About 'How to Contribute' page

[jihoon-seo]

While reviewing #1888, I found some points that it would be great for maintainers to discuss.

1. The guide says that contributors need to sign the Linux Foundation CLA, but currently this repo (cncf/glossary) is not requiring LF CLA to contributors. → My suggestion: if we will not require LF CLA to the Glossary contributors, then let's remove this part from our guide.
2. The guide says that contributors need to verify their commit signature, and that link leads to GitHub's 'About commit signature verification' guide. (Our guide also says that contributors enable vigilant mode in their GitHub account to display the “Verified” status on their commits.) In that GitHub guide, it says that a commit or tag will be displayed as "Verified" only when it has a GPG, SSH, or S/MIME signature. If a contributor open a PR using GitHub web UI, then the commits in the PR automatically has GPG sign, (example) but this does not apply to most of commits created in the contributors' local dev environments (I mean, the commits will not have GPG, SSH, or S/MIME signature, unless the contributor explicitly signs.), (example) so the commits that are created in the contributors' local dev environments will be displayed with no verification status, or even "Unverified", if the contributor enables "Vigilant mode" in GitHub settings (which flags unsigned commits as unverified). This is not desirable, because the commits created in the contributors' local dev environments are also legit commits even though they do not have a GPG, SSH, or S/MIME signature. And since this repo (cncf/glossary) is requiring just DCO signs for commits, so we can consider the commit legit as long as it has a DCO sign. → My suggestion: because the commit verification badge of GitHub UI has nothing to do with our current requirement on signing commits (DCO), so let's rewrite this part to guide about DCO signing.

Maintainers PTAL!

[seokho-son]

@jihoon-seo Regarding the LF CLA, I think it is worth to mention it even if we don't currently verify it. I guess we need to apply EasyCLA to the Glossary as well as other repositories in CNCF organization. (but, not sure) @cjyabraham do we have a plan or guidance for using EasyCLA to check signed CLA? (or should we check it with anyone else?)

[cjyabraham]

Hi @seokho-son, I'm not too up-to-date on how these work. Perhaps @jeefy or @amye could offer an answer?

[amye]

Projects can choose CLA or DCO, CNCF doesn't have a preference. I will defer back to the project for your own governance around this!

[caniszczyk]

CNCF doesn't have a preference but DCO is generally "lower barrier to entry" (no legal paperwork involved)

On Thu, May 11, 2023 at 8:04 AM Amye Scavarda Perrin < @.***> wrote:

Projects can choose CLA or DCO, CNCF doesn't have a preference. I will defer back to the project for your own governance around this!

— Reply to this email directly, view it on GitHub https://github.com/cncf/glossary/issues/2017#issuecomment-1544160490, or unsubscribe https://github.com/notifications/unsubscribe-auth/AAAPSIJFD6S2ZUTYZGOULDLXFT5ZDANCNFSM6AAAAAAX5TMERY . You are receiving this because you are subscribed to this thread.Message ID: @.***>

-- Cheers,

Chris Aniszczyk https://aniszczyk.org

[seokho-son]

Thanks @amye @caniszczyk for the clarification! I prefer lower barrier to entry. :)

Hi @jihoon-seo

• Regarding the CLA, I agree with your suggestion : if we will not require LF CLA to the Glossary contributors, then let's remove this part from our guide. (let's remove!)
• Regarding the commit signature verification, I prefer your suggestion too. I'd like to check other maintainers opinion. :)

[seokho-son]

Hi @jihoon-seo Since there is no additional opinions from other maintainers, let's proceed it according to the agreement. Could you implement it? :)

[kumarankit999]

I Can also help with this! Involve me if any help is needed!