From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id 48D81138334 for ; Fri, 15 Jun 2018 16:03:48 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id ACFCBE08DD; Fri, 15 Jun 2018 16:03:46 +0000 (UTC) Received: from mail-it0-x242.google.com (mail-it0-x242.google.com [IPv6:2607:f8b0:4001:c0b::242]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 569D9E089E for ; Fri, 15 Jun 2018 16:03:46 +0000 (UTC) Received: by mail-it0-x242.google.com with SMTP id a3-v6so3413094itd.0 for ; Fri, 15 Jun 2018 09:03:46 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=subject:to:references:from:openpgp:autocrypt:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=d08pTza0vOu3DY4Ng0SboUepLMtFsUrgX+CYwdR02DI=; b=tz3UH6lxOIwT5AF7/QVQK+kxryPCWjGwXSA4QWjKY0c0peJmAgY+lWm0PF1BVMYSKP 5Wj6iQWljjWHkp0XFTQqlz07Ev2ZbNnlZKukq4oySZFEZ3nQMcrr6OZfzAvvgVnFBujk HUYreefQ25yDn74XDCkTCoahmhPTkKqDRIz/s259BCwBJyujI+qJjspTxiWJtlUOP1Cb xJdGqShwSuKXdluGVjq7/nWTIM+iL9pUagCYRjUdmGpUmWibJHWuDloV1pkW+I+WP6cd KxbNH8UHDUv2QJjGtBidA7ky9mmlhnT6RgIli7YjoZBCI0/qs99cw3X/TtuBoG/iDTFy yunw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:references:from:openpgp:autocrypt :message-id:date:user-agent:mime-version:in-reply-to :content-language:content-transfer-encoding; bh=d08pTza0vOu3DY4Ng0SboUepLMtFsUrgX+CYwdR02DI=; b=cT6AZpJ7v4kHQL9FheiWYJg0GOwaSDRAcsMy2Rj/HTj89TtJF8bIQHclIKwyXHkWzT 9/PCZxTJdlotkhbnsXmqPOAEFo1Yf94rrwepRGI6hADXbYDanQXf7evJ1aIRDOemJz3f EOx0rtYhMnMJ1EO/sl/eya++1E1bSPNeTKQUWvQGW/MSbNgp22M8i4rwQh5HzJdx2e5h qoG1q2cWsCUTtfPePocpj+FhJRo9eOAGtX2yNoqd1v+68rMy80HifT5Mm4wA3kQMOMw2 IUSeHGcjK6SOblxbpjjUBbxY3UJ/A3HCW9DdSWy6Q9Yr5kPR6igiVUQOfZlER1AqvTx5 yUCQ== X-Gm-Message-State: APt69E1HUAFemWatsMopinLFvsbrKZI26f7cGddNxYkNmK+e5dwlbKAw NPXr3ZIgHZ/BD5AxIXxo7v0gA2oG X-Google-Smtp-Source: ADUXVKINY7vYPGGR3ZZpFMupgWfyojDo7WZ8MOUsyTjWmVgu+tLSWEfjZXcwXK8/0AfH5c55jNLU1g== X-Received: by 2002:a02:2422:: with SMTP id f34-v6mr1380802jaa.2.1529078624755; Fri, 15 Jun 2018 09:03:44 -0700 (PDT) Received: from ?IPv6:2604:6000:130f:8578:5e26:aff:fe7e:5367? ([2604:6000:130f:8578:5e26:aff:fe7e:5367]) by smtp.gmail.com with ESMTPSA id b128-v6sm1114952itb.3.2018.06.15.09.03.43 for (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 15 Jun 2018 09:03:43 -0700 (PDT) Subject: Re: [gentoo-project] Repo mirror & CI: official statement wrt GitHub To: gentoo-project@lists.gentoo.org References: <1528529135.1261.34.camel@gentoo.org> <8185f4b0-9d30-d15c-1f7b-331f2b9fafe3@gmail.com> <72b16227-ad16-eca1-5f35-994fe7e89e2c@gentoo.org> <933a84d7-2dc3-e77a-0444-ccc4aa20eb26@gmail.com> <36a4e0e2-c9b5-7058-6c16-a326bbd73d36@gmail.com> From: kuzetsa Openpgp: preference=signencrypt Autocrypt: addr=kuzetsa@gmail.com; prefer-encrypt=mutual; keydata= xsFNBFAAvSMBEACekA6f2B5X9zrQGsSvo1hZZ81cNu13WyZy66VS0JKGR17eSONbRN29h8FF sWEdXDnG4l7IcsaGynKkoMZHJKCl75aOW7y68ef7AzGnSabRSQmx6916VwhRrNPzBaAfb4qr 7YhrbX1whf5Rya1M1IWGPNez4QhPxaQBVP4mbE+csKeOEIpKQ2ZYo9q3uGso6rMj4nlh3I9P