[TYPO3-dev] Contribution to community extensions

Jigal van Hemert jigal.van.hemert at typo3.org
Sun Aug 17 20:01:21 CEST 2014 

Hi,

On 17-8-2014 17:38, Xavier Perseguers wrote:
>> - impossible to correct the code in a pull request before merging it
>> (other than by the author of the pull request)
>
> Partially wrong. You can't from the web interface but you can if you
> merge the pull request using command line.

Good to know! Thanks for clearing it up. The fact that it can only be 
done using the command line explains that quite a few people mention the 
problem.

>> - no control over code by security team
>
> Don't get this point. Does the security team really monitor something on
> community extensions? What I understand is that, in case of a problem,
> they will maybe provide the patch, but will not merge it automatically.
> I don't see a difference between an extension being hosted on the TYPO3
> infra, on GitHub or having no (public) repository.

Most of the time the author will update the code, remove problematic 
tags / branches and publish a new version in TER. The security team will 
remove affected versions from TER.

With repositories on TYPO3 infrastructure it would be possible to remove 
/ disable abandoned repositories with insecure code.
On github there will be a dozen or more forks that even the extension 
author cannot control.

I think it's quite important for integrators to have extensions 
available at a single location. Since they are the main source of bug 
reports it would also help them if they don't have to go to an unrelated 
site to file a bug report.

 From the responses so fare it seems that systems like Gerrit are useful 
for larger groups of developers who need features like voting, 
backporting, and more. Systems like github (the fork/pull request kind) 
are more suitable for small groups who prefer more outside contributions 
and use reviews by a single person.
Wouldn't it be possible to have such a system on t3o infrastructure too:

- svn (old situation)
- git (conversion possible from svn)
   * only repository
   * gerrit on top
   * PR-based tool on top
- git to TER publish
- travis-like tools
- ...

-- 
Jigal van Hemert
TYPO3 CMS Active Contributor

TYPO3 .... inspiring people to share!
Get involved: typo3.org

More information about the TYPO3-dev mailing list