1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
|
Received: from sog-mx-4.v43.ch3.sourceforge.com ([172.29.43.194]
helo=mx.sourceforge.net)
by sfs-ml-2.v29.ch3.sourceforge.com with esmtp (Exim 4.76)
(envelope-from <gubatron@gmail.com>) id 1XKuZG-0006Sx-RS
for bitcoin-development@lists.sourceforge.net;
Fri, 22 Aug 2014 19:32:10 +0000
Received-SPF: pass (sog-mx-4.v43.ch3.sourceforge.com: domain of gmail.com
designates 209.85.216.180 as permitted sender)
client-ip=209.85.216.180; envelope-from=gubatron@gmail.com;
helo=mail-qc0-f180.google.com;
Received: from mail-qc0-f180.google.com ([209.85.216.180])
by sog-mx-4.v43.ch3.sourceforge.com with esmtps (TLSv1:RC4-SHA:128)
(Exim 4.76) id 1XKuZF-0005uN-Gg
for bitcoin-development@lists.sourceforge.net;
Fri, 22 Aug 2014 19:32:10 +0000
Received: by mail-qc0-f180.google.com with SMTP id l6so11200771qcy.25
for <bitcoin-development@lists.sourceforge.net>;
Fri, 22 Aug 2014 12:32:04 -0700 (PDT)
X-Received: by 10.229.65.135 with SMTP id j7mr11090543qci.22.1408735924080;
Fri, 22 Aug 2014 12:32:04 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.140.86.37 with HTTP; Fri, 22 Aug 2014 12:31:43 -0700 (PDT)
In-Reply-To: <2302927.fMx0I5lQth@1337h4x0r>
References: <CAJHLa0NXAYh9HzazN6gArUV8y7J8_G0oqkZqPBgibpW0wRNxKQ@mail.gmail.com>
<2302927.fMx0I5lQth@1337h4x0r>
From: Angel Leon <gubatron@gmail.com>
Date: Fri, 22 Aug 2014 15:31:43 -0400
Message-ID: <CADZB0_ahqNZE93Eb44ba18EteAnF5O5i3dEaAqKeDfbOKZLRDw@mail.gmail.com>
To: xor@freenetproject.org
Content-Type: multipart/alternative; boundary=001a11339d225655ab05013ce4ec
X-Spam-Score: -0.6 (/)
X-Spam-Report: Spam Filtering performed by mx.sourceforge.net.
See http://spamassassin.org/tag/ for more details.
-1.5 SPF_CHECK_PASS SPF reports sender host as permitted sender for
sender-domain
0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider
(gubatron[at]gmail.com)
-0.0 SPF_PASS SPF: sender matches SPF record
1.0 HTML_MESSAGE BODY: HTML included in message
-0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from
author's domain
0.1 DKIM_SIGNED Message has a DKIM or DK signature,
not necessarily valid
-0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
X-Headers-End: 1XKuZF-0005uN-Gg
Cc: Bitcoin Dev <bitcoin-development@lists.sourceforge.net>
Subject: Re: [Bitcoin-development] Reconsidering github
X-BeenThere: bitcoin-development@lists.sourceforge.net
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: <bitcoin-development.lists.sourceforge.net>
List-Unsubscribe: <https://lists.sourceforge.net/lists/listinfo/bitcoin-development>,
<mailto:bitcoin-development-request@lists.sourceforge.net?subject=unsubscribe>
List-Archive: <http://sourceforge.net/mailarchive/forum.php?forum_name=bitcoin-development>
List-Post: <mailto:bitcoin-development@lists.sourceforge.net>
List-Help: <mailto:bitcoin-development-request@lists.sourceforge.net?subject=help>
List-Subscribe: <https://lists.sourceforge.net/lists/listinfo/bitcoin-development>,
<mailto:bitcoin-development-request@lists.sourceforge.net?subject=subscribe>
X-List-Received-Date: Fri, 22 Aug 2014 19:32:11 -0000
--001a11339d225655ab05013ce4ec
Content-Type: text/plain; charset=UTF-8
+1000. Don't fix it if it ain't broken. Don't kill community support. I for
instance wouldn't have contributed or forked if the project hadn't been on
github.
"Bitcoin has currently 4132 forks on Github. This means that you can get
contributions by pull requests from 4132 developers. That is a HUGE amount,
and you shouldn't ditch that due to not using all features of git :)
To get a grasp of how much that is: When you search projects with more than
4100 forks, there are only 32 of them!
You are one of the top open source projects, and you should be grateful for
that and keep Github up so the other people can send you pull requests with
their improvements :) Volunteer contributions need to be honored and made as
easy as possible, for people are investing their personal time.
Greetings and thanks for your work,
xor, one developer of https://freenetproject.org"
http://twitter.com/gubatron
On Fri, Aug 22, 2014 at 3:20 PM, xor <xor@freenetproject.org> wrote:
> On Tuesday, August 19, 2014 08:02:37 AM Jeff Garzik wrote:
> > It would be nice if the issues and git repo for Bitcoin Core were not
> > on such a centralized service as github, nice and convenient as it is.
