spring-io / pivotal-cla

Apache License 2.0

Should we screen PRs by email of each commit? #15

Closed rwinch closed 8 years ago

rwinch commented 8 years ago

Currently we only look at the user who submitted the PR to ensure that that user signed the CLA. This aligns with the current approach for Spring.

However, it is possible that there are commits from someone other than the user that submitted the PR. Should we consider requiring verification that each commit's email address has signed the agreement? If so, what is the workflow to notify these users?

Personally, I'm not very keen on verifying every commit's email address. I think we should word the CLA so that the person submitting the CLA takes responsibility for all the commits of the entire PR.

The only way we can really reach out to each user is to send emails to them directly from our application. This means the application could cause spam to people who do not want to get emails. At the moment all notifications are done through GitHub and only to the user who authenticated so we know that sending them a message is alright. Furthermore, there are settings for notifications that can be modified via GitHub.

rwinch commented 8 years ago

Talking to legal, the answer is no.