On Mon, Apr 28, 2014 at 9:20 AM, Andrew Grieve <[email protected]> wrote:
> Interesting! Going by this description, it sounds like we wouldn't need
> ICLAs for the majority of pull requests since pull request details get
> forwarded to the mailing-list.

Legally, the party making the pull request implicitly asserts that they have the right to contribute the commits under the ALv2 section 5. However, if a release with infringing material escapes out into the wild, having somebody to blame will be cold comfort. Should the original copyright owner request that we cease distributing the offending release, Cordova's users are going to be in a bad situation regardless.

> New proposal: don't worry about CLAs at release time.

The key here is that the Cordova PMC needs to be vigilant with every pull request from somebody who has not signed a CLA or is otherwise well-known to be submitting clean IP. The Cordova committer who accepts the pull request and pushes to the ASF repo is the first line of defense. However, the rest of the PMC is also collectively responsible for reviewing all commits.

So the question is, how confident are you in the existing review process? If it's working as intended, then there's indeed no need to perform an additional audit at release time. On the other hand if it's porous, then building in more checks might be wise.

Marvin Humphrey
