This page collects the guidelines established in the git experiment.

This is a work in progress.

ASF GIT repositories are currently hosted at

For understanding the technical aspects of GIT and SVN please read SVNvsGIT. This will help you to grok the design decissions

GIT at the ASF is currently an experiment. We have defined criteria under which this experiment should be considered successful.


Canonical GIT repositories for Apache projects must be hosted on ASF hardware, under full control of the ASF infrastructure. This has quite a few reasons:

  1. Our Source Code Repositories are there for one reason: helping the community. This can best be supported by having one single canonical repository. Projects having multiple equitable repository clones tend to split the community.
  2. UserIDs outside of are not relyable! We can only guarantee a fully trusted authentication for servers we host ourselfs!
  3. Authentication can later be extended to support login via ssh keys uploaded to (we need to drop this as infra ticket)

  4. Relying on external infrastructure for our own core business is frankly spoken pretty unwise. This would not only split the community but also would us make loose our independence. We would have no access to the underlying hardware, thus no way to handle threats if someone tries to taint our repositories.

Project Structure

  1. Each project has at least one GIT repository which contains the main project and is read/writable for all committers.
  2. Each project can optionally have a separated PMC-private GIT repository which conains confidential legal stuff like trademark contracts, creds for community accounts like twitter, etc
  3. Some projects might need additional GIT repositories containing project parts which have a completely separated lifecycle from the main project. This can be various build-tools (checkstyle-rules, project specific maven-plugins which are needed to build the project) or the project site. This is needed because a GIT branch and tag always affects the whole repository

GIT Hooks

We need to apply some hooks to the GIT repos to prevent the user from changing a few things.

  1. It must not be possible to change the history of a project or delete certain branches. Any sha1 in master or any productive branch must not be allowed to get changed!
  2. git-rebase, git-stash and stashing via git-merge --interactive is only allowed if the history of external contributions remains preserved.
  3. It must not be possible to delete release tags.

Non-ASF repository collaboration

  1. Doing a test feature branch in private or in a forked github repository is perfectly fine. But committers should push to the canonical ASF repository early and often to prevent a fragmentation of the community development effort.
  2. Even if GIT supports the additional author information, the established policy that committers should apply their commits to the canonical repository themself remains intact.
  3. Committers pushing changes to the canonical repository must make sure that the committerIds and authorIds in the changes they submit are trustworthy (authenticated and iCLA on file).
  4. Pulling from some external (non hosted) repository must only happen if all the respective commits are done by a person which has an iCLA on file and if the diff of the pull-request is preserved on some ASF server. This can be done by extending JIRA to automatically download the diffs of a pull-request.The project shall not hesitate to animate people to sign our iCLA.
  5. Incorporating changes from other contributors (no iCLA on file) must only be handled via JIRA attached patches because of legal reasons (the 'grant inclusion under ALv2' flag in JIRA).
  6. The project documentation and project site shall mention the based GIT repo as the canonical source location.

Cutting Releases with GIT

Apache Maven supports the usage of GIT with the maven-scm-providers-git since 2008.

Be aware that the branch created by a release with GIT always covers the whole repository.

Release Tags with GIT

[Proposal, not yet coordinated]: Since a Tag in GIT is just a name for an existing sha1 commit, we can treat release tags much more elegant than with SVN where this is technically a 'svn copy'.

While doing the release candidate we give it a {projectName}-{versionNr}-rcX tag. After all the voting passes we can now easily apply the final tag name {projectName}-{versionNr} to this commit since tags are just a 'name' for a given sha1 commit, and the sha1 does not change at all when tagging. If a vote fails, we can just assign a new '-rc2', etc tag.

Do not tag a release until the vote has passed.

Apache does not issue release candidates in the same way that other projects do. When most users see a release candidate, they think of it as an officially sanctioned version of the software. If we tag our release artefacts (which may be prepared by anyone, at any time) as release candidates while we vote on them, we are sending the wrong message to anyone who finds that tag in the repository.

Even if we avoid calling them release candidates, all tags live in the same namespace, so we risk confusing our users if we tag the release artefacts we are voting on, as well as the release artefacts we have actually released. Deleting tags that correspond to failed votes will not help, because Git does not reliably propagate tag deletion to downstream repositories.

In answer to these concerns, vote emails must reference the tree-ish used to prepare the release. Only when the vote passes must you tag that tree-ish. Preferably using the version number alone, as each Git repository corresponds to exactly one project. The resulting tag list in Git is a clean list of every official release, and every downstream repository will be eventually consistent.