[antlr-interest] pull requests at github

Kyle Ferrio kferrio at gmail.com
Wed Jul 11 16:29:17 PDT 2012


Right.  That's the caveat I tried to convey: somehow the signoff has to
"sum over" the certificate -- either verbatim or by reference to an
auditable artifact like a specific version of a cert under revision control.

One way to do this -- and there might be an easier way which is not so hard
as to discourage contributions -- would be to as you say assign each
potential contributor a GUID which could be, say SHA512 over the
concatenation of the contributor's email address and the text of the
current cert language.  GUID = SHA512(contributor_github_username +
contrib_email + cert_latest).  This GUID need only be generated once by
each contributor whenever one of the three "factors" changes since their
last pull request.  Since both the email and github username of every
contributor are typically public, anyone with read-access to the revision
history of certificates could verify the authenticity.  Non-repudiation is
as good as github's ability to secure accounts; if github is compromised,
all bets are off anyway.

As I recall, you're having the ANTLR site revamped.  It should not be hard
to add a form which pulls the latest cert from github and computes the hash
for the user.  The same tool could be used by anyone to quickly
authenticate hashes.  All open, nothing up your sleeve.  I actually
implemented a slightly more sophisticated system in a webapp I created to
facilitate trusted data-exchange between certain of my clients.  Aw shucks,
I forgot to patent it.  :)

Kyle

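An added example in Python (not code from the thread or from the ANTLR project) of the GUID scheme described above: it computes SHA-512 over the username, email and cert text, checks a submitted GUID against every revision of the certificate, and accepts a pull request only for the latest revision. It assumes a newline separator between the three factors, where the mail concatenates them directly, and uses constructed cert texts in place of the real agreement.

```python
import hashlib
import hmac

# Constructed sample revisions of the contributor certificate, standing in for
# the real text kept under revision control (not the ANTLR agreement itself).
CERT_HISTORY = [
    "v1: I certify that I have the right to submit this contribution.",
    "v2: I certify that I have the right to submit this contribution "
    "and license it under the BSD license.",
]


def contributor_guid(github_username, email, cert_text):
    """SHA-512 over the three factors named in the thread: GitHub username,
    email address and the text of the current certificate.

    Assumption: a newline separates the factors. The mail concatenates them
    directly, which leaves the boundary between username and email ambiguous;
    a separator that cannot occur inside either field removes that ambiguity.
    """
    material = "\n".join([github_username, email, cert_text]).encode("utf-8")
    return hashlib.sha512(material).hexdigest()


def cert_version_for(guid, github_username, email, cert_history):
    """Recompute the digest against every revision of the certificate and
    return the index of the revision the GUID was derived from, or None.

    Anyone with read access to the cert history can run this, because the
    username and email are public. What a match proves is that the GUID binds
    this identity to that cert version; that the account holder computed it
    rests, as the mail says, on the security of the submitting GitHub account.
    """
    for index, cert_text in enumerate(cert_history):
        candidate = contributor_guid(github_username, email, cert_text)
        if hmac.compare_digest(candidate, guid):
            return index
    return None


def accepted_for_pull_request(guid, github_username, email, cert_history):
    """Gate for a pull request: the GUID must match the latest revision, so a
    contributor who hashed an older version regenerates once the agreement
    evolves (footnote [3] in the thread)."""
    version = cert_version_for(guid, github_username, email, cert_history)
    return version == len(cert_history) - 1
```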

On Wed, Jul 11, 2012 at 4:00 PM, Terence Parr <parrt at cs.usfca.edu> wrote:

> So it looks like the intentions of the sign off line
>
> Signed-off-by: Random J Developer <random at developer.example.org>
>
> would go into the commit message so that it stays in the repository, as
> opposed to the pull request, right?
>
> apparently then there is an assumption that random J developer agrees with
> the developer's certificate of origin, but I don't like that from a legal
> point of view. I prefer something like
>
> Developer-certificate-of-origin: [link to contributors license]
> Signed-off-by: Random J Developer <random at developer.example.org>
>
> that way, there is no doubt that the signatory understood what they are
> swearing to.
>
> Ter
> On Jul 11, 2012, at 3:48 PM, Kyle Ferrio wrote:
>
> > Ter & Kirby,
> >
> > I like simple [1], and when simple is not-so-simple I like to shift the
> > burden off people like me because I know how attentive I am to bookkeeping
> > when I'm in the flow.
> >
> > As I understand git's signoff feature [2], it applies a non-repudiatable
> > stamp.  That's a good feature and speaks to Ter's "contributor hashcode"
> > concept.  So if the signoff also -- and this is key -- includes or
> > encapsulates (e.g. with a message digest) the agreement or the
> > version-number of the agreement [3] then I think we're golden.
> >
> > [1] hat-tip to Oliver aka Dr. Simple.
> > [2] which is to say, not at all.
> > [3] It would be a mistake to assume the agreement will never evolve.
> >
> > Kyle
> >
> >
> > On Wed, Jul 11, 2012 at 3:30 PM, Kirby Bohling <kirby.bohling at gmail.com> wrote:
> >
> >> I'm not sure if this workflow will work for you.  As I understand it, git
> >> includes the "--signoff" feature.  I'm not sure I understand all the
> >> details, but I know it is essentially to help facilitate that everything
> >> was done in good faith, and there is a provenance review of all code going
> >> into the Linux kernel.  It might be worth investigating if that can be used
> >> as a template for implementation, or piggybacked upon directly.
> >>
> >>
> >>
> >> http://stackoverflow.com/questions/1962094/what-is-the-sign-off-feature-in-git-for
> >>
> >> Kirby
> >>
> >>
> >>
> >>
> >> On Wed, Jul 11, 2012 at 5:25 PM, Terence Parr <parrt at cs.usfca.edu> wrote:
> >>
> >>> Hi Kyle,
> >>>
> >>> Interesting. So, in the commit message, they would have a link or
> >>> something to a certificate of origin.  Maybe once they've made the commit,
> >>> they can go to the ANTLR site and submit the commit hash to a website where
> >>> they can click "I give the rights etc." which gives them another SHA1 hash
> >>> or something that combines their user information with the commit hash.
> >>> They can then add this to their commit message or perhaps simply in the
> >>> pull request instead of the commit.
> >>>
> >>> Maybe I should just create a hash for each new contributor, that's sort of
> >>> like their current generator ID. Then, they can simply include this in
> >>> their pull request and I can check against my ID list.
> >>>
> >>> Ter
> >>>
> >>> On Jul 11, 2012, at 2:20 PM, Kyle Ferrio wrote:
> >>>
> >>>> It would be nice to have a permanent, easily auditable yet unobtrusive
> >>>> record of contributor testimony.  There is such a mechanism: the commit
> >>>> log.  It would be easy for any GitHub user to include a link to the contrib
> >>>> agreement in a commit message on his branch before calling for a pull.
> >>>> Ideally this would be done with a standardized meta-tag to make it easy for
> >>>> the person (or machine) accepting the pull request.
> >>>>
> >>>> I agree that it would be great if GitHub would add this to the pull request
> >>>> itself.
> >>>>
> >>>> Kyle
> >>>> On Jul 11, 2012 1:25 PM, "Terence Parr" <parrt at cs.usfca.edu> wrote:
> >>>>
> >>>>> Usually, these pull requests are one-offs so a click-wrap license would be
> >>>>> ideal. Those that continue to contribute could sign the full meal deal.
> >>>>>
> >>>>> Hmm…yeah, maybe you're right. We need a page that covers all pull requests
> >>>>> from a particular account.
> >>>>>
> >>>>> It would be nice to have a link or text in each committed pull request to
> >>>>> show the certificate of origin. Any ideas there?
> >>>>>
> >>>>> Ter
> >>>>> On Jul 11, 2012, at 1:13 PM, Sam Harwell wrote:
> >>>>>
> >>>>>> Generally, you'd have someone send you a signed consent form, separate from
> >>>>>> the pull request itself, that covers "pull requests sent to the ANTLR
> >>>>>> project from account ____" owned by that person. If you get a pull request
> >>>>>> from someone who doesn't already have that agreement in place, send them a
> >>>>>> message that you need the consent form before being able to consider the
> >>>>>> request.
> >>>>>>
> >>>>>> --
> >>>>>> Sam Harwell
> >>>>>> Owner, Lead Developer
> >>>>>> http://tunnelvisionlabs.com
> >>>>>>
> >>>>>> -----Original Message-----
> >>>>>> From: Terence Parr [mailto:parrt at cs.usfca.edu]
> >>>>>> Sent: Wednesday, July 11, 2012 3:05 PM
> >>>>>> To: ANTLR interest
> >>>>>> Subject: [antlr-interest] pull requests at github
> >>>>>>
> >>>>>> Howdy,
> >>>>>>
> >>>>>> People are now submitting nice pull requests to the ANTLR project software,
> >>>>>> but I have to keep the license clean. That's why I used to accept things
> >>>>>> through the feedback page:
> >>>>>>
> >>>>>> http://www.antlr.org/misc/feedback
> >>>>>>
> >>>>>> or with the contributors license agreement. I submitted a feature request to
> >>>>>> github to add such a license granting clause to the pull requests. They
> >>>>>> like the idea, but I haven't heard back about implementation.
> >>>>>>
> >>>>>> What if we set up a webpage similar to the feedback page (current text
> >>>>>> enclosed at the bottom) with a text box where people can submit a URL to a
> >>>>>> pull request, certifying the origin of the material in that pull request.
> >>>>>> The name/username/email etc. would have to match. Very messy.
> >>>>>>
> >>>>>> As a result of the certificate of origin, I could automatically post a
> >>>>>> comment to the pull request so that it somehow links the certificate.
> >>>>>>
> >>>>>> Does anybody have any process or legal advice?
> >>>>>>
> >>>>>> Ter
> >>>>>>
> >>>>>> Submission certification of origin and rights
> >>>>>>
> >>>>>> By hitting the submit button, you are warranting and representing that you
> >>>>>> have the right to release this code or other content free of any obligations
> >>>>>> to third parties and are granting Terence Parr and ANTLR project
> >>>>>> contributors, henceforth referred to as The ANTLR Project, a license to
> >>>>>> incorporate it into The ANTLR Project tools (such as ANTLRWorks and
> >>>>>> StringTemplate) or related works under the BSD license. (For large new code
> >>>>>> submissions or major new functionality, The ANTLR Project will ask you to
> >>>>>> become an official ANTLR project contributor). You understand that The ANTLR
> >>>>>> Project may or may not incorporate your submission and you warrant and
> >>>>>> represent the following:
> >>>>>> I created this submission. I am the author of all contributed work submitted
> >>>>>> and further warrant and represent that such work is my original creation and
> >>>>>> I have the right to license it to The ANTLR Project for release under the
> >>>>>> BSD license. I hereby grant The ANTLR Project a nonexclusive, irrevocable,
> >>>>>> royalty-free, worldwide license to reproduce, distribute, prepare derivative
> >>>>>> works, and otherwise use this contribution as part of the ANTLR project,
> >>>>>> associated documentation, books, and tools at no cost to The ANTLR Project.
> >>>>>> I have the right to submit. This submission does not violate the rights of
> >>>>>> any person or entity and that I have legal authority over this submission
> >>>>>> and to make this certification.
> >>>>>> If I violate another's rights, liability lies with me. I agree to defend,
> >>>>>> indemnify, and hold The ANTLR Project and ANTLR users harmless from any
> >>>>>> claim or demand, including reasonable attorney fees, made by any third party
> >>>>>> due to or arising out of my violation of these terms and conditions or my
> >>>>>> violation of the rights of another person or entity.
> >>>>>> I have read this and do so certify
> >>>>>>
> >>>>>> List: http://www.antlr.org/mailman/listinfo/antlr-interest
> >>>>>> Unsubscribe:
> >>>>>> http://www.antlr.org/mailman/options/antlr-interest/your-email-address
> >>>>>>
> >>>>>
> >>>>>
> >>>>>
> >>>>
> >>>
> >>>
> >>>
> >>
> >>
> >
>
>

