Re: [gentoo-project] [RFC] glep-0076: add clarification about the sign-off requirements

[Michael Jones <gentoo@jonesmz.com>]

[-- Attachment #1: Type: text/plain, Size: 2562 bytes --]

On Wed, Jul 28, 2021 at 10:42 AM Sam James <sam@gentoo.org> wrote:

>
>
> > On 28 Jul 2021, at 12:50, Thomas Deutschmann <whissi@gentoo.org> wrote:
> >
> > Hi,
> >
> > this was also my understanding. GLEP 76 applies to everyone -- no
> exception and during discussion we explicit agreed that it's better to
> reject any contribution from individual(s) who cannot do the sign-off for
> whatever reason.
> >
> > Keep in mind: Whoever will proxy such a commit will be 100% responsible
> in the end. For purely self-protection reasons nobody should proxy a commit
> he/she doesn't understand, doesn't know the origin or in general has any
> doubts about. _You_ will be responsible for this because _you_ introduced
> the commit in Gentoo.
>
> Agreed, but s/commit/contribution/?
>
> >
> > That said, an individual who doesn't want to do the sign-off for
> whatever reason could also contribute without getting attribution if
> contributor will find a developer who is willing to do this (=what happens
> for most small proposed bug fixes via b.g.o for example).
> >
> >
>
> Right.
>
> Part of the reason why I'm keen on this proposal is that there's no
> practical difference between accepting a patch on Bugzilla and
> re-committing it under my own name and just merging their PR. I suppose if
> we're clear on guidelines,
> dropping signoffs where people admit their names are fake would be okay,
> but it still feels like extra work for developers when merging PRs.
>
> best,
> sam
>




I've not followed this full discussion, but has the propensity for projects
other than Gentoo to add the git signed-off-by field to commits on behalf
of people been brought up? I've seen that happen in OpenWRT twice, as well
as other random projects.

I can't imagine that using the git signed-off-by field is in any way
legally meaningful unless you're also requiring developers register their
public key with Gentoo, and then sign their commits with their pub/priv
key. You also have to consider that the signed-off-by field is used by
different projects in very different ways, and there's no legal precedent
that I'm aware of that implies that signed-off-by means "I wrote this",
since there are project that use it as "I've approved this".

Anything less than that is just asking for someone to, entirely plausibly,
claim that they were not the person who added the signed-off-by field to
the commit in question, and good luck proving otherwise. Or that they meant
something very different than what Gentoo thinks they did when they added
signed-off-by to their commit.

[-- Attachment #2: Type: text/html, Size: 3235 bytes --]