From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id 4EB04138334 for ; Fri, 15 Jun 2018 16:11:58 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id A5790E0909; Fri, 15 Jun 2018 16:11:56 +0000 (UTC) Received: from mail-pf0-f195.google.com (mail-pf0-f195.google.com [209.85.192.195]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 59130E0908 for ; Fri, 15 Jun 2018 16:11:56 +0000 (UTC) Received: by mail-pf0-f195.google.com with SMTP id c22-v6so5104028pfi.2 for ; Fri, 15 Jun 2018 09:11:56 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=yh9HouhwiqDJx94LPbi/iTizUgkZS8chYlHJwpNNIFw=; b=BxqNuWKNqi4FlOqp9MefzHQcgfjP2LZ5569tIJJoRi988VrOtVviAdysUFJklRPLRc Dsnl4DnJFlrHdCI0vcPK0ICmFP6EpJzaMW2kUoFGqXKz1Bo2Xv169DE9hOE1me2HAxjs MpA0XxgSvsyDndkO9incRx5BulA02sHpyd8i/XC2SBUaiQsL+2MORhG376kaYiMAI0oh v4UAVDL/aTvZEe9uMm2ewtwmOdlPjP2L4JOmUXC4msOh/6kUVXuR8vvVZbWMCAALL3vP bNDno5HXOCnnDECn0oYr5O1oXln9kcBx0hXuDwkPV5xqXIaUTu9JCwDseoxuMl26LV7n gjRg== X-Gm-Message-State: APt69E0GX0WX7pBm8hZWFwa7Q5UQdg9JcF4r0690WpVMvAjThzVbbfz9 F90UjMHF+PFQOiiU6KZoPZsaUMqA20uZjzTa0GaIHo5q X-Google-Smtp-Source: ADUXVKJjXrsijiBPtz4pmb4ELE2zHEDjNUsRfI7LJA+GEoBfwvhXwj6FmXRQkx96p/a9//0Q7RrMtzZdbXaAHltJpw0= X-Received: by 2002:a62:3a59:: with SMTP id h86-v6mr2624444pfa.209.1529079114619; Fri, 15 Jun 2018 09:11:54 -0700 (PDT) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Project discussion list X-BeenThere: gentoo-project@lists.gentoo.org Reply-To: gentoo-project@lists.gentoo.org MIME-Version: 1.0 References: <1528529135.1261.34.camel@gentoo.org> <8185f4b0-9d30-d15c-1f7b-331f2b9fafe3@gmail.com> <72b16227-ad16-eca1-5f35-994fe7e89e2c@gentoo.org> <933a84d7-2dc3-e77a-0444-ccc4aa20eb26@gmail.com> <36a4e0e2-c9b5-7058-6c16-a326bbd73d36@gmail.com> <068c46f9-cc89-702b-8c77-94896e1bf321@gmail.com> In-Reply-To: <068c46f9-cc89-702b-8c77-94896e1bf321@gmail.com> From: Rich Freeman Date: Fri, 15 Jun 2018 12:11:42 -0400 Message-ID: Subject: Re: [gentoo-project] Repo mirror & CI: official statement wrt GitHub To: gentoo-project Content-Type: text/plain; charset="UTF-8" X-Archives-Salt: 381ab9a6-6282-4a3b-ab5f-11de02e57133 X-Archives-Hash: 11450a0a01b883383002ed01a2c942dc On Fri, Jun 15, 2018 at 12:03 PM kuzetsa wrote: > > from: "$ man git-commit" : [...] The meaning of a > signoff depends on the project, but it typically > certifies that committer has the rights to submit > this work [...] > > this is frustratingly vague (to me), but I suppose > the extra metadata included in the same paragraph > has a link to: https://developercertificate.org/ Well, we aren't using that as-is, but a modified version of this. Gentoo policies aren't contained in manpages. The Gentoo policy is in draft GLEP 76: https://gitweb.gentoo.org/data/glep.git/tree/glep-0076.rst (It was posted a few days ago on this list, and discussed here in various forms over the last few years.) > ^ took me a few minutes to figure out what you meant, > or where that particular quote came from: It came from GLEP 76 (still in draft). It is of course based on the Linux DCO (which I believe is attributed in the GLEP). > I had never considered this, because historically, > gentoo developers who use their PGP key to commit > rarely use the --signoff feature when committing the > submissions of a contributor, and even if they had, > there's not a stable definition. Today they shouldn't be using --signoff, because there IS no official policy. They will be required to do so once GLEP 76 is approved (this will be enforced with a commit hook). > "some other person who certified" - does this mean the > contributor needs to use their PGP key to sign or...? > > it would be good for gentoo to have clarity on this. IMO it is up to the certifier to decide what constitutes a certification made by somebody else. This is necessarily outside of Gentoo so to try to impose a particular mechanism would make it harder to use outside code. For example, all Linux commits have a DCO signoff, but these have no GPG signoffs to go with them. We wouldn't want to block people from using GPL2 Linux code just because they use a different mechanism to track such things. The Gentoo DCO is an agreement between the Gentoo committer (a Gentoo dev) and Gentoo. That is roughly how I see it at least. -- Rich