Re: Gerrit prevents upstreaming patches from others

Hi Paul,

On Mon, Feb 6, 2017 at 11:08 AM, Paul Menzel
<pmenzel+libreoffice@molgen.mpg.de> wrote:
> On 02/06/17 10:55, Christian Lohmaier wrote:
> > On Thu, Feb 2, 2017 at 1:05 PM, Paul Menzel wrote:
> >
> > It is to prevent people from impersonating somebody else.
> >
> > Think about someone trying your email to introduce a backdoor ...
>
> In my opinion that’s highly hypothetical.

It is exaggerating to illustrate the point. It doesn't matter what
actual impact that change has.

> And if that happens, it’ll be
> figured out in no time from the Gerrit log, that it wasn’t really the
> impersonated person.

How would you be able to tell?
You might be able to tell that the email address is not matching what
the user has configured. But you cannot tell whether the user he was
claiming to be actually was involved.

Let's say there was no such limitation, and I'd commit something as
"Donald J Trump <potus@whitehouse.gov>" and claim "I talked to him, he
did that patch" - how would you know that'd be the case? And how would
you know he'd be fine with our licencing requirements?
Again exaggerated example.

> The coreboot project doesn’t have these restrictions, and in the past there
> hasn’t been any problems.

So far nobody stole anything from my car, but I still lock it up.

If there were a way to impersonate as somebody else, then checking for
the licence agreements and other stuff just becomes too hard/you'll
run into the problem of deniability.

ciao
Christian