cordova-dev mailing list archives

From James Jong <wjamesj...@gmail.com>
Subject Re: [DISCUSS] Automate signed icla to git commits
Date Wed, 30 Apr 2014 17:09:35 GMT
Agreed that it is working as intended.  It’s also good to know that although Cordova’s
been requiring CLAs for its contributions, it isn’t a hard Apache requirement.  For
some contributions I’ve wanted to pull in, the CLA has been the holdup.  Thanks for the
clarification.

-James Jong

On Apr 28, 2014, at 10:40 PM, Andrew Grieve <agrieve@chromium.org> wrote:

> I'm pretty confident it's working as intended for now.
> 
> 
> On Mon, Apr 28, 2014 at 3:05 PM, Marvin Humphrey <marvin@rectangular.com> wrote:
> 
>> On Mon, Apr 28, 2014 at 9:20 AM, Andrew Grieve <agrieve@chromium.org> wrote:
>>> Interesting! Going by this description, it sounds like we wouldn't need
>>> ICLAs for the majority of pull requests since pull requests details get
>>> forwarded to the mailing-list.
>> 
>> Legally, the party making the pull request implicitly asserts that they have
>> the right to contribute the commits under the ALv2 section 5.
>> 
>> However, if a release with infringing material escapes out into the wild,
>> having somebody to blame will be cold comfort.  Should the original copyright
>> owner request that we cease distributing the offending release, Cordova's
>> users are going to be in a bad situation regardless.
>> 
>>> New proposal: don't worry about CLAs at release time.
>> 
>> The key here is that the Cordova PMC needs to be vigilant with every pull
>> request from somebody who has not signed a CLA or is otherwise well-known to
>> be submitting clean IP.  The Cordova committer who accepts the pull request
>> and pushes to the ASF repo is the first line of defense.  However, the rest of
>> the PMC is also collectively responsible for reviewing all commits.
>> 
>> So the question is, how confident are you in the existing review process?  If
>> it's working as intended, then there's indeed no need to perform an additional
>> audit at release time.  On the other hand if it's porous, then building in
>> more checks might be wise.
>> 
>> Marvin Humphrey
>> 

