[Contribution][Proposal] Use Contributors file and Signed-Off-By Process for Arrow

["Melik-Adamyan, Areg" <ar...@intel.com>]

To avoid contamination of the Arrow code with wrong licensed code, which can be accidentally included into arrow, including GPL code, and track the contributions maintainers needs to check actually whether committer has signed the ICLA or CCLA, and listed in the contributors file - which we do not have. This is needed to set the clean chain of contribution to safeguard 3rd parties. So either let's add CONTRIBUTORS file, or also we can add "sign-off by process" [1] as it is used in Kernel. The latter will allow single patch contribution without CLA submission. I do not know what are the requirements of the Apache Foundation, but web page does not state sole requirement only on CLA.

[1] https://ltsi.linuxfoundation.org/software/signed-off-process/

Re: [Contribution][Proposal] Use Contributors file and Signed-Off-By Process for Arrow

[Wes McKinney <we...@gmail.com>]

AFAIK no one has been employing systematic IP scanning tools;
generally when there is code reuse in a pull request it is fairly
obvious. It would be interesting to know how large, mature Apache
projects (Apache Hadoop, Apache Spark, etc.) have approached this
problem.

On Mon, Apr 29, 2019 at 5:13 PM Melik-Adamyan, Areg
<ar...@intel.com> wrote:
>
> HI Wes, thanks for the reply. How do the committers and PMC check the IP currently? Is there any standard tool for it that you use?
>
> > -----Original Message-----
> > From: Wes McKinney [mailto:wesmckinn@gmail.com]
> > Sent: Monday, April 29, 2019 4:39 PM
> > To: dev@arrow.apache.org
> > Subject: Re: [Contribution][Proposal] Use Contributors file and Signed-Off-By
> > Process for Arrow
> >
> > hi Areg,
> >
> > I think this is a question for ASF Legal and not Apache Arrow directly. Some
> > contributors submit a ICLA or CCLA to the project, but broadly it is the
> > responsibility of the Committers and PMC members to steward IP in the
> > project, and one of the parts of the release process is to verify that the
> > software has complied with the ASF's licensing policies [1]
> >
> > Thanks
> > Wes
> >
> > [1]: https://apache.org/legal/resolved.html
> >
> > On Mon, Apr 29, 2019 at 4:27 PM Melik-Adamyan, Areg <areg.melik-
> > adamyan@intel.com> wrote:
> > >
> > > To avoid contamination of the Arrow code with wrong licensed code, which
> > can be accidentally included into arrow, including GPL code, and track the
> > contributions maintainers needs to check actually whether committer has
> > signed the ICLA or CCLA, and listed in the contributors file - which we do not
> > have. This is needed to set the clean chain of contribution to safeguard 3rd
> > parties. So either let's add CONTRIBUTORS file, or also we can add "sign-off by
> > process" [1] as it is used in Kernel. The latter will allow single patch
> > contribution without CLA submission. I do not know what are the requirements
> > of the Apache Foundation, but web page does not state sole requirement only
> > on CLA.
> > >
> > > [1] https://ltsi.linuxfoundation.org/software/signed-off-process/
> > >

RE: [Contribution][Proposal] Use Contributors file and Signed-Off-By Process for Arrow

["Melik-Adamyan, Areg" <ar...@intel.com>]

HI Wes, thanks for the reply. How do the committers and PMC check the IP currently? Is there any standard tool for it that you use?

> -----Original Message-----
> From: Wes McKinney [mailto:wesmckinn@gmail.com]
> Sent: Monday, April 29, 2019 4:39 PM
> To: dev@arrow.apache.org
> Subject: Re: [Contribution][Proposal] Use Contributors file and Signed-Off-By
> Process for Arrow
> 
> hi Areg,
> 
> I think this is a question for ASF Legal and not Apache Arrow directly. Some
> contributors submit a ICLA or CCLA to the project, but broadly it is the
> responsibility of the Committers and PMC members to steward IP in the
> project, and one of the parts of the release process is to verify that the
> software has complied with the ASF's licensing policies [1]
> 
> Thanks
> Wes
> 
> [1]: https://apache.org/legal/resolved.html
> 
> On Mon, Apr 29, 2019 at 4:27 PM Melik-Adamyan, Areg <areg.melik-
> adamyan@intel.com> wrote:
> >
> > To avoid contamination of the Arrow code with wrong licensed code, which
> can be accidentally included into arrow, including GPL code, and track the
> contributions maintainers needs to check actually whether committer has
> signed the ICLA or CCLA, and listed in the contributors file - which we do not
> have. This is needed to set the clean chain of contribution to safeguard 3rd
> parties. So either let's add CONTRIBUTORS file, or also we can add "sign-off by
> process" [1] as it is used in Kernel. The latter will allow single patch
> contribution without CLA submission. I do not know what are the requirements
> of the Apache Foundation, but web page does not state sole requirement only
> on CLA.
> >
> > [1] https://ltsi.linuxfoundation.org/software/signed-off-process/
> >

Re: [Contribution][Proposal] Use Contributors file and Signed-Off-By Process for Arrow

[Wes McKinney <we...@gmail.com>]

hi Areg,

I think this is a question for ASF Legal and not Apache Arrow
directly. Some contributors submit a ICLA or CCLA to the project, but
broadly it is the responsibility of the Committers and PMC members to
steward IP in the project, and one of the parts of the release process
is to verify that the software has complied with the ASF's licensing
policies [1]

Thanks
Wes

[1]: https://apache.org/legal/resolved.html

On Mon, Apr 29, 2019 at 4:27 PM Melik-Adamyan, Areg
<ar...@intel.com> wrote:
>
> To avoid contamination of the Arrow code with wrong licensed code, which can be accidentally included into arrow, including GPL code, and track the contributions maintainers needs to check actually whether committer has signed the ICLA or CCLA, and listed in the contributors file - which we do not have. This is needed to set the clean chain of contribution to safeguard 3rd parties. So either let's add CONTRIBUTORS file, or also we can add "sign-off by process" [1] as it is used in Kernel. The latter will allow single patch contribution without CLA submission. I do not know what are the requirements of the Apache Foundation, but web page does not state sole requirement only on CLA.
>
> [1] https://ltsi.linuxfoundation.org/software/signed-off-process/
>