gVA5w6MX+G7JhcS9xgq/uIPIkZtX6w4xIhG4mfxg4kGARl4pf2eyF/KRCUww9J4geiIgkdMX VNV/jC/imb5GAnrPW9ZLdd5iZa/kUtsW5e/G/VNS0pdDjRABcm9hKeoLE3U8iCCLlu2+vrMM Rr8Ln4LeFg4JQ/Dyg38U8ZG7bu/CcVi3gG3B5m99LdAhiGX+ZgR7gvOzjddLhtIovVPOak7h Owzn1R5Y5H3eCfKfGjVGGdyih7lMxYVlrFVZbeJggk4UkBrOsdqabgx3Yu/fqF6MGlh0bOIt 85w0k/vjzSaa4XfzVh7LIpnGa8OIVrj963fYjYNjPKr2locKINUy4XbsXmgzOwdfQw6VEtno qNqeS3/1I5oWFq3aJUbGaYzQ+ngDUfb2rrRdbCVFkHzX9lCifjQfeBtFLgJsSgkb/k0lby2V 3Hiv/tMpRBq2mYGN0jq7ldm+aN7fKIgR3qJgGWKVD1qJfE24VwARAQABzRtrdXpldHNhIDxr dXpldHNhQGdtYWlsLmNvbT7CwXoEEwEIACQCGyMFCwkIBwIGFQgJCgsCBBYCAwECHgECF4AF Aliujh8CGQEACgkQvk1O/QUpfGdV2A//bswKdn2tFJuvl0aZDOams9pIo8xgAY7e0dhy+m5b ja9rqZgjVQLTnSArxT9sqvdQNobLXTr0+bmhaPoGPWWpUJLNVOYe+hIi1IGOjiIC1eJ5PUIy m9fpVue4ana21t7Vmzqn9s7OP++rtfQg5RxeJsplqH5aZSCE1oPmzoRuQ6hKqdxajDyEPWZq A3nH4I68n5X2z/rHzI/FAVaiK9zkTh4iDHBOjAvcWMgDL4rBrfYre6l/zWay5Am0YAQsWxyx h7fME2j/CoTiiOauj2kvDIQa/OViCFMeGyhhAPRo9h3OYYRc0DpkQuskLCbWk1yWdMSqsjq5 4NcviEN9dnH/VU0HWgrsK4v0n6io7sv9psYYCBgRG2HSurzeDjcTGsf6HgyHdffLvqd6iaFK tQyUQg9kJQInb621Hicl1F9vzIJHWtPy9XMtDA0d1sJi3QEDRntQE76cjfw8iTKytEl20wl/ 5z2ocBujk7SIYwNS/5d2vj+UR1RJS3tQsQ2TYxQeXNKrJa8gXRN6oBGenZRjpor/QvXAnNmu 5vJrYDe5Yz6CJAsnu3Q3dhG43IGgcX9xDQPk3lK8uBnqMVGs9XWQaIOFT+eAl8e0Rrw0mrW4 S52AtWbtwnShKvn4/lbcLi1eU7+n6SaAH0+OUWB1JTT7lrIQlU+EqrdsOEeNapYvgDjOwU0E UAC9IwEQAJzB6UZ2XQSp7EVz/nxD5u1nzkh0WJDV5E3Xtg8JD1EdcI+ivJ9mosqw2C92ofPP NhBY3kOszJHWEZWTJL5tDsBReKzDFbJL+W/gc58d7eyu2OJ6vnKmCQhNgsqj5gHQGE0pk81s WUgQqmXYG9U3/XDHlitv32MLARtqgQrHLWqg8hyudU9+eMe15nT1VAdmCkhjMxGBkD1HFl4A iv72wKcuT1RutPCDpvPu3X9h69l49SW8ZyPqJ61MlAqncAMGPdS5VmW9g8rBp8Nb69A+6Gs0 yhuiK9WbQvtDpkiic2GnXESHGCO3E9PjusIlfoIFt5ItGSY8P3B98AAlReEgO7eAPDX2RstR vlSD1/w5KH/pb2nqYN/kXuj944otXDPGJtZcZPmgeSBmuSNNLdTU4JlcUQTSqgy2QqPdEow5 rQAYgb+4zR29GYd8tngSLqbudB6fZwM1g4arTCelR87Owqch3AnPLTZBJYyq7hK6pTTCm6tb Vh1ypiFAazB8K0A75k8Mr/p2KozhvCQNPM5bGxlSlBoCuNbmBVSn2P1KEzximuPSz4fxFup2 ujwYqfqMDr2iMCkPuSwj+vx268PJY6uF4itQv933PhXZQQmo4k34jyypRW3RGxI3s9yblbIr NBqfqnXeJE0fIzjrXYX74zARBpNBIzUUyOjsf9ISK2T5ABEBAAHCwV8EGAECAAkFAlAAvSMC GwwACgkQvk1O/QUpfGezNg/9FN+3xGSrCloBDimKrt1LfXQ1abE3eKDU3/auVHqxhMjFCuvY UPbWH8PBnokDhtE5ynh6lmua9lGpiOwUDt82voebvUbtxT+axk3VOqb9cjc5CYbZ4o2xi7k4 Rj0AtEYdALrpR7J80P7lELj7AHP/4J+tVmg/WuSK9j5NpgOpJzLYqe5cgManNxcfFBZ/VJ79 afecej1CGLGUeYsVjyATReC6ApkvuKdnWNlyoyMrz/13RYSusJEy7laYZgEHU4VmwzFdkB3q wjXUguJWHOZxgKo5Pt+melMgQsNYRmZq2XrYM7gDOc7xBOP6m4HjHVasqEtn99HEBdW9CB3j Ed1eGXWq/4EEGUKsDz29uztGddL5LLU5JH8Ls6zjEOYBxQak+lYQQc5ZQpOBANY0odK4j6Pb 1ZOrsV517BNEohTSgrKBSKQnv59ta57HRtO7zDyFsUqi9awcrmdXL0XaTcmd91BlYv5vLFVr Vqrn1qI56nWqcsIks0AWjF+4VIjxBFXBHK6u4H79p/c1+NT7ZP0TuGaBKU9QAK7HO7Z44qMs 2MC7fgUG/1U6qyRM/SMjCkkegoVBBZGVcksppU3S8KUGnWWp6BGx0tBtTRtna5hZSsdbMsQ+ GtaknVtVoWgjK0uF0voQqTHmeF+ZhOqwV1+SaTnj8n6JNd2O+dkFREkq4s8= Message-ID: <068c46f9-cc89-702b-8c77-94896e1bf321@gmail.com> Date: Fri, 15 Jun 2018 12:03:42 -0400 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.8.0 Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Project discussion