openssl / project

Tracking of project related issues
2 stars 1 forks source link

Automate CLA submitting #856

Open quarckster opened 3 weeks ago

quarckster commented 3 weeks ago

CLA submission should be automated to avoid manual work. Contributors should just fill a web form without any email interaction as we do now. It will require reorganizing the CLA DB and CLA check workflow. As a reference we can take Google CLA form.

t8m commented 3 weeks ago

Can I sign the Google CLA without a Google account?

A Google account is required to sign the CLA. Google accounts are used to link individual and corporate CLAs to covered contributors and provide authentication for CLA management.

How do you want to authenticate the user submitting a CLA via a web form? Would submitting an unauthenticated web form be at least somehow legally binding action? They could always say, that they did not submit anything.

baentsch commented 3 weeks ago

How many CLAs are processed (per day/month)? How much automation (and proper authentication as per @t8m's comment) effort is it worth saving that? Considering how important having (correct/binding) CLAs is --I just need to re-do a lot of work because of this (not having them for PQ code)-- some manual effort doesn't seem over the top (unless it's indeed dozens of CLAs to be processed per day).

t8m commented 3 weeks ago

I'd say its 5-10 CLAs per month at max.

quarckster commented 3 weeks ago

Would submitting an unauthenticated web form be at least somehow legally binding action?

It's the same legal as we do now, we don't have any authentication for CLA submitting in the current workflow.

They could always say, that they did not submit anything.

The could do the same with the current procedure. We trust our CLA submitters.

t8m commented 3 weeks ago

Yes, but we require them to do the manual steps and we review the PDF they submitted. We do not blindly and automatically fill in the CLA database with data submitted from an unauthenticated form. We also require the confirmation of the CCLA requirement (or not) as a separate second step by e-mailing to the submitter. This also at least requires some form of active behavior on the submitter's side.

So I could imagine some automation here and submission via a web form, but at least we should confirm that at least one of the e-mails of the submitter works and there should be a manual review of the signed PDF before the CLA is accepted.

arapov commented 3 weeks ago

It should be done using DocuSign or a similar service that communicates via email. I expect a human to review the I/CCLA before marking an individual as having completed the CLA.

The goal is to make the process easier for contributors and somewhat easier for us. I don’t expect this process to be entirely automated without requiring human involvement.

t8m commented 3 weeks ago

Yeah, that works. The initial description was oversimplifying things.