www-legal-discuss mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Davor Bonaci <da...@google.com.INVALID>
Subject Re: Tool for automated merges into an ASF repository (Mergebot)
Date Tue, 26 Apr 2016 20:29:09 GMT
This is what we hoped for -- the statement this has nothing to do with the
legal process. I'll comment on the Infra-related concerns separately.

Thank you!

On Tue, Apr 26, 2016 at 12:50 PM, Roy T. Fielding <fielding@gbiv.com> wrote:

> ASF internal legal questions should be addressed to legal-internal. Legal
> discuss is for general discussion of licensing issues. But, to save time...
> To clarify, IIRC, Infra is suggesting that allowing a bot to merge changes
> into our version control does not provide sufficient proof of intent to
> contribute because the Apache committer has not been authenticated as part
> of that process, which means we have not tied it to a specific ICLA and
> verified that only authenticated users can cause the bot to proceed.
> I submit that this is a judgement call that can be assessed by infra or
> the board as they see fit. It has nothing to do with legal process or
> licensing, since that is handled when the code is submitted to the ASF (not
> when it is committed to version control via git) and when a decision to
> release is made. Hence, this would be an infra mechanism, not a legal one.
> ....Roy
> > On Apr 26, 2016, at 11:10 AM, Davor Bonaci <davor@google.com.INVALID>
> wrote:
> >
> > Hi legal-discuss,
> >
> > Apache Beam (incubating) project would like to develop and use a tool
> for (somewhat) automated merges of pull requests into our ASF repository.
> We’d like to hear your opinion, and address any legal issues that may come
> up.
> >
> > In Beam, we already strictly use a review-then-commit workflow -- please
> see our Contribution Guide for details [1]. All proposed code goes through
> a detailed, manual review by a project’s committer.
> >
> > Once the committer is happy with the proposed changes, the committer
> must manually merge the changes into the ASF repository. We’d like to
> automate this part of the process, which is completely manual and
> error-prone. A computer could do a much better job than a human on this,
> manual part of the process.
> >
> > Instead of manually merging a pull request branch onto the target branch
> in another repository, potentially re-basing, potentially squashing
> commits, re-testing and pushing the changes, a committer can issue a
> command to the tool to do the same job instead.
> >
> > This would be hugely beneficial for our productivity. This manual
> process takes a lot of time, with zero benefit back to the project. We have
> heard feedback from some committers that it is hard to learn and get
> started with. It is error-prone -- we have had many unintentional pushes,
> resulting in convoluted history that is hard to reason about.
> >
> > This process is something that is widespread in the industry. For
> example, here at Google, we sometimes use such a process. In a non-ASF
> GitHub workflow, there’s a button that does it.
> >
> > We believe this has zero legal implications, because nothing is really
> changing:
> >
> > * Architecturally, this is very clean. We don’t need any special access
> that we currently don’t have.
> > * The process is the same as before. A committer does all the work, and
> makes all the decisions. No code can be committed without a committer
> blessing it.
> > * -- This is the key part -- The only difference is that the committer
> issues a command to the tool to perform the job, instead of typing each
> command separately.
> > * At the end of the day, nobody can tell whether a committer or the tool
> did the job.
> >
> > Do you see anything problematic from a legal perspective? If so, please
> let us know and we’ll try to address it.
> >
> > If not, the last open question is which ASF account would the tool run
> under. Realistically, we could run a tool under one of our own accounts
> already -- we don’t need any special access whatsoever. However, it would
> be slightly nicer to have a dedicated mergebot account for this.
> >
> > We have posed the same question to the ASF Infra [2]. Technically, they
> think a separate account is fine, but they’d like to have Legal guidance to
> make sure they aren’t opening a can of worms here.
> >
> > Thanks for your consideration.
> >
> > On behalf of Apache Beam,
> > Davor Bonaci and JB Onofre.
> >
> > [1] https://beam.incubator.apache.org/contribution-guide
> > [2] https://issues.apache.org/jira/browse/INFRA-11644

View raw message