Pull requests can change while being reviewed. This makes it impossible to ensure that the code being merged is the same code that has been reviewed and discussed, which compromises integrity of the codebase.
If only Git had some sort of cryptographically secure token that would uniquely identify commits, and make tampering evident.
GitHub pull requests are tracked by a base and a head commit. Usually, base is master, and head is some feature branch. This allows the pull request on GitHub to pull in new changes to the commit as a discussion forms around it.
So in that sense, he is correct. There's no way to ensure that clicking the merge button is indeed merging what I think it's merging. Now that I type that, we could easily just include the latest SHA in the form and check that. Problem solved!
Alternatives to this are:
* Merge manually from the command line. This is typically what we do at GitHub.
* Request that people file pull requests with a SHA as the pull request head. This makes it impossible to update the pull request with future commits.
* Don't use pull requests.
Specifying the latest SHA as part of the merge would solve the trust problem. As other people have mentioned, allowing a final "review and fixup this patch" step before merging would also be useful for some workflows; this is what happens when you merge on the command line.
That leaves another major problem for us (the XS developers) which is that we actively encourage all development discussion and code review to be done on the mailing list where everyone involved sees it.
With GH pull requests this discussion gets fragmented into separate threads on the various pull requests.
Further, in my workflow, pulling in new changes to be committed into a pull request makes that pull request a new (version of) the original. See for example how Linux patches are discussed; you post an initial version, it gets discussed, you rework it, post a v2, and so on. At each point in time it is clear what exactly is being discussed.
Personally I have some other philosophical issues with GH that might be fun to discuss, get in touch by email if you're interested.
So GitHub pull requests point to the current head of a branch and not a specific commit? Tying a pull request to a specific commit (implicitly, not necessarily with new UI) seems like it would solve the problem.
That was my intention, I almost always merge from the command line, except for tiny & trivial pull requests, like documentation. Its hard to run the tests through the Github web UI.
For anyone that still cares, this has been tweaked. If you attempt to merge a pull request that has changed since you loaded the page, it'll require you to re-review the pull request.
The contribution and trademark policies of the ZeroMQ project were, as of March 2012, incompatible with our long-term goals.
Who is behind the fork?
The main work on the fork was done by two of the original developers of ZeroMQ, Martin Sustrik and Martin Lucina, with help and advice from other members of the ZeroMQ community.'''
As I understand it (as a regular on the ZeroMQ and Crossroads mailing lists), the reasons are as follows:
1) Trademark issues - the original developers of ZMQ have been prohibited from using the ZeroMQ trademark and, thus, from making official releases.
2) The new ZeroMQ contribution policy[1], in which pull requests are merged without review and then later reverted/enhanced if necessary, is seen as incompatible with the goals of some of the lead developers. These developers prefer a more rigorous review policy.
There are more reasons, but from what I can tell, those are the main ones that haven't fully been covered here.
"To grow such an ecosystem the project must be fully vendor neutral, and implement a liberal (e.g. Linux-style) trademark policy allowing use of the trademark for third party distributions of the software, as well as for plug-ins and extensions."
I'd say “personal differences” (regardless of the deal about trademarks and code review), but it still surprises me; I thought the zmq developers were a tight-knit bunch. Maybe the drama manifests itself in more extreme ways because they know each other so well, but it does seem dysfunctional.
I agree with you. When you fork a project, there better be a good reason. And when there is a good reason, there's no reason to be vague in the explanation. (and I can't think of a vaguer explanation than what they write)
Giving an example of a problem solved by the fork would help, though I'm not sure a solid example of a goal not possible within 0mq can be found based on the project goals.
That can't be it, as 0mq is also LGPL. From the footer of zeromq.org:
ØMQ is free software licensed under the LGPL
And in every source file:
0MQ is free software; you can redistribute it and/or modify it under
the terms of the GNU Lesser General Public License as published by
the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
As I have some investment in the 0mq ecosystem, it would be nice to know what this means in the long run for that project.
Not exactly. The zmq library is already LGPL. It's the plugins and examples that are GPL. That might be a potential reason crossroads I/O was created -- to start an ecosystem of plugins that are LGPL too.
from reading the email thread it appears this is the main issue:
zeromq is looser about what ends up in master. They view master as sort of a global staging area, and what ends up in release branches is viewed as stable/vetted code. As a result, master can be quite unstable.
The people that forked wanted a more stable master, with lots of code reviews before patches end up in master.
The real question for me, since I very recently brought 0MQ into my project: should I stay with that or switch to Crossroads? I don't want to get stuck on the lagging branch.
Can someone please elaborate ? I very recently started an investigation (proof of concept) into zeromq for my team. What are the long term implications ?
Why do you not accept pull requests?
Pull requests can change while being reviewed. This makes it impossible to ensure that the code being merged is the same code that has been reviewed and discussed, which compromises integrity of the codebase.
If only Git had some sort of cryptographically secure token that would uniquely identify commits, and make tampering evident.