www-infrastructure-dev mailing list archives

From Benson Margulies <bimargul...@gmail.com>
Subject Re: Writable github repos?
Date Sat, 28 Jun 2014 01:56:29 GMT
On Fri, Jun 27, 2014 at 9:54 PM, Joe Schaefer
<joe_schaefer@yahoo.com.invalid> wrote:
> Two things Benson: first your ICLA is really about third-party contributions and your
> acceptance and incorporation thereof. It doesn't spell out precisely your due-diligence requirements,
> but the gist of it is that you are confident you have the legal rights necessary to include
> the contribution. If you aren't that confident, then we ask that you request an ICLA from
> the contributor.

Understood. If I have a point, it's that the quality of the execution
of these responsibilities varies on a scale of something to Mark.

> Second, there is nothing stopping a well-funded "evil" organization from securing a PMC
> post on a project with a bogus ICLA, so the idea that we need to fear only third party contributions
> is nonsense. There are a number of ways to game the system. As you say it boils down to
> reasonable assurances based on the likelihood and potential impact of harm.
> On Friday, June 27, 2014 8:49 PM, Benson Margulies <bimargulies@gmail.com> wrote:
> On Fri, Jun 27, 2014 at 7:58 PM, Joseph Schaefer
> <joe_schaefer@yahoo.com.invalid> wrote:
>> I think that is the point of an icla for committers, because otherwise the apache
>> license suffices.
>> Sent from my iPhone
>>> On Jun 27, 2014, at 5:25 PM, Mark Struberg <struberg@yahoo.de> wrote:
>>>> On Friday, 27 June 2014, 23:17, Joseph Schaefer <joe_schaefer@yahoo.com.INVALID>
>>>> We might simply ask github to provide push records to us.
>>> This would at least solve the problem with who pushed what.
>>> Are you talking about pushes to an ASF project repo on github or to all github
>>> commits we pull in for a pull-request?
>>> And how to solve the problem that it's way too easy to pull foreign changes is
>>> still not clear to me.
> I think that there is a gap between theory and practice.
> First, many, perhaps most, commits are by committers. As an
> organization, we trust committers. Full stop. While there's a theory
> of PMC review, how many PMC members are pretending to be
> mechanical-turk Black Ducks carefully vetting commits?
> For non-committer patches, the safety comes from social interaction.
> Someone emails in a patch. We don't really know that it's their own
> work. When something looks really fishy, a committer might take
> notice. But mostly we trust. I think that Mark is exceptional. OK, a
> github commit can have a fake source. How often do we get JIRAs,
> patches, or pull requests that come with zero social interaction?
> Generally, if someone posts a JIRA, or a PR, or whatever, there's a
> trail of discussion. For one thing, this makes faking the git email
> address fairly moot. If the commit says Fred but all the email says
> George, well, that's a question. If all we have is a PR, we can always
> demand some mailing list interaction. Eventually, a sufficiently
> energetic fraud will get away with it, and as an organization, we long
> ago decided that this was legally tolerable.
>>> LieGrue,
>>> strub
