www-infrastructure-dev mailing list archives

From Joe Schaefer <joe_schae...@yahoo.com.INVALID>
Subject Re: Writable github repos?
Date Sat, 28 Jun 2014 01:54:23 GMT
Two things Benson: first your ICLA is really about third-party contributions and your acceptance
and incorporation thereof.  It doesn't spell out precisely your due-diligence requirements,
but the gist of it is that you are confident you have the legal rights necessary to include
the contribution.  If you aren't that confident, then we ask that you request an ICLA from
the contributor.

Second, there is nothing stopping a well-funded "evil" organization from securing a PMC post
on a project with a bogus ICLA, so the idea that we need to fear only third party contributions
is nonsense.  There are a number of ways to game the system.  As you say it boils down to
reasonable assurances based on the likelihood and potential impact of harm.

On Friday, June 27, 2014 8:49 PM, Benson Margulies <bimargulies@gmail.com> wrote:

On Fri, Jun 27, 2014 at 7:58 PM, Joseph Schaefer
<joe_schaefer@yahoo.com.invalid> wrote:
> I think that is the point of an ICLA for committers, because otherwise the Apache license
> Sent from my iPhone
>> On Jun 27, 2014, at 5:25 PM, Mark Struberg <struberg@yahoo.de> wrote:
>>> On Friday, 27 June 2014, 23:17, Joseph Schaefer <joe_schaefer@yahoo.com.INVALID>
>>> We might simply ask github to provide push records to us.
>> This would at least solve the problem with who pushed what.
>> Are you talking about pushes to an ASF project repo on github or to all github commits
>> we pull in for a pull-request?
>> And how to solve the problem that it's way too easy to pull foreign changes is still
>> not clear to me.

I think that there is a gap between theory and practice.

First, many, perhaps most, commits are by committers. As an
organization, we trust committers. Full stop. While there's a theory
of PMC review, how many PMC members are pretending to be
mechanical-turk Black Ducks carefully vetting commits?

For non-committer patches, the safety comes from social interaction.
Someone emails in a patch. We don't really know that it's their own
work. When something looks really fishy, a committer might take
notice. But mostly we trust. I think that Mark is exceptional. OK, a
github commit can have a fake source. How often do we get JIRAs,
patches, or pull requests that come with zero social interaction?
Generally, if someone posts a JIRA, or a PR, or whatever, there's a
trail of discussion. For one thing, this makes faking the git email
address fairly moot. If the commit says Fred but all the email says
George, well, that's a question. If all we have is a PR, we can always
demand some mailing list interaction. Eventually, a sufficiently
energetic fraud will get away with it, and as an organization, we long
ago decided that this was legally tolerable.

>> LieGrue,
>> strub