Open quanah opened 3 years ago
I can kind of understand "organisation members get a special privilege (not having to sign-off), but to get it, they must prove they're organisation members (with GPG)", but:
If a non-organisation member submits a PR containing commits that falsely claim to be authored by an organisation member:
On the other hand, if a non-organisation member submits a PR and isn't trying to frame an organisation member specifically, then we have no way to confirm whether or not they're actually trying to frame someone else instead. The whole thing is already premised on a trust that the author is who the submitter says they are, which is fine actually; but it seems like if a GPG signature should be required anywhere, it's the "we have no idea who you are" case, not the "is an organisation member" case.
I guess if the whole project is already requiring GPG-signed commits, then the issue becomes academic. But if the project isn't already requiring GPG-signed commits, it feels backwards to suddenly require it here.
+1
I think this should be configurable. I'd love to use this check, but organization membership (because it's governed by external contracts) will be enough to satisfy any legal issues (for my use-case). Ideally then, organization members shouldn't need to jump through extra hoops.
Having an enumeration instead of a boolean would allow people to configure it easily:
members_must_sign_off: "gpg" | "trailer" | "no"
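As an added example (not the DCO bot's own code and not from anyone in this thread), here is one way the proposed enumeration could be implemented as a decision over a PR's commits. The commit record shape, the membership set, and the meaning of the three values are assumptions: "gpg" exempts a member from the trailer only when the commit's signature is verified, "trailer" treats members like everyone else, and "no" exempts members with no proof at all. Non-members always need the trailer.

```javascript
// Added example, not code from the DCO bot or any project in this thread.
// Semantics of the three values, the commit record shape and the membership
// set are assumptions; in practice gpgVerified would be filled from the
// commit's verification status as reported by the hosting platform.

const SIGNOFF_RE = /^Signed-off-by: [^<\n]+ <[^@\s]+@[^>\s]+>\s*$/m;
const POLICIES = new Set(['gpg', 'trailer', 'no']);

function hasSignoffTrailer(message) {
  return SIGNOFF_RE.test(message);
}

// Returns { ok: boolean, reason: string } for a single commit.
function checkCommit(commit, policy, members) {
  if (!POLICIES.has(policy)) {
    throw new Error(`unknown members_must_sign_off value: ${policy}`);
  }
  const signedOff = hasSignoffTrailer(commit.message);
  // authorLogin is whatever the commit claims. Without a verified signature
  // it proves nothing, which is the impersonation concern raised above.
  const claimsMember = members.has(commit.authorLogin);

  if (!claimsMember || policy === 'trailer') {
    return signedOff
      ? { ok: true, reason: 'Signed-off-by trailer present' }
      : { ok: false, reason: 'missing Signed-off-by trailer' };
  }
  if (policy === 'gpg') {
    if (signedOff) return { ok: true, reason: 'Signed-off-by trailer present' };
    return commit.gpgVerified
      ? { ok: true, reason: 'member exemption: verified GPG signature' }
      : { ok: false, reason: 'claims membership but signature not verified' };
  }
  // policy === 'no'
  return { ok: true, reason: 'member exemption: no proof required' };
}

// Returns the SHAs of the commits in a PR that fail the check.
function failingCommits(commits, policy, members) {
  return commits
    .filter((c) => !checkCommit(c, policy, members).ok)
    .map((c) => c.sha);
}

// Constructed sample data (not a real PR or real people).
const MEMBERS = new Set(['alice']);
const SAMPLE_COMMITS = [
  { sha: 'a1', authorLogin: 'bob', gpgVerified: false,
    message: 'Fix typo\n\nSigned-off-by: Bob Builder <bob@example.org>\n' },
  { sha: 'b2', authorLogin: 'bob', gpgVerified: false,
    message: 'Refactor parser\n' },
  { sha: 'c3', authorLogin: 'alice', gpgVerified: true,
    message: 'Bump version\n' },
  // Author field claims alice but nothing verifies it: this is the case
  // where a non-member could be passing a commit off as a member's.
  { sha: 'd4', authorLogin: 'alice', gpgVerified: false,
    message: 'Add feature\n' },
];

for (const policy of POLICIES) {
  console.log(policy, failingCommits(SAMPLE_COMMITS, policy, MEMBERS));
}
```

Running it shows the trade-off the thread is about: under "gpg" the unsigned commit d4 that claims a member's identity fails, under "no" it passes on the strength of the claimed author alone, and under "trailer" the verified member commit c3 fails because membership buys nothing.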
Installed DCO bot for the cyrus projects (https://github.com/cyrusimap/cyrus-sasl and https://github.com/cyrusimap/cyrus-imapd).
Set up the bit so that members should be ignored:
https://github.com/cyrusimap/cyrus-sasl/commit/647f5a46c259afee5bc68c2687bd7715bba50e91
for example. Instead, members must now GPG-sign commits. That seems to be the opposite result of what was intended?