[Freeipa-devel] "Commit comments log" functionality in IPA

Dmitri Pal dpal at redhat.com
Fri Nov 7 17:30:07 UTC 2008


> To be able to search for dates or user could have benefits with respect to:
> - Configuration management: if something broke and I knew it worked a
> week ago, I can search for changes that happened during the last week and with the
> comments I can hopefully see which change broke my system.
>   

If something broke you roll back. That is why we will have a quick 
rollback mechanism.
And then you pull the commit comment and see the history. You will not 
see the changes.



> - Security/Audit: if the account of an administrator was compromised I
> can check what changes were made under this account
>
>   

In this case audit is your tool. Commit comments would not help much.


Maybe the use case is still not clear. The comments are needed only in 
the big companies that have a "paper" process of approving any changes.
In such companies the administrators do not have the flexibility of just 
changing something. Any change goes through the lengthy review and 
approval process.
Trust me, there are tons of those companies. The commit comment is the 
link between the event of applying or rolling back the change and this 
process.
The contents of the comment can't be enforced by software but are usually 
mandated by the company policies.
It becomes extremely important in case of fire when something went 
seriously wrong and the CIO is on the quest for heads.
It will provide a fast and convenient way to find the guilty party that 
authorized the change.
This is why this data becomes really critical. If it is glued to the 
object it is related to, it is easier to extract (in UI) and it is more 
trustable.
One can still argue that audit would be a better place for it. I see 
the point but I do not believe that audit will have enough search 
capabilities to deal with this data. Maybe it will. I am thinking about it.
We will see.

Thanks
Dmitri