>
> Assuming there is a problem with that usually is caused by using Git the
> wrong
> way or not knowing its capabilities. Nobody can modify / insert a commit
> before a GnuPG signed commit / tag without breaking the signature.
> More detail at the bottom at [1], I am sparing you this here because I
> suspect
> you already know it and there is something more important I want to stress:
>
> Bitcoin has currently 4132 forks on Github. This means that you can get
> contributions by pull requests from 4132 developers. That is a HUGE amount,
> and you shouldn't ditch that due to not using all features of git :)
> To get a grasp of how much that is: When you search projects with more than
> 4100 forks, there are only 32 of them!
> You are one of the top open source projects, and you should be grateful for
> that and keep Github up so the other people can send you pull requests with
> their improvements :) Volunteer contributions need to be honored and made
> as
> easy as possible, for people are investing their personal time.
>
> Greetings and thanks for your work,
> xor, one developer of https://freenetproject.org
>
>
> [1] If you GPG-sign a commit / tag, you sign its hash, including the hash
> of
> the previous commit. So is a chain of hashes and thus of trust from all
> commits up to what is signed. It's pretty similar to the blockchain
> actually
> :)
> So Github cannot modify anything. If they did, the head of the hash-chain
> would change, and thus the signature would break. Git would notify people
> about that when they pull.
> Of course people can still ignore that warning and let Github rewrite their
> Git history. But people who aren't educated about this shouldn't be release
> managers. They should not even have push access to your main repository,
> they
> should only be sending pull requests. Thats is where the decentralization
> of
> Git is: In the pull-requests. The people who deal with them should verify
> tag
> and possibly even commit signatures carefully, and not accept anything
> which
> is not signed. Also, before deploying a binary, the very same commit which
> is
> going to become a binary has to be given a signed tag by the release
> manager,
> and by everyone who reviews the code. The person who deploys the actual
> binary
> needs to verify that signature.
> There is an article which elaborates on some of the ways you have to ensure
> Github doesn't insert malicious code - but please read it with care, some
> of
> its recommendations are bad, especially the part where its about rebasing
> because that DOES rewrite history which is what you want to prevent:
> http://mikegerwitz.com/papers/git-horror-story
>
>
>
>
> ------------------------------------------------------------------------------
> Slashdot TV.
> Video for Nerds. Stuff that matters.
> http://tv.slashdot.org/
> _______________________________________________
> Bitcoin-development mailing list
> Bitcoin-development@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/bitcoin-development
>
>
--001a11339d225655ab05013ce4ec
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
<div dir=3D"ltr">+1000. Don't fix it if it ain't broken. Don't =
kill community support. I for instance wouldn't have contributed or for=
ked if the project hadn't been on github.<br><br>"<span style=3D"f=
ont-family:arial,sans-serif;font-size:13px">Bitcoin has currently 4132 fork=
s on Github. This means that you can get</span><br style=3D"font-family:ari=
al,sans-serif;font-size:13px">
<span style=3D"font-family:arial,sans-serif;font-size:13px">contributions b=
y pull requests from 4132 developers. That is a HUGE amount,</span><br styl=
e=3D"font-family:arial,sans-serif;font-size:13px"><span style=3D"font-famil=
y:arial,sans-serif;font-size:13px">and you shouldn't ditch that due to =
not using all features of git :)</span><br style=3D"font-family:arial,sans-=
serif;font-size:13px">
<span style=3D"font-family:arial,sans-serif;font-size:13px">To get a grasp =
of how much that is: When you search projects with more than</span><br styl=
e=3D"font-family:arial,sans-serif;font-size:13px"><span style=3D"font-famil=
y:arial,sans-serif;font-size:13px">4100 forks, there are only 32 of them!</=
span><br style=3D"font-family:arial,sans-serif;font-size:13px">
<span style=3D"font-family:arial,sans-serif;font-size:13px">You are one of =
the top open source projects, and you should be grateful for</span><br styl=
e=3D"font-family:arial,sans-serif;font-size:13px"><span style=3D"font-famil=
y:arial,sans-serif;font-size:13px">that and keep Github up so the other peo=
ple can send you pull requests with</span><br style=3D"font-family:arial,sa=
ns-serif;font-size:13px">
<span style=3D"font-family:arial,sans-serif;font-size:13px">their improveme=
nts :) Volunteer contributions need to be honored and made as</span><br sty=
le=3D"font-family:arial,sans-serif;font-size:13px"><span style=3D"font-fami=
ly:arial,sans-serif;font-size:13px">easy as possible, for people are invest=
ing their personal time.</span><br style=3D"font-family:arial,sans-serif;fo=
nt-size:13px">
<br style=3D"font-family:arial,sans-serif;font-size:13px"><span style=3D"fo=
nt-family:arial,sans-serif;font-size:13px">Greetings and thanks for your wo=
rk,</span><br style=3D"font-family:arial,sans-serif;font-size:13px"><span s=
tyle=3D"font-family:arial,sans-serif;font-size:13px">=C2=A0 =C2=A0 =C2=A0 =
=C2=A0 xor, one developer of=C2=A0</span><a href=3D"https://freenetproject.=
org/" target=3D"_blank" style=3D"font-family:arial,sans-serif;font-size:13p=
x">https://freenetproject.org</a>"</div>
<div class=3D"gmail_extra"><br clear=3D"all"><div><a href=3D"http://twitter=
.com/gubatron" target=3D"_blank">http://twitter.com/gubatron</a><br></div>
<br><br><div class=3D"gmail_quote">On Fri, Aug 22, 2014 at 3:20 PM, xor <sp=
an dir=3D"ltr"><<a href=3D"mailto:xor@freenetproject.org" target=3D"_bla=
nk">xor@freenetproject.org</a>></span> wrote:<br><blockquote class=3D"gm=
ail_quote" style=3D"margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-le=
ft:1ex">
<div class=3D"">On Tuesday, August 19, 2014 08:02:37 AM Jeff Garzik wrote:<=
br>
> It would be nice if the issues and git repo for Bitcoin Core were not<=
br>
> on such a centralized service as github, nice and convenient as it is.=
<br>
<br>
</div>Assuming there is a problem with that usually is caused by using Git =
the wrong<br>
way or not knowing its capabilities. Nobody can modify / insert a commit<br=
>
before a GnuPG signed commit / tag without breaking the signature.<br>
More detail at the bottom at [1], I am sparing you this here because I susp=
ect<br>
you already know it and there is something more important I want to stress:=
<br>
<br>
Bitcoin has currently 4132 forks on Github. This means that you can get<br>
contributions by pull requests from 4132 developers. That is a HUGE amount,=
<br>
and you shouldn't ditch that due to not using all features of git :)<br=
>
To get a grasp of how much that is: When you search projects with more than=
<br>
4100 forks, there are only 32 of them!<br>
You are one of the top open source projects, and you should be grateful for=
<br>
that and keep Github up so the other people can send you pull requests with=
<br>
their improvements :) Volunteer contributions need to be honored and made a=
s<br>
easy as possible, for people are investing their personal time.<br>
<br>
Greetings and thanks for your work,<br>
=C2=A0 =C2=A0 =C2=A0 =C2=A0 xor, one developer of <a href=3D"https://freene=
tproject.org" target=3D"_blank">https://freenetproject.org</a><br>
<br>
<br>
[1] If you GPG-sign a commit / tag, you sign its hash, including the hash o=
f<br>
the previous commit. So is a chain of hashes and thus of trust from all<br>
commits up to what is signed. It's pretty similar to the blockchain act=
ually<br>
:)<br>
So Github cannot modify anything. If they did,=C2=A0 the head of the hash-c=
hain<br>
would change, and thus the signature would break. Git would notify people<b=
r>
about that when they pull.<br>
Of course people can still ignore that warning and let Github rewrite their=
<br>
Git history. But people who aren't educated about this shouldn't be=
release<br>
managers. They should not even have push access to your main repository, th=
ey<br>
should only be sending pull requests. Thats is where the decentralization o=
f<br>
Git is: In the pull-requests. The people who deal with them should verify t=
ag<br>
and possibly even commit signatures carefully, and not accept anything whic=
h<br>
is not signed. Also, before deploying a binary, the very same commit which =
is<br>
going to become a binary has to be given a signed tag by the release manage=
r,<br>
and by everyone who reviews the code. The person who deploys the actual bin=
ary<br>
needs to verify that signature.<br>
There is an article which elaborates on some of the ways you have to ensure=
<br>
Github doesn't insert malicious code - but please read it with care, so=
me of<br>
its recommendations are bad, especially the part where its about rebasing<b=
r>
because that DOES rewrite history which is what you want to prevent:<br>
<a href=3D"http://mikegerwitz.com/papers/git-horror-story" target=3D"_blank=
">http://mikegerwitz.com/papers/git-horror-story</a><br>
<br>
<br>
<br>-----------------------------------------------------------------------=
-------<br>
Slashdot TV.<br>
Video for Nerds.=C2=A0 Stuff that matters.<br>
<a href=3D"http://tv.slashdot.org/" target=3D"_blank">http://tv.slashdot.or=
g/</a><br>_______________________________________________<br>
Bitcoin-development mailing list<br>
<a href=3D"mailto:Bitcoin-development@lists.sourceforge.net">Bitcoin-develo=
pment@lists.sourceforge.net</a><br>
<a href=3D"https://lists.sourceforge.net/lists/listinfo/bitcoin-development=
" target=3D"_blank">https://lists.sourceforge.net/lists/listinfo/bitcoin-de=
velopment</a><br>
<br></blockquote></div><br></div>
--001a11339d225655ab05013ce4ec--
|
