Posted to legal-discuss@apache.org by "seba.wagner@gmail.com" <se...@gmail.com> on 2020/04/20 20:43:26 UTC

Accepting PRs from non project members

Hey!

I hope everyone is safe n healthy!

I am quite keen to use Github and its features. It's great and OpenSource
projects truly thrive with the open way of how people can fork/PR/submit
proposals and the collaborative way of discussing their changes.

However we were discussing on our private mailing list about acceptance of
PR requests from non project members. They haven't signed an ICLA. We assume
it is okay to accept those. We think it is probably similar to submitting a
patch via a Jira ticket ?

How does accepting a code contribution from a non project member via a
GitHub PR work legally ?

I was searching the web and the ASF website a bit. I found not much but an
article on Wired [1]

Sry to quote anybody reading this (!!)
*Stein says ASF will keep copies of all the code hosted on GitHub on its
own servers, and contributors who don't agree to GitHub's terms of service
will be able to submit code changes through ASF's own Git server, which
Stein says isn't going anywhere. But the bulk of the organization's
projects will now be developed on GitHub.*

So does that mean it's okay to accept. And the way it works is that legally
they are actually submitting the PR to Github. Not ASF. So they are covered
by Github's Terms of Service[2]. And in turn we/ASF are happy to accept
this contribution as those Terms of Service cover us too?

Thanks!
Seba

[1] https://www.wired.com/story/open-source-all-about-github-now/
[2] https://help.github.com/en/github/site-policy/github-terms-of-service

Sebastian Wagner
https://www.linkedin.com/in/sebastianwagner/

Re: Accepting PRs from non project members

Posted by "seba.wagner@gmail.com" <se...@gmail.com>.
Awesome thanks for that Greg!

Sebastian Wagner
https://www.linkedin.com/in/sebastianwagner/


On Tue, 21 Apr 2020 at 09:37, Greg Stein <gs...@gmail.com> wrote:

> On Mon, Apr 20, 2020 at 4:34 PM Greg Stein <gs...@gmail.com> wrote:
> >...
>
>> What is important is to understand the ICLA says you have the rights to
>> apply the change.
>>
>
> I was imprecise with my language here. ... the ICLA requires you to have
> the rights.
>
> From the Foundation's standpoint, you've signed one, so we "see you have
> the rights [given the requirements of your signed ICLA]". I used the point
> of view above.
>
> A small but very important distinction. If a committer doesn't believe
> they have the rights to push code to the repository, then they should not
> do it.
>
> Cheers,
> -g
>
>

Re: Accepting PRs from non project members

Posted by Greg Stein <gs...@gmail.com>.
On Mon, Apr 20, 2020 at 4:34 PM Greg Stein <gs...@gmail.com> wrote:
>...

> What is important is to understand the ICLA says you have the rights to
> apply the change.
>

I was imprecise with my language here. ... the ICLA requires you to have
the rights.

From the Foundation's standpoint, you've signed one, so we "see you have
the rights [given the requirements of your signed ICLA]". I used the point
of view above.

A small but very important distinction. If a committer doesn't believe they
have the rights to push code to the repository, then they should not do it.

Cheers,
-g

Re: Accepting PRs from non project members

Posted by Greg Stein <gs...@gmail.com>.
Hello, Seba,

On Mon, Apr 20, 2020 at 3:43 PM seba.wagner@gmail.com <se...@gmail.com>
wrote:
>...

> However we were discussing on our private mailing list about acceptance of
> PR requests from non project members. They haven't signed an ICLA. We assume
> it is okay to accept those. We think it is probably similar to submitting a
> patch via a Jira ticket ?
>

Yup. A committer with an ICLA on file can approve/push the PR to the
repository. Standard concerns apply about "how big is this patch?"

What is important is to understand the ICLA says you have the rights to
apply the change. In this case, it is assumed you have been given the
rights by the contributor who opened the PR, since they opened it.
Permission can also be assumed under clause 5 of the ALv2.

So what is *really* happening is that the *committer* is marked as pushing
the change, and is (thus) responsible for it, it falls under their ICLA,
and the ASF legal umbrella applies to that committer. The contributor is
marked in git as the author (which is distinct from the pusher).

> How does accepting a code contribution from a non project member via a
> GitHub PR work legally ?
>

See above.


> I was searching the web and the ASF website a bit. I found not much but
> an article on Wired [1]
>
> Sry to quote anybody reading this (!!)
> *Stein says ASF will keep copies of all the code hosted on GitHub on its
> own servers, and contributors who don't agree to GitHub's terms of service
> will be able to submit code changes through ASF's own Git server, which
> Stein says isn't going anywhere. But the bulk of the organization's
> projects will now be developed on GitHub.*
>

That's me! :-)

That paragraph means we're keeping copies of everything on our servers.

Further: there are some *committers* (noting how Apache distinguishes
between committers and contributors) who choose not to sign GitHub's T&C.
Thus, they cannot participate on GitHub with the other committers in their
community. We provide a way for them to commit via gitbox.a.o. It is
unrelated to PRs and contributors.

> So does that mean it's okay to accept. And the way it works is that legally
> they are actually submitting the PR to Github. Not ASF. So they are covered
> by Github's Terms of Service[2]. And in turn we/ASF are happy to accept
> this contribution as those Terms of Service cover us too?
>

The Foundation does not concern itself with GitHub's T&C. That is for the
users who agreed to them.

Cheers,
Greg Stein
Infrastructure Administrator, ASF