I'm fairly certain we are not switching the externals (other than maybe adding one) unless we switch to something non-git, so I think we won't run into this issue again.

 

Several reasons. The httplib2 repository we used was already a third-party one - httplib2 uses hg. Thus, some unknown third party could change/add/etc code, which is bad for several reasons: they could add malicious code or malicious SSL certificates, for example.

Secondly, having our own repository means it's easy to maintain patches - we track the original repository in a branch, so changes can be merged back to our master branch. For instance, we have a patch to add a more reasonable SSL certificate list and one that makes it possible to actually import the python2 httplib2.

 

What advantage would that have? Now we have a clear source repository, with easily tracable commits. This is much harder with patches. Oh, and we don't need patch.exe.

 

Anyone with +2 could do this, but there is a script on tool labs that can be run to do this automatically. It's not really an issue as the rate of development in httplib2 is fairly limited (last commit was in march). Basically: we have a branch 'origin' that can be pushed to without going through Gerrit (that would be annoying if there are multiple new commits). That branch directly follows the origin master branch, and we would merge from that branch to master - which would pass through Gerrit.

Merlijn