[Question] How to handle deleted / edited comments?

[vHanda]

Hi. From what I understand this bot will make a commit adding a json file with the following info -

{
  "name": "ibakshay",
  "id": 2423423,
  "comment_id": 534534,
  "repoId": 5433,
  "pullRequestNo": 656,
  "createdAt": "2021-01-22T11:13:02Z"
}

How does this handle the case if the comment is later deleted by the user or edited and the older version is deleted?

[ibakshay]

Hi @vHanda, Thank you for reaching out to us. Are you asking about the signature comment from the contributor ?

[vHanda]

Hi @ibakshay . Yes. I'm not sure how this works if the signature comment is deleted or edited.

[ibakshay]

It is a very good question. Unfortunately, this bot doesn't handle this use case yet. So, the CLA GitHub Action workflow won't be triggered If the signature comment from the contributor is deleted or edited. One thing a project admin can do is to directly check on the GitHub UI or with GitHub API If the signature comment is edited. However, that is not possible If the contributor deletes the signature comment. That is not a good sign.

If you have any idea/thoughts on handling this edge case then feel free to pitch in :) .

[vHanda]

Do you know how the normal cla-assistant handles this case?

--

One way to solve it could be to require the user to also post the digital signature (using pgp) in the comment. And requiring the user to have their public key on a pgp key-exchange server. Or maybe use something like keybase.

What worries me about all these solutions is that I don't know what is or isn't legally acceptable. Especially in different countries.

[ibakshay]

Do you know how the normal cla-assistant handles this case? In normal CLA instance, the contributors will be navigated to a seperate web page and contributors will sign with the click of a button.

One way to solve it could be to require the user to also post the digital signature (using pgp) in the comment. And requiring the user to have their public key on a pgp key-exchange server. Or maybe use something like keybase.

Sounds interesting to me. I will dig deeper into this topic to get further insights. The main idea of CLA assistant lite is to reduce the complexity and to keep things as simple as possible. So, we need to make sure it doesn't get complex.

Also, I forgot to mention before. This CLA assistant lite bot wil also automatically, by default, lock the pull request conversation soon after a pull request is merged.

So, the contributor won't be able to edit/delete the signature comments.

I think this feature answers your question to some extent.

[laurent22]

I wonder if tying the signature to various IDs that may be gone in a few years could cause issues? Maybe that signature should contain the comment that was added by the user, for example:

{
    "name": "laurent22",
    "id": 1285584,
    "comment_id": 1361665980,
    "created_at": "2022-12-21T16:54:13Z",
    "repoId": 79162682,
    "pullRequestNo": 7510,
    "comment": "I have read the CLA Document and I hereby sign the CLA"
}

So there'll be this "comment" field (that will probably be the same for everybody) and then the whole thing will still be valid even if the pull request or repo is gone a few years from now.

Maybe even better, the bot would fetch the user data from the GitHub API and add this to the comment too, so that we have as much info as possible and it will be permanently there. I guess that's an extra step that could be done by us though

[ibakshay]

So there'll be this "comment" field (that will probably be the same for everybody) and then the whole thing will still be valid even if the pull request or repo is gone a few years from now.

Yes, Adding the "comment" field to the signature storage file totally makes sense. Feel free to create a PR or I will do it sometime next week.

Maybe even better, the bot would fetch the user data from the GitHub API and add this to the comment too, so that we have as much info as possible and it will be permanently there. I guess that's an extra step that could be done by us though

What kind of user's metadata would you like to add?

[laurent22]

I just made an API call and I guess these fields would be good, and would help to better identify the user:

{
  "login": "laurent22",
  "id": 1285584,
  "node_id": "MDQ6VXNlcjEyODU1ODQ=",
  "url": "https://api.github.com/users/laurent22",
  "type": "User",
  "name": "Laurent Cozic",
  "company": null,
  "blog": "https://joplinapp.org",
  "location": "London",
  "email": null,
  "bio": null,
  "twitter_username": null,
  "public_repos": 183,
  "public_gists": 9,
  "followers": 1768,
  "following": 8,
  "created_at": "2011-12-26T04:20:45Z",
  "updated_at": "2023-02-19T22:23:47Z"
}

I wish I could help with this, but I won't be able at the moment. I think I'd need to set things up so that I can test properly (for my open PR too), and make myself familiar with GH action syntax

[CalebCurry]

I was curious about this as well and found this issue. Wondering what is preventing a person from disputing a CLA agreement, if they've deleted their original comment? Is there anyway to preserve this info or prove it happened?

[laurent22]

I wonder if a solution would be to post the issue URL to archive.org when the comment is added. Then we could always refer to this to find the original comment

[laurent22]

I thought about another solution: whenever a user signs a pull request, the bot quotes the comment and append a new comment to the pull request:

@someuser signed the pull request on 12/11/24 with the following comment:

I have read the CLA Document and I hereby sign the CLA

Since the comment would have been created by the bot, it won't be possible for anybody but the repo owner to delete it. I'm not sure it would be any easier to implement but thought I'd mention it as I think it would solve the issue too.