On Tue, Jul 27, 2021 at 9:09 PM Joonas Niilola <juippis@g.o> wrote:

> Summary:
> Make it clearer that a sign-off to a git commit is only required from
> the committer, not from the author. It's only encouraged for the
> authors.
>

> Rationale:
> 1. We're actively rejecting contributions from people who do not wish to
> have their real name shown in public, or link it to their Git*
> accounts.

So contribution rejection is a thing. 100% agree we could / should make
this better so we don't have to reject as many commits.


>
> 2. We have no way of knowing or confirming whether the given name is
> "legal". I'd rather not have the sign-off from the author in the first
> place than see clearly made up names in there, with a fresh-made Git*
> account with no prior activity.
>

So I want to be clear here. We require a real name; but we don't verify it.
This is a risk to us, that people will lie. When they lie it's fraud
(misrepresentation).
I entirely expect some amount of fraud; this is the real world and people
do fraud from time to time. The point of policy is not to have no fraud.

This is part of the struggle I perceive where people want a "clear binary
world" where none exists. "Give me a list of rules to apply and I will
apply them" (but see below for more on this).


>
> 3. Recently we've had a couple of cases where our long-standing
> contributors, with ~300 commits in total, reveal they've been using
> pseudonyms. I'm sure there are many others. AFAIK all their commits
> should then be revoked, and possibly future contributions rejected
> due to trust issues?
>

Like the recent LKML incident; I suspect we may need to review their
contributions to see if they were otherwise acceptable.


>
> 4. As said, there are already devs committing work from people we
> know to have made-up names. And/or there are devs committing patches
> without the sign-off to begin with.
>

As discussed on IRC (in #gentoo-trustees) I think we could do with more
guidelines here. I suspect many of the patches are OK to merge regardless
of the name in the SOB line and we could drop the contributor SOB line in
some cases.
This is true today (some developers don't require an SOB line from a
contributor) and so we should review when this is acceptable and clarify
the policy.


>
> 5. The infra git-hooks currently only check for a matching sign-off
> from the committer anyway.
>

When we accept a git commit, many judgements must be made. Some judgements
are automated (and we can reject commits that do not pass these judgements).
Some of them are not automatable, and we rely on committers to make that
judgement with their mind. Not all committers will judge things the same
way and that is OK; it's a risk they take on (as a committer) and that the
organization takes on (as, in the case above, we may need to audit
contributions from time to time). I'm not certain it's a sane argument to
simply say "well this judgement is not automatable so we shouldn't have
that judgement at all."

The judgements are the value you bring (as a human committer). If I could
automate your work then I would; then I wouldn't need committers anymore.
However I do not think this is possible in practice. This is my point
relating to the rules above. If there were a set of codified rules I could
program a computer to do them (make them automated judgements). I'm
suggesting this is not the case and again you as a committer need to
exercise your own judgement when accepting a commit. There is still the
distinction of "how do I as a committer make good judgements" and it's
clear we are struggling in this area.



>
> Final words:
> So currently, this GLEP can be interpreted in two different ways: the
> sign-off is and isn't required from the author. This does harm
> towards contributors who work with devs who do require the sign-off
> from the author, and thus the GLEP needs to be updated and enforced
> one way or the other. I vote what benefits our contributors, and
> therefore us, better.
>

I suspect whether you need an SOB from the author will continue to vary;
but I'm happy to change the policy to have clearer guidelines.

-A


> |
> Signed-off-by: Joonas Niilola <juippis@g.o> |
> --- |
> glep-0076.rst | 15 +++++++++++---- |
> 1 file changed, 11 insertions(+), 4 deletions(-) |
> |
> diff --git a/glep-0076.rst b/glep-0076.rst |
> index 4aa5ee5..faa760d 100644 |
> --- a/glep-0076.rst |
> +++ b/glep-0076.rst |
> @@ -8,10 +8,11 @@ Author: Richard Freeman <rich0@g.o>, |
> Michał Górny <mgorny@g.o> |
> Type: Informational |
> Status: Active |
> -Version: 1.1 |
> +Version: 1.2 |
> Created: 2013-04-23 |
> -Last-Modified: 2018-12-09 |
> -Post-History: 2018-06-10, 2018-06-19, 2018-08-31, 2018-09-26 |
> +Last-Modified: 2021-07-28 |
> +Post-History: 2018-06-10, 2018-06-19, 2018-08-31, 2018-09-26, |
> + 2021-07-28 |
> Content-Type: text/x-rst |
> --- |
> |
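Review bot: the `+Last-Modified: 2021-07-28` line and the new `+ 2021-07-28` Post-History entry hard-code a date one day after the Jul 27 timestamp of the message carrying this patch, so they record a posting and modification that had not happened when the patch was written; since Last-Modified should reflect when the accepted revision actually lands, set these when the change is merged rather than in the proposal. The Version bump from 1.1 to 1.2 is consistent with a wording-only change and needs no further note.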
> @@ -138,7 +139,10 @@ the Certificate of Origin by adding :: |
> |
> to the commit message as a separate line. The sign-off must contain |
> the committer's legal name as a natural person, i.e., the name that |
> -would appear in a government issued document. |
> +would appear in a government issued document. It's strongly encouraged |
> +that the original contribution author also adds their sign-off, to at |
> +least indicate they are aware of this GLEP. But it's required only |
> +from the committer. |
> |
> The following is the current Gentoo Certificate of Origin, revision 1: |
> |
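Review bot: the added sentences from `+would appear in a government issued document. It's strongly encouraged` through `+from the committer.` say what an author's sign-off is meant to indicate ("they are aware of this GLEP") but not what the committer's sign-off covers when the author has not signed off, which is exactly the case the rationale is about; state that explicitly, so a committer merging an unsigned contribution knows what they are certifying. Two wording points: the surrounding normative text avoids contractions, so the two occurrences of "It's" should read "It is", and "the original contribution author" reads better as "the original author of the contribution". Finally, the unchanged sentence before the hunk still ties the legal-name rule to "the committer's legal name"; say whether an author's optional sign-off is held to the same legal-name requirement, since rationale point 2 argues that name cannot be verified anyway.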
> @@ -301,6 +305,9 @@ iv. The original point (d) has been transformed into |
> a stand-alone |
> v. The term "open source" has been replaced by "free software" |
> throughout. |
> |
> +vi. Clarify that a sign-off is only strictly required from the |
> + committer, not from the author. |
> + |
> The new point was deemed necessary to allow committing license files |
> into the Gentoo repository, since those files usually do not permit |
> modification. It has been established that adding a clear provision |
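Review bot: the new item `+vi. Clarify that a sign-off is only strictly required from the` is inserted between item v. and the paragraph beginning `The new point was deemed necessary to allow committing license files`, which refers back to the stand-alone point introduced in item iv.; with vi. sitting in between, "the new point" no longer reads as that point. Either move vi. below that paragraph or out of this list altogether, since items iv. and v. describe changes made to the Certificate text itself while this item describes a change to the GLEP's sign-off rule. Also match the list's descriptive past-tense voice ("has been transformed", "has been replaced"), for example "A sign-off is now only strictly required from the committer, not from the author."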
> -- |
> 2.31.1 |
> |
> |
> |
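Rationale point 5 above says the infra git hooks only check for a sign-off matching the committer. The following is an added example written for this page, not the Gentoo infra hook and not code from either participant in the thread, of what such a check looks like: it parses a commit object in the form `git cat-file -p <sha>` prints it, accepts the commit only when a Signed-off-by trailer matches the committer's name and e-mail, and merely warns when the author has not signed off, which is the rule the patch proposes. The commit objects, names and addresses are constructed for illustration; matching on both name and e-mail (rather than e-mail alone) is this example's design choice.

```python
"""Committer sign-off check (added example; not the Gentoo infra hook).

Input is the text of a commit object as ``git cat-file -p <sha>`` prints it.
Policy implemented: a Signed-off-by trailer matching the committer's name and
e-mail is required; an author sign-off is encouraged and only reported.
"""

import re

# "Name <email>" as it appears on author/committer header lines and in trailers.
IDENT_RE = re.compile(r"^(?P<name>.+?)\s+<(?P<email>[^>]+)>$")
# git header lines look like: "committer Jane Developer <jane@example.org> 1627419600 +0200"
HEADER_RE = re.compile(r"^(author|committer) (?P<ident>.+?) \d+ [+-]\d{4}$")
SOB_RE = re.compile(r"^Signed-off-by:\s*(?P<ident>.+?)\s*$", re.IGNORECASE)


def parse_commit(raw: str) -> dict:
    """Split a raw commit object into its author/committer identities and message."""
    headers, _, message = raw.partition("\n\n")
    idents = {}
    for line in headers.splitlines():
        m = HEADER_RE.match(line)
        if m:
            idents[m.group(1)] = m.group("ident")
    if "author" not in idents or "committer" not in idents:
        raise ValueError("commit object lacks an author or committer header")
    return {"author": idents["author"], "committer": idents["committer"], "message": message}


def split_ident(ident: str) -> tuple:
    """Return (name, email); the e-mail is lower-cased, the name compared as written."""
    m = IDENT_RE.match(ident.strip())
    if not m:
        raise ValueError(f"malformed identity: {ident!r}")
    return m.group("name").strip(), m.group("email").strip().lower()


def signoffs(message: str) -> list:
    """Collect every Signed-off-by trailer in the message, in order, as (name, email)."""
    found = []
    for line in message.splitlines():
        m = SOB_RE.match(line)
        if m:
            found.append(split_ident(m.group("ident")))
    return found


def check_signoff(raw: str) -> dict:
    """Apply the policy: committer sign-off required, author sign-off encouraged."""
    commit = parse_commit(raw)
    try:
        sobs = signoffs(commit["message"])
    except ValueError as exc:
        # A trailer that is not "Name <email>" cannot match anyone: reject.
        return {"accept": False, "committer_signed": False, "author_signed": False,
                "problems": [str(exc)]}
    committer = split_ident(commit["committer"])
    author = split_ident(commit["author"])
    committer_ok = committer in sobs
    author_ok = author in sobs
    problems = []
    if not sobs:
        problems.append("no Signed-off-by trailer at all")
    elif not committer_ok:
        problems.append(f"no Signed-off-by matching committer {committer[0]} <{committer[1]}>")
    if not author_ok and author != committer:
        # Not fatal: the sign-off is only encouraged for the author.
        problems.append("warning: author has not signed off (encouraged, not required)")
    return {"accept": committer_ok, "committer_signed": committer_ok,
            "author_signed": author_ok, "problems": problems}


# Constructed sample commit objects (hypothetical people and repository).
_HEAD = ("tree 4b825dc642cb6eb9a060e54bf8d69288fbee4904\n"
         "author Alex Contributor <alex@example.org> 1627419000 +0200\n"
         "committer Jane Developer <jane@example.org> 1627419600 +0200\n\n"
         "dev-libs/foo: bump to 1.2.3\n\n")
COMMIT_BOTH_SIGNED = _HEAD + ("Signed-off-by: Alex Contributor <alex@example.org>\n"
                              "Signed-off-by: Jane Developer <jane@example.org>\n")
COMMIT_COMMITTER_ONLY = _HEAD + "Signed-off-by: Jane Developer <jane@example.org>\n"
COMMIT_AUTHOR_ONLY = _HEAD + "Signed-off-by: Alex Contributor <alex@example.org>\n"
COMMIT_NAME_MISMATCH = _HEAD + "Signed-off-by: J. Developer <jane@example.org>\n"

if __name__ == "__main__":
    for label, raw in [("both signed", COMMIT_BOTH_SIGNED),
                       ("committer only", COMMIT_COMMITTER_ONLY),
                       ("author only", COMMIT_AUTHOR_ONLY),
                       ("name mismatch", COMMIT_NAME_MISMATCH)]:
        result = check_signoff(raw)
        print(f"{label:15} accept={result['accept']} problems={result['problems']}")
```

In a pre-receive hook the same function would be run over `git cat-file -p` output for each new commit in the pushed range; the name-mismatch case is why the check compares the whole identity and not just the e-mail address, so a trailer that reuses the committer's address under a different name does not pass as the committer's sign-off.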