[PSA] rolling out SignCLA enforcement in CrOS repos


Mike Frysinger

Sep 18, 2018, 5:51:50 PM
to chromium-os-dev
the Chromium contribution checklist [1] has long said to check that people have agreed to our CLA before accepting contributions.  Gerrit now has a knob we can toggle to enforce this for all Chromium OS repos.

we're going to start flipping this bit on CrOS repos and see how it goes.  specifically we'll start with docs/ and make sure our bots are OK with pushing updates to it, and then try flipping the bit in some more repos.  if all goes well, we'll make it the default for all CrOS repos, both external and internal.

if your `repo upload` starts failing or people start seeing failures on bots related to CLAs, feel free to raise it so we can back off on the rollout.

overall progress can be tracked in https://crbug.com/863964
-mike

Mike Frysinger

Sep 24, 2018, 2:04:03 PM
to chromium-os-dev
the docs/ repo didn't blow up, so i've flipped it for platform2 now as a high-traffic repo.  if that goes well, i'll roll it out to the rest.
-mike

Julius Werner

Sep 24, 2018, 5:06:45 PM
to Mike Frysinger, Chromium OS dev
> the docs/ repo didn't blow up, so i've flipped it for platform2 now as a high-traffic repo. if that goes well, i'll roll it out to the rest.

Can you also update the document you linked
(http://dev.chromium.org/developers/contributing-code/external-contributor-checklist)
to make sense for Chromium OS, please? Right now it talks about a
src/AUTHORS file that I have no idea where it actually is. There's no
~/trunk/src/AUTHORS, at least. There is a ~/trunk/AUTHORS that seems
to lie outside of source control (not sure how it got in my chroot)
and looks like it hasn't been written to in decades, is that what this
is talking about? But there's no "wildcard rules" like the
documentation talks about in there either.

Ultimately, I don't feel like I have enough information to understand
this system or know how to help external contributors use it yet. Does
it trigger off some magic AUTHORS in some repo, or does it directly go
to some Google database that tracks signed CLAs? If the latter, are we
still supposed to update some AUTHORS file anyway or can we remove the
directions to do that from the documentation?
https://signcla.corp.google.com/ also seems very hard to use... I can
look up an individual email and get a yes or no answer, but I can't
for example see if there's a wildcard for @companyname.com. Many of
our corporate contributors use multiple email addresses so I expect
this to become a nightmare where nobody knows why they can't commit
something. And what exactly does it trigger off -- the Git author
email address, or committer address, or something else? Many people
like to use private email addresses for open source contributions even
if they're employed at some company, so I see more potential for
trouble there...

Mike Frysinger

Sep 24, 2018, 5:41:05 PM
to Julius Werner, chromium-os-dev
On Mon, Sep 24, 2018 at 5:06 PM Julius Werner <jwe...@chromium.org> wrote:
> the docs/ repo didn't blow up, so i've flipped it for platform2 now as a high-traffic repo.  if that goes well, i'll roll it out to the rest.

> Can you also update the document you linked
> (http://dev.chromium.org/developers/contributing-code/external-contributor-checklist)

this doc is in the Chromium space, so let me talk with them about putting a qualifier on that bullet point in some way

> Ultimately, I don't feel like I have enough information to understand
> this system or know how to help external contributors use it yet. Does
> it trigger off some magic AUTHORS in some repo, or does it directly go
> to some Google database that tracks signed CLAs? If the latter, are we
> still supposed to update some AUTHORS file anyway or can we remove the
> directions to do that from the documentation?
> https://signcla.corp.google.com/ also seems very hard to use... I can
> look up an individual email and get a yes or no answer, but I can't
> for example see if there's a wildcard for @companyname.com. Many of
> our corporate contributors use multiple email addresses so I expect
> this to become a nightmare where nobody knows why they can't commit
> something. And what exactly does it trigger off -- the Git author
> email address, or committer address, or something else? Many people
> like to use private email addresses for open source contributions even
> if they're employed at some company, so I see more potential for
> trouble there...

AUTHORS is purely informative.  it hasn't generally been used on the CrOS side.  i'm indifferent to whether we should change that, but i'd expect that if we did, we should really be autogenerating it rather than manually editing it.  the file lives in chromite/ fwiw.

everything is gated through the signcla website.  if you're working with an external contributor that isn't a partner (i.e. a company that Google has signed an agreement with), then you should just point them to that page and not try to offer any other advice.  if they still have questions, they should follow that doc where it says to contact acco...@chromium.org.

for partners, their account already should be bound to their partner/company status if they want to access internal partner repos.

for Googlers, the point of enabling SignCLA in GoB is so that you don't have to do any manual checking.  people won't even be able to upload CLs anymore when this is turned on.
-mike

Dmitry Torokhov

Sep 24, 2018, 5:51:15 PM
to Mike Frysinger, Julius Werner, Chromium OS dev
Does this extend to 3rd party packages or only software that we hold sole copyright on? I.e. somebody uploads a CL patching udev? And if this requires CLA how would that be different from pulling a random change from udev upstream?

Mike Frysinger

Sep 24, 2018, 5:57:00 PM
to Dmitry Torokhov, Julius Werner, chromium-os-dev
this will apply to all CLs in all repos under http://chromium.googlesource.com/chromiumos/.  so "yes".
-mike 