On Aug 20, 2012, at 8:18 , Wolfgang Schnerring <w...@gocept.com> wrote:
> a) Using Github is found to be quite attractive by lots of people.
> b) We need to be diligent in maintaining the chain of custody of code so
> the copyright situation is kept clean.
> As far as I understand it, the legal lynchpin is that using Github
> (strongly) encourages merging code contributions of people that did not
> sign a contributor agreement -- which is the same situation as if
> someone attaches a patch file to a bug tracker ticket, but will be much
> more frequent and likely to happen.
> Could we, then, adopt a policy that we only merge pull requests (or
> whathaveyou) from people that have signed a contributor agreement?
> a) Tres, Jens: Would that work from a legal perspective?
> b) Ross, Alex: Would that still yield the advantages of the distributed
> source control model?

Maintaining the chain of custody doesn't just consist of selecting pull 
requests or patches coming from somewhere. It also means verifying the 
contributor - be it the one who is creating the patch or pull request or the 
one who is merging new code into the repository - is who he claims to be. In 
the current setup the verification of the merging contributor is done using 
unique SSH logins with keys for every contributor, which works very well.

By the way, there's no problem converting project repositories on an as-needed 
basis to Git repositories in the current infrastructure. But I feel the 
discussion is more about "GitHub or nothing". Apologies to anyone who feels 
offended, I'm just speaking privately here under the impression that no one has 
mentioned any alternative solution.

Moving away from any specific solution and speaking with my Zope Foundation hat 
on, candidates must fulfil requirements like these (I don't claim completeness 
here, suggestions are welcome):

- Read access for everyone including anonymous viewers

- Write access for signed contributors only

- Signed contributors must be able to create new repositories themselves 
(current analogy: A contributor adds a new project on svn.zope.org)

- Good verification that a login to the chosen system represents a specific 
person/contributor (current example: access via unique SSH logins with keys)

- Only ZF-appointed contributor admins may open access for contributors after 
receiving and verifying signed contributor agreements (currently Andreas Jung 
as officially appointed contributor committee member and Christian Theune as 
board member and contributor committee member handle this job)

- Only ZF-appointed contributor admins (see above) may change or revoke access 
privileges for contributors

- A reasonably convenient web view onto the repositories/projects for visitors 
and contributors

- A reasonably convenient way (e.g. web admin capabilities) for the ZF 
contributor administration to do their job


Zope-Dev maillist  -  Zope-Dev@zope.org
**  No cross posts or HTML encoding!  **
(Related lists -
 https://mail.zope.org/mailman/listinfo/zope )