Preview of a Simpler CLA Process


Signal Linden (Bennett Goble)

Nov 1, 2022, 5:04:00 PM
to OpenSource Mailing List
We're still using the old Contributor License Agreement for BitBucket, but I'd like any meaningful feedback on a new, more modern CLA process that is being considered for projects on GitHub.

First, the terms:


The new license is adapted from Google's CC-BY licensed agreement which is also used by GitLab. Its language is less controlling than the old one. It can also be signed digitally as part of pull requests. (The bot we're going to be using for this: https://github.com/contributor-assistant/github-action) Hopefully this will be simpler than sending signed agreements over via fax and horse-drawn courier.

So far this new CLA is wired up with two repositories on github:

- https://github.com/secondlife/autobuild
- https://github.com/secondlife/python-llsd

If you make a pull request for either of these repositories, you will be prompted to review the CLA and sign it by pasting some text as a comment in the PR. Your signature/account will be captured in a private repository that only Lindens have access to, which means you will only have to do this once. It should be noted that even if the signature repo is private, your PR will still be public.

The less ideal news is that there's no connection between GitHub accounts and Second Life/BitBucket accounts. The simplest way to deal with this is to have everyone sign the new CLA when they submit a PR.

Do the benefits (digital signatures, more contributor-friendly terms, PR integration) outweigh the cost here? I'm hoping the new process will attract folks who have been reluctant to sign the previous contract and reveal a lot of personal information.

---

As a note: no news yet on a cutover date for the viewer on GitHub. The sticking point here is that LL has some complex release and merge behavior that interacts with BitBucket APIs which needs an overhaul. Once we have working releases we will let folks know more about potential timeframes. Hopefully, this will be soon and not "soon!"

-Signal

Henri Beauchamp

Nov 3, 2022, 10:57:19 AM
to Signal Linden (Bennett Goble), OpenSource Mailing List
On Tue, 1 Nov 2022 14:03:49 -0700, Signal Linden (Bennett Goble) wrote:

> So far this new CLA is wired up with two repositories on github:
>
> - https://github.com/secondlife/autobuild
> <https://github.com/secondlife/python-llsd>
> - https://github.com/secondlife/python-llsd
>
> If you make a pull request for either of these repositories, you will be
> prompted to review the CLA and sign it by pasting some text as a comment in
> the PR.

These components are not really subject to pull requests by TPV authors/
contributors...

Is there any way to get to the CLA form in another way, so that we can
see what personal info is requested/required to sign it ?...

Regards,

Henri.

Signal Linden (Bennett Goble)

Nov 3, 2022, 11:15:15 AM
to Henri Beauchamp, OpenSource Mailing List
Hi Henri,


> These components are not really subject to pull requests by TPV authors/ contributors...

One could argue autobuild is, but you're right --TPV developers mostly care about the viewer. :)

> Is there any way to get to the CLA form in another way, so that we can see what personal info is requested/required to sign it ?...

The signing process looks like the images/videos in the contributor-assistant repository's README: https://github.com/contributor-assistant/github-action#demo-for-step-2-and-3

When you create a PR, and have signed the CLA already, you will be asked to sign by posting a specific line of text as a comment. The action will capture your github username, the repository, PR number, comment ID and timestamp.

Signal Linden (Bennett Goble)

Nov 3, 2022, 11:20:21 AM
to Henri Beauchamp, OpenSource Mailing List
Slight typo:

* When you create a PR, and have not signed the CLA already, you will be asked...

Henri Beauchamp

Nov 3, 2022, 2:57:10 PM
to Signal Linden (Bennett Goble), OpenSource Mailing List
On Thu, 3 Nov 2022 08:15:02 -0700, Signal Linden (Bennett Goble) wrote:

> Hi Henri,
>
> > These components are not really subject to pull requests by TPV authors/
> > contributors...
>
> One could argue autobuild is

Not for my viewer, no... It does not use it at all (its build system is
standalone and only uses plain cmake and python scripts, which are part of
the viewer sources). :-P

> The signing process looks like the images/videos in the
> contributor-assistant repository's README:
> https://github.com/contributor-assistant/github-action#demo-for-step-2-and-3
>
> When you create a PR, and have signed the CLA already, you will be asked to
> sign by posting a specific line of text as a comment. The action will
> capture your github username, the repository, PR number, comment ID and
> timestamp.

So, there is no personal (private) details/data asked ? Just the github
account "linking" ? No restriction either on the said github account
(like the need to give-up personal data to github.com for that account) ?

Henri.

Signal Linden (Bennett Goble)

Nov 3, 2022, 3:08:45 PM
to Henri Beauchamp, OpenSource Mailing List
> So, there is no personal (private) details/data asked ?

That's correct. Just the GitHub account name which is already associated with the PR.

Henri Beauchamp

Nov 3, 2022, 3:21:34 PM
to Signal Linden (Bennett Goble), OpenSource Mailing List
On Thu, 3 Nov 2022 12:08:32 -0700, Signal Linden (Bennett Goble) wrote:

> >
> > So, there is no personal (private) details/data asked ?
>
>
> That's correct. Just the GitHub account name which is already
> associated with the PR.

Great, thanks !

Now, to wait for the migration of the viewer repo to github... :-D

Regards,

Henri.