elliefm
commented
3 years ago I can kind of understand "organisation members get a special privilege (not having to sign-off), but to get it, they must prove they're organisation members (with GPG)", but:
If a non-organisation member submits a PR containing commits that falsely claim to be authored by an organisation member:
- the PR submitter/commit author mismatch will already stand out at code review, regardless of the DCO check
- reviewers can trivially verify the authenticity by just asking the org-member alleged author about it over another channel
- the submitter could have trivially succeeded at the DCO check anyway, by making the same fraudulent claim in a Signed-off-by: line? (I'm not certain, I haven't poked this hard.)
On the other hand, if a non-organisation member submits a PR and isn't trying to frame an organisation member specifically, then we have no way to confirm whether or not they're actually trying to frame someone else instead. The whole thing is already premised on a trust that the author is who the submitter says they are, which is fine actually; but it seems like if a GPG signature should be required anywhere, it's the "we have no idea who you are" case, not the "is an organisation member" case.
I guess if the whole project is already requiring GPG-signed commits, then the issue becomes academic. But if the project isn't already requiring GPG-signed commits, it feels backwards to suddenly require it here.
butler54
HalosGhost
Installed DCO bot for the cyrus projects (https://github.com/cyrusimap/cyrus-sasl and https://github.com/cyrusimap/cyrus-imapd).
Set up the bit so that members should be ignored:
https://github.com/cyrusimap/cyrus-sasl/commit/647f5a46c259afee5bc68c2687bd7715bba50e91
for example. Instead, members must now gpg sign commits. That seems to be the opposite result of what was intended?