Posted to dev@weex.apache.org by Niclas Hedhman <ni...@hedhman.org> on 2017/03/04 10:03:39 UTC

GitHub pull requests

Hi,
I am wondering if Weex is really keeping the IP provenance audit trail in
order.

For each GitHub Pull Request coming in, you need to be able to show which
ICLA it leads back to, preferably in an automated fashion.

Easiest would be to ensure that every commit has an "@apache.org" address,
instead of the private mail addresses that are currently in use.

IF commits are done to the Apache Git server, the audit trail is automatic
(because it captures the Apache ID making the push), but I don't think that
it is capable of handling Pull Requests and 'transitive contributors'.

So, I would suggest that all committers on the project make a change to
their local git

git config user.email <apache-id>@apache.org
git config user.name "My Real Name"

inside the Weex project local clone.

This would simplify audit trail management a lot, going forward, and make
it much more clear whether any contributions came from elsewhere.


Cheers
-- 
Niclas Hedhman, Software Developer
http://polygene.apache.org <http://zest.apache.org> - New Energy for Java

Re: GitHub pull requests

Posted by Niclas Hedhman <ni...@hedhman.org>.
Just to make it very clear: the ICLA effectively says "I am the creator of
my work, or I have the rights to this work..." [1], whereas the CCLA
effectively says "Our employees are allowed to contribute their work...".
And that's why the ASF requires a Software Grant separately for the initial IP
donation, as the corporation may own the IP rights.
That said, the CCLA is not for the ASF's benefit, but for the individual's
benefit. IF the corporation has not signed the CCLA, it could later come
after the employees and claim that proprietary IP has been published, and
that is what the CCLA is trying to prevent.

Apache is renowned (or frowned upon) for keeping extremely tight records on
IP provenance (see Oracle vs Google, and perhaps
http://www.groklaw.net/pdf3/OraGoogle-959.pdf for Apache Harmony's
involvement in the case; even an Apache member gave testimony in the case).
We need solid ground to stand on, and that is why we bother with all this
PITA.


[1] This is not authoritative, so consult a lawyer for professional advice
around this.

Cheers
Niclas

On Tue, Mar 7, 2017 at 11:14 AM, Bono Lv (Ali ZiKuan) <zikuan.ly@alibaba-inc.com> wrote:



-- 
Niclas Hedhman, Software Developer
http://polygene.apache.org <http://zest.apache.org> - New Energy for Java

Re: GitHub pull requests

Posted by "Bono Lv (Ali ZiKuan)" <zi...@alibaba-inc.com>.
Hi Niclas 

Thanks for your reminder about the status of Weex contributors license signing. We will work to improve the situation.

Currently, the project indeed has some commits contributed by people who haven't signed an Apache ICLA. We used to think these contributions (created by employees) are owned by our corporation, and our corporation has signed the CCLA. Now we realize that even though our corporation has signed the CCLA, making sure every contributor has the CCLA signed is an improvement of the legal situation of the project.

I have noticed that besides signing with a handwritten signature, the License document [1] describes an electronic signing process using the gpg program. Is gpg compulsory if we prefer electronic signing? Can we use some web-based electronic signing services such as cla-assistant.io [2] or docusign.com [3]?
[1]: https://www.apache.org/licenses/
[2]: https://cla-assistant.io
[3]: https://www.docusign.com
Best Regards!
-----------------
Bono Lv
------------------------------------------------------------------
From: Niclas Hedhman <ni...@hedhman.org>
Sent: Saturday, March 4, 2017, 18:11
To: dev <de...@weex.incubator.apache.org>
Subject: Re: GitHub pull requests

Re: GitHub pull requests

Posted by Niclas Hedhman <ni...@hedhman.org>.
To give you an idea of what I am talking about:

niclas@devdesk:~/dev/incubator-weex$ git log | grep ^Author | sort -u | wc
   154     479    6246

154 different Author "names" are in the repository right now.

You might in the future get a question like:
   Who of your 154 contributors do not have an ICLA with the secretary@a.o ?
   And what in the current codebase is still from their contributions?

These kinds of questions MAY arise out of legal action, or just people
wanting to make sure that there is nothing improper going on.


Niclas




-- 
Niclas Hedhman, Software Developer
http://polygene.apache.org <http://zest.apache.org> - New Energy for Java
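An added example, not from this thread or the Weex project, of the kind of automated check Niclas asks for in the opening message (an @apache.org address on every commit) and in the message above (which contributors have no ICLA on file): a POSIX shell script that counts commits per author address from `git log --format='%an <%ae>'` output, reports the addresses with no entry in an ICLA roster, and checks a configured address the way a pre-commit hook would. The sample log lines, the roster and every name and address in it are constructed for the example; in a real clone you would pipe the actual `git log` output in and take the roster from the secretary's records.

```shell
#!/bin/sh
# Added example (not from the thread): audit git author identities against an
# ICLA roster, and check a configured address as a pre-commit hook would.

# Constructed sample of `git log --format='%an <%ae>'` output. All names and
# addresses are made up for this example; none are from the Weex repository.
SAMPLE_LOG='Alice Example <alice@apache.org>
Alice Example <alice@apache.org>
Bob Builder <bob@example-corp.com>
Carol Coder <carol@apache.org>
Dave Drifter <Dave@personal-mail.example>
Bob Builder <bob@example-corp.com>
Erin External <erin@example.net>'

# Constructed ICLA roster (hypothetical): one address per line for which an
# ICLA is on file. A real roster would come from the secretary's records.
ICLA_ROSTER='alice@apache.org
carol@apache.org
bob@example-corp.com'

# Read `%an <%ae>` lines on stdin; print "email count" per distinct address,
# most commits first, then by address. Addresses are lower-cased so that
# Dave@... and dave@... count as one identity.
author_counts() {
    sed -n 's/.*<\([^>]*\)>.*/\1/p' |
        awk '{ n[tolower($0)]++ } END { for (e in n) print e, n[e] }' |
        sort -k2,2nr -k1,1
}

# Read the same lines on stdin; print only the addresses (with their commit
# counts) that have no matching line in the roster passed as $1.
uncovered_authors() {
    roster=$1
    author_counts | while read -r email count; do
        if ! printf '%s\n' "$roster" | grep -qixF -- "$email"; then
            printf '%s %s\n' "$email" "$count"
        fi
    done
}

# Return 0 if $1 is an @apache.org address, 1 otherwise. In a pre-commit hook:
#   check_apache_email "$(git config user.email)" ||
#       { echo "set user.email to <apache-id>@apache.org" >&2; exit 1; }
check_apache_email() {
    case "$1" in
        ?*@apache.org) return 0 ;;
        *) return 1 ;;
    esac
}

# Stand-alone demo on the constructed sample.
printf 'Authors without an ICLA on file (address commits):\n'
printf '%s\n' "$SAMPLE_LOG" | uncovered_authors "$ICLA_ROSTER"
```

In a clone, `git log --format='%an <%ae>' | author_counts` replaces the constructed sample, and `git log --format='%an <%ae>' | uncovered_authors "$(cat roster.txt)"` answers the first question. For the second question, which lines still come from an uncovered author, `git blame -e <file>` prints the author address next to every line and can be grepped for the addresses this script reports.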