list X-BeenThere: gentoo-project@lists.gentoo.org Reply-To: gentoo-project@lists.gentoo.org MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 7bit X-Archives-Salt: 4671f407-66dd-46a2-b14f-10f20f49db80 X-Archives-Hash: 767ff24a2ebc81c21ed30b1e26f503a9 On 06/15/2018 11:31 AM, Rich Freeman wrote: > On Fri, Jun 15, 2018 at 10:55 AM kuzetsa wrote: >> >> "Gentoo Developer's Certificate of Origin" - shouldn't >> the author / contributor themselves be involved in this? >> > > It already requires this. The committer would have to certify: > > " (4) The contribution was provided directly to me by some other person > who certified (1), (2), (3), or (4), and I have not modified it." > > (or one of the other items in the list, if they did modify it) > > Ultimately the committer is the person Gentoo has a relationship with, > so they need to make the certification when they make the commit, even > if it is just certifying that somebody else certified it. > > This goes along with something Thomas said earlier - ultimately the > committers are responsible for what they commit. There really isn't a > sane alternative since the whole reason we try to control our > committers is to ensure that things don't end up in the repository > which shouldn't be there. This isn't diminishing the value of 3rd > party contributors - but simply affirming the value-add of having > somebody we know actually look at what is being contributed. That > includes the copyright/license and not just the code. After all, all > this stuff ends up on all our users's systems so we want to protect > them as well as ourselves. Users already have the freedom to use any > overlays they wish if they value these things differently. > > -- > Rich > OH!!! (thanks, I completely missed that detail) from: "$ man git-commit" : [...] The meaning of a signoff depends on the project, but it typically certifies that committer has the rights to submit this work [...] this is frustratingly vague (to me), but I suppose the extra metadata included in the same paragraph has a link to: https://developercertificate.org/ --- (c) The contribution was provided directly to me by some other person who certified (a), (b) or (c) and I have not modified it. --- ^ took me a few minutes to figure out what you meant, or where that particular quote came from: I had never considered this, because historically, gentoo developers who use their PGP key to commit rarely use the --signoff feature when committing the submissions of a contributor, and even if they had, there's not a stable definition. in particular, I'm considering the meaning of the phrase: "some other person who certified" - does this mean the contributor needs to use their PGP key to sign or...? it would be good for gentoo to have clarity on this. I think it could lessen feelings / perceptions that contributors ought to maintain a copy of the work on a 3rd party mirror until it is no longer useful (IMO, at least). -- kuza