[Zope-dev] We need to change how code ownership works.

Jens Vagelpohl jens at dataflake.org
Mon Aug 20 07:07:44 UTC 2012


On Aug 20, 2012, at 8:18 , Wolfgang Schnerring <ws at gocept.com> wrote:
> a) Using Github is found to be quite attractive by lots of people.
> b) We need to be diligent in maintaining the chain of custody of code so
> the copyright situation is kept clean.
> 
> As far as I understand it, the legal lynchpin is that using Github
> (strongly) encourages merging code contributions of people that did not
> sign a contributor agreement -- which is the same situation as if
> someone attaches a patch file to a bug tracker ticket, but will be much
> more frequent and likely to happen.
> 
> Could we, then, adopt a policy that we only merge pull requests (or
> whathaveyou) from people that have signed a contributor agreement?
> a) Tres, Jens: Would that work from a legal perspective?
> b) Ross, Alex: Would that still yield the advantages of the distributed
> source control model?

Maintaining the chain of custody doesn't just consist of selecting pull requests or patches coming from somewhere. It also means verifying the contributor - be it the one who is creating the patch or pull request or the one who is merging new code into the repository - is who he claims to be. In the current setup the verification of the merging contributor is done using unique SSH logins with keys for every contributor, which works very well.

By the way, there's no problem converting project repositories on an as-needed basis to Git repositories in the current infrastructure. But I feel the discussion is more about "GitHub or nothing". Apologies to anyone who feels offended, I'm just speaking privately here under the impression that no one has mentioned any alternative solution.

Moving away from any specific solution and speaking with my Zope Foundation hat on, candidates must fulfil requirements like these (I don't claim completeness here, suggestions are welcome):

- Read access for everyone including anonymous viewers

- Write access for signed contributors only

- Signed contributors must be able to create new repositories themselves (current analogy: A contributor adds a new project on svn.zope.org)

- Good verification that a login to the chosen system represents a specific person/contributor (current example: access via unique SSH logins with keys)

- Only ZF-appointed contributor admins may open access for contributors after receiving and verifying signed contributor agreements (currently Andreas Jung as officially appointed contributor committee member and Christian Theune as board member and contributor committee member handle this job)

- Only ZF-appointed contributor admins (see above) may change or revoke access privileges for contributors

- a reasonably convenient web view onto the repositories/projects for visitors and contributors

- a reasonably convenient way (e.g. web admin capabilities) for the ZF contributor administration to do their job

jens
