[openstack-dev] [puppet] [fuel] more collaboration request

Dmitry Borodaenko dborodaenko at mirantis.com
Fri Jun 12 20:38:31 UTC 2015


On Fri, Jun 12, 2015 at 01:23:28PM -0700, James Bottomley wrote:
> However, the commit history is vital to obtaining the provenance of the
> code.  If there's ever a question about who authored what part of the
> code (or worse, who copied it wrongly from a different project, as in
> the SCO suit against Linux) you need the commit history to establish the
> chain of conveyance into the code.  If we lose this, the protection of
> the OpenStack CLA and ICLA will be lost as well (along with any patent
> grants that may have been captured) because they rely on knowing where
> the code came from.  So in legal hygiene and governance terms, you're
> not free to flush the commit history without setting up the project for
> provenance problems on down the road.

This kind of provenance is currently provided by including sha1 id of
the upstream commit from which the module was imported. That gives you
enough information to a) confirm that the imported version of the code
exactly matches the referenced version in upstream git, and b) use
upstream git commit history to further track down origin of any imported
line of code. Yes, a hassle, but at least the track is not lost.

-- 
Dmitry Borodaenko



More information about the OpenStack-dev mailing list