[OpenStack-Infra] Better Corporate CLA management

Clark Boylan cboylan at sapwetik.org
Fri Mar 13 17:16:13 UTC 2015


On Thu, Mar 12, 2015, at 05:41 PM, Stefano Maffulli wrote:
> hello folks,
> 
> We would like to provide a greater degree of freedom to individuals who
> contribute on behalf of corporations who signed the Corporate CLA. By
> allowing corporate managers to maintain list of their authorized
> contributors we may be able to remove the need for every individual to
> sign an iCLA. 
> 
> Currently, corporate managers sign the CCLA on echosign and provide a
> list of approved contributors on the "Schedule A". That list is kept
> only as an archived 'paperwork' since it's not machine readable. OTOH to
> make sure that we have a track of who is authorized to commit code, we
> require every individual to sign the iCLA whether their name is in a
> Schedule A or not. This has been confusing a lot of people, creates
> unnecessary manual work and duplication of information.
> 
> How would the infra team suggest we tackle this problem?
> 
Based on the success of projects self managing third party CI voting
rights, I think we can solve this in a way very similar to how Gerrit
does it for contributions to Gerrit itself.

For each company that has signed a CCLA two groups would be created in
gerrit:
* companyname-ccla-owner, this group would be self owned and have
membership of company representatives that decide who can push to
Gerrit.
* companyname-ccla-members, this group would be owned by
companyname-ccla-owner and its membership would include those users who
can push to Gerrit.
Then each companyname-ccla-members would be added to the super group for
all CCLA signers.

This will give companies greater tracking over who is covered by their
CCLA and remove the need for the ICLA as a proxy for that.

The one hurdle we need to get over is delegating the group creation,
initial ownership and membership config, and addition to the super CCLA
group to a group that isn't the Gerrit admins. I don't want to become
the bottleneck that has to decide when a CCLA is properly signed.

Options for this:
1. Potentially Gerrit ACLs could be made rich enough to delegate these
activities to groups other than Gerrit admins (perhaps Zaro can comment
on this).
2. We could write a tool that used a serialized set of group info and
enforced that in Gerrit. Then have a repo for this data whose core team
was able to validate the CCLA process is complete before updating Gerrit
via updates to this repo.

Thoughts? Particularly interested in thoughts on the two options just
above and any other ideas people may have to tackle that particular
implementation detail.

Clark
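Option 2 from the message above, sketched as an added example that is not part of Clark's mail or of any OpenStack-Infra tool: a reconciliation step that reads the serialized group data the proposed data repo would hold, compares it against a snapshot of Gerrit's current groups, and emits the actions an operator would then apply through Gerrit's group API. The `ccla-signers` super group name, the JSON layout, the company names and the Gerrit snapshot are all constructed assumptions; stale company groups are reported for review rather than deleted, since a lapsed CCLA is a human decision.

```python
import json

# Constructed desired state, as the data repo's core team would commit it
# after validating that each company's CCLA paperwork is complete.
DESIRED_JSON = """
{
  "super_group": "ccla-signers",
  "companies": {
    "examplecorp": {"owners": ["alice"], "members": ["alice", "bob"]},
    "othercorp":   {"owners": ["carol"], "members": ["dave"]}
  }
}
"""

# Constructed snapshot of current Gerrit groups (name -> owner, direct
# user members, included sub-groups), simplified from what the group
# REST endpoints would return.
CURRENT_STATE = {
    "ccla-signers": {"owner": "Administrators", "members": set(),
                     "includes": {"examplecorp-ccla-members"}},
    "examplecorp-ccla-owner": {"owner": "examplecorp-ccla-owner",
                               "members": {"alice"}, "includes": set()},
    "examplecorp-ccla-members": {"owner": "examplecorp-ccla-owner",
                                 "members": {"alice", "eve"}, "includes": set()},
    "defunctcorp-ccla-members": {"owner": "defunctcorp-ccla-owner",
                                 "members": {"frank"}, "includes": set()},
}


def load_desired(text=DESIRED_JSON):
    return json.loads(text)


def plan(desired, current):
    """Return the ordered list of (action, target, value) tuples needed to make
    Gerrit match the serialized data. Nothing is applied here."""
    actions, super_group, known = [], desired["super_group"], set()
    for company, spec in sorted(desired["companies"].items()):
        owner, members = f"{company}-ccla-owner", f"{company}-ccla-members"
        known.update((owner, members))
        # Owner group is self-owned; members group is owned by the owner group.
        for name, owner_of in ((owner, owner), (members, owner)):
            grp = current.get(name)
            if grp is None:
                actions.append(("create_group", name, owner_of))
                grp = {"owner": owner_of, "members": set(), "includes": set()}
            elif grp["owner"] != owner_of:
                actions.append(("set_owner", name, owner_of))
            want = set(spec["owners"] if name == owner else spec["members"])
            actions += [("add_member", name, u) for u in sorted(want - grp["members"])]
            actions += [("remove_member", name, u) for u in sorted(grp["members"] - want)]
        if members not in current.get(super_group, {}).get("includes", set()):
            actions.append(("include_group", super_group, members))
    # Company groups present in Gerrit but absent from the data: flag, never delete.
    for name in sorted(current):
        if name.endswith(("-ccla-owner", "-ccla-members")) and name not in known:
            actions.append(("review_orphan", name, None))
    return actions
```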
