> On 7. Apr 2019, at 11:11, Schanzenbach, Martin <mschanzenb...@posteo.de> wrote:
>
>
>
>> On 7. Apr 2019, at 11:02, Christian Grothoff <christ...@grothoff.org> wrote:
>>
>> On 4/7/19 8:33 AM, Schanzenbach, Martin wrote:
>>> Contributors should be able to do anything they want in their own
>>> namespaces including committing code that does not compile (e.g. for
>>> their gnunet.git forks). However, in order to get it into the "main"
>>> gnunet project codebase, the CI must pass for the respective pull
>>> request and I would argue that 1-2 "main" devs should sign off on the
>>> commit (this allows us to control the CAA issue a bit).
>> Eh, sorry, but under forthcoming EU regulation, we cannot even host
>> contributor's code without having a signed CAA. So Git pushes should
>> only be possible for people that signed the CAA, and in that case if a
>> CAA-signing contributor has pushed a change to a namespace/branch that
>> by convention is to be merged, we should ideally automate the merge.
>
> I think you misunderstand the new regulation. Having a CAA does not protect
> the platform from this.
> It is not enough to have the user state that the code is his, the platform
> must verify/ensure that.
> No legal document is able to absolve us from this.

Btw I also think it only applied to commercial platforms. So is there really a need to worry???

>
>>
>> However, given that we cannot then preserve the gpg signature on the
>> commit (depending on how the merge goes), maybe indeed we _need_ a dev
>> to do the sign-off just to get at least one proper gpg signature on the
>> commit. In that case, maybe the CI can automatically send an e-mail to
>> a group of devs that are on sanity-checking + gpg-signing duty.
>>
>> Anyway, the CAA issue should be solved prior to any Git write access,
>> and the sign off step _may_ be (borderline) acceptable to address the
>> GPG signing issue, but it shouldn't be seen or phrased as that this is
>> done by the "main" devs. The sign-off should be more like a
>> secretary position for pushing the paperwork along.
>
> Well then the whole "open participation" thing is moot anyway and I wonder
> why it comes up all the time here.
> If we have a bureaucratic onboarding process including the CAA (which we do
> not have atm btw), then participation is limited and must be done through
> gatekeepers anyway.
> OTOH, I do not really see a problem with fork+edit without the CAA. The
> problem _only_ arises when the code is merged into the main repo.
> Which is why I think my proposal is better. (apart from the EU regulation
> stuff, but there is no solution to that)
>
>>
>> WDYT?
_______________________________________________
GNUnet-developers mailing list
GNUnet-developers@gnu.org
https://lists.gnu.org/mailman/listinfo/gnunet-developers