Stephen Daniel's response already answered the bulk of your question.
However it is worth nothing that most of the time an ICLA is not required not due to clause 5 of the Apache License: http://apache.org/licenses/LICENSE-2.0.html#contributions "Unless You explicitly state otherwise, any Contribution intentionally submitted for inclusion in the Work by You to the Licensor shall be under the terms and conditions of this License, without any additional terms or conditions. Notwithstanding the above, nothing herein shall supersede or modify the terms of any separate license agreement you may have executed with Licensor regarding such Contributions." It is pretty clear that opening a Pull Request counts as "intentionally submitted" so an ICLA is not necessary. ICLAs are only required for people who can commit directly to the ASF repository. It doesn't necessarily matter if the ID is not known as the ASF maintains push records for audit purposes so even if the committer ID in the repository is not known to Apache they can still trace who the Apache committer was who pushed the commits into the ASF repository (as only Apache committers can push code to the ASF repositories). Rob On 09/02/2015 07:00, "Stephen Mallette" <[email protected]> wrote: >Mentors, I had some questions as to how we proceed when we receive a pull >request: > >1. If the PR is from someone we know to have signed an ICLA, then it's >easy >to go ahead and merge, but how do we verify github users submitting PRs >whom we don't know by their ID? I found this page: >http://people.apache.org/committer-index.html which seems to be a public >listing of people who have signed....do we just use that to verify such >things? > >2. Just to clarify, a person who signs an ICLA for Apache is covered for >all Apache projects. It's not like they sign an ICLA for each project >they >commit to. Is that right? > >Thanks, > >Stephen
