of
>PHP, someone joining the dev team as a silent 'trojan horse' isn't
>unlikely at all.

I was thinking I was paranoid too, glad to hear it's not only

Then again, I was planning that whole fake cvs thing too (the people at
Pentap can verify it ;), I just got too busy (author review, moving to
Italy, technical reviews, so on and so forth) so I didn't want to open up
that can of worms... Maybe we're both a bit paranoid (and imho that's a
good thing :)

>> Now while one of the reasons many people contribute to PHP is because
>> it is so easy to get involved with the development, really most of the
>> commits are only made by a handful of people (PHP Group and 10-20
>> others, if even). Most of the users could simply send patches. Patches
>> make sure the code is qa'ed, and then, if the patches are approved (by a
>> committer) then they would be committed, after a while if the user is
>> someone who is constantly sending (good) patches he would then obtain a
>> cvs account to commit to the code repository (documentation could be
>> given less security).
>
>
>Sounds interesting, albeit a bit difficult to implement

Not really. Just be selective on who you give cvs access to and everything
else will pretty much fall into place (people realizing woah darn I can't
commit will send a patch)...

Another option is to have a two-person commit system for all code and all
committers, where one person writes the code and then someone trusted, who
volunteers for the job, commits the code for that area of php (thus giving
responsibility to two people, and hopefully, assuring that the code has
been qa'ed).

-Sterling
