On Aug 20, 2012, at 8:18 , Wolfgang Schnerring <w...@gocept.com> wrote:
> a) Using Github is found to be quite attractive by lots of people.
> b) We need to be diligent in maintaining the chain of custody of code so
> the copyright situation is kept clean.
> As far as I understand it, the legal lynchpin is that using Github
> (strongly) encourages merging code contributions of people that did not
> sign a contributor agreement -- which is the same situation as if
> someone attaches a patch file to a bug tracker ticket, but will be much
> more frequent and likely to happen.
> Could we, then, adopt a policy that we only merge pull requests (or
> what have you) from people that have signed a contributor agreement?
> a) Tres, Jens: Would that work from a legal perspective?
> b) Ross, Alex: Would that still yield the advantages of the distributed
> source control model?
Maintaining the chain of custody doesn't just consist of selecting pull
requests or patches coming from somewhere. It also means verifying the
contributor - be it the one who is creating the patch or pull request or the
one who is merging new code into the repository - is who he claims to be. In
the current setup the verification of the merging contributor is done using
unique SSH logins with keys for every contributor, which works very well.
By the way, there's no problem converting project repositories on an as-needed
basis to Git repositories in the current infrastructure. But I feel the
discussion is more about "GitHub or nothing". Apologies to anyone who feels
offended, I'm just speaking privately here under the impression that no one has
mentioned any alternative solution.
Moving away from any specific solution and speaking with my Zope Foundation hat
on candidates must fulfil requirements like these (I don't claim completeness
here, suggestions are welcome):
- Read access for everyone including anonymous viewers
- Write access for signed contributors only
- Signed contributors must be able to create new repositories themselves
(current analogy: A contributor adds a new project on svn.zope.org)
- Good verification that a login to the chosen system represents a specific
person/contributor (current example: access via unique SSH logins with keys)
- Only ZF-appointed contributor admins may open access for contributors after
receiving and verifying signed contributor agreements (currently Andreas Jung
as officially appointed contributor committee member and Christian Theune as
board member and contributor committee member handle this job)
- Only ZF-appointed contributor admins (see above) may change or revoke access
privileges for contributors
- a reasonably convenient web view onto the repositories/projects for visitors
- a reasonably convenient way (e.g. web admin capabilities) for the ZF
contributor administration to do their job
Zope-Dev maillist - Zope-Dev@zope.org