Agreed that it is working as intended. It’s also good to know that although Cordova’s been requiring CLA’s for it’s contributions, it isn’t a hard Apache requirement. For some contributions I’ve wanted to pull in, the CLA has been the holdup. Thanks for the clarification.
-James Jong On Apr 28, 2014, at 10:40 PM, Andrew Grieve <agri...@chromium.org> wrote: > I'm pretty confident it's working as intended for now. > > > On Mon, Apr 28, 2014 at 3:05 PM, Marvin Humphrey > <mar...@rectangular.com>wrote: > >> On Mon, Apr 28, 2014 at 9:20 AM, Andrew Grieve <agri...@chromium.org> >> wrote: >>> Interesting! Going by this description, it sounds like we wound't need >>> ICLAs for the majority of pull requests since pull requests details get >>> forwarded to the mailing-list. >> >> Legally, the party making the pull request implicitly asserts that they >> have >> the right to contribute the commits under the ALv2 section 5. >> >> However, if a release with infringing material escapes out into the wild, >> having somebody to blame will be cold comfort. Should the original >> copyright >> owner request that we cease distributing the offending release, Cordova's >> users are going to be in a bad situation regardless. >> >>> New proposal: don't worry about CLAs at release time. >> >> The key here is that the Cordova PMC needs to be vigilant with every pull >> request from somebody who has not signed a CLA or is otherwise well-known >> to >> be submitting clean IP. The Cordova committer who accepts the pull request >> and pushes to the ASF repo is the first line of defense. However, the >> rest of >> the PMC is also collectively responsible for reviewing all commits. >> >> So the question is, how confident are you in the existing review process? >> If >> it's working as intended, then there's indeed no need to perform an >> additional >> audit at release time. On the other hand if it's porous, then building in >> more checks might be wise. >> >> Marvin Humphrey >>