Your first two requirements do not require a central repository. They merely require that one repository be designated as "official". It would be backed up rigorously, and would be the source for official builds.
Distributed RCS systems offer at least two approaches to solve your write/audit concern. Some packages offer one or the other, and some offer both:
1. Use of a "patch manager" queue process. Developers submit their patches into the queue, and the patches are verified before actually being committed into that repository. The patch manager might require that all patches be signed by an authorized developer, for example.
2. Use of a "pull" model instead of a "push" model. Every developer can publish their own repository, and the official repository can pull changes directly from those sources. Systems like arch, ArX and darcs that allow any http server to host a read-only repository make this especially easy.
Also, with some systems, every patch is signed by the author, so you have a full audit trail available. Note that this audit information acutally follows the patch around, rather than merely providing protection to a single server.
Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds