cordova-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Marvin Humphrey <>
Subject Re: [DISCUSS] Automate signed icla to git commits
Date Mon, 28 Apr 2014 19:05:09 GMT
On Mon, Apr 28, 2014 at 9:20 AM, Andrew Grieve <> wrote:
> Interesting! Going by this description, it sounds like we wound't need
> ICLAs for the majority of pull requests since pull requests details get
> forwarded to the mailing-list.

Legally, the party making the pull request implicitly asserts that they have
the right to contribute the commits under the ALv2 section 5.

However, if a release with infringing material escapes out into the wild,
having somebody to blame will be cold comfort.  Should the original copyright
owner request that we cease distributing the offending release, Cordova's
users are going to be in a bad situation regardless.

> New proposal: don't worry about CLAs at release time.

The key here is that the Cordova PMC needs to be vigilant with every pull
request from somebody who has not signed a CLA or is otherwise well-known to
be submitting clean IP.  The Cordova committer who accepts the pull request
and pushes to the ASF repo is the first line of defense.  However, the rest of
the PMC is also collectively responsible for reviewing all commits.

So the question is, how confident are you in the existing review process?  If
it's working as intended, then there's indeed no need to perform an additional
audit at release time.  On the other hand if it's porous, then building in
more checks might be wise.

Marvin Humphrey

View raw message