Bugzilla permissions - cla_done required?

Karsten 'quaid' Wade kwade at redhat.com
Mon Feb 11 13:18:42 UTC 2008 

On Sun, 2008-02-10 at 23:14 -0500, Jon Stanley wrote:
> Bringing up an old topic here that was recently decided in FESCo[1]
> and also discussed at FUDCon RDU  - escalating to FAB per request.
> 
> As most of you know, I'm leading an effort to relaunch the bug triage
> project.  We had decided that cla_done would be a requirement for a
> few reasons:
> 
> 1)  Ability to use items in release notes, documentation, etc.
>   a)  Although anyone can make a comment on the bug, only folks in the
> 'fedorabugs' group in FAS (which maps to fedora_contrib in bugzilla)
> can set the fedora_requires_release_note flag.   This gets the bug
> special attention from the docs team.
> 2)  Wiki edit access requirement.  In the future this will be going to
> a click-through CLA, which I think is also appropriate for 1.

Here is the most comprehensive guide to how we apply the CLA:

http://fedoraproject.org/wiki/Legal/CLAAcceptanceHierarchies

The cut-off line for GPG-signed is, "Does this contribution go directly
into source control for the distro?"  While the higher level of
assurance is for when a contribution goes directly into a distro, any
contribution needs to be under some kind of agreement.

Bugzilla is not on there for several reasons, as I recall.  The fact
that bugzilla.redhat.com is used by Red Hat for business makes it
difficult for Fedora to dictate the terms of usage.  The Fedora CLA
can't really be a barrier to e.g. getting a bugzilla.r.c account.

Also, bz work falls somewhere between "Mailing list member" and "Wiki
contributor."  The former is a discussion and information exchange, the
later is a contribution of content, such as a patch.

Typically, the bz report itself has served the purpose of making it
clear the patch was a contribution, etc.

For bug triagers, it seems to make sense to, as you say, capture them
with a click-through CLA.  That way we can be assured that content can
then be moved to e.g. source control.

> There's also the argument that signing the CLA is a (minor) technical
> hurdle for new triagers to overcome.  While this is valuable, I also
> think that other things could be used in it's place (open to
> suggestions here) to demonstrate technical ability.

Yes, we hear a lot that it is too difficult.

We've got a good doc on how-to:

http://fedoraproject.org/wiki/DocsProject/UsingGpg

I'm not arguing that it's ideal, but it is a fair barrier at a certain
point.  Maybe not for triagers, though.

> The argument that came to light, and was discussed on
> fedora-devel-list[2] that FAS requires "too much" personal information
> (i.e. home address, phone number, etc) in order to sign up for an
> account and sign the CLA.  Access to bugzilla is controlled via FAS,
> therefore, without an FAS account, access to triage bugs is a
> non-starter.

I'm going to trust Red Hat's lawyers when they say they need that
information in order to have the level of assurance to distribute a
contribution.  If we need to get a hold of a contributor for any
legitimate reason, it'll be a bummer if they really don't live at 123
Main Street, Anywhere, USA.

> So the question here is whether cla_done is required in order to
> belong to the 'fedorabugs' group in FAS?  My vote is 'yes' for the
> reasons listed above for now, revisit with FAS2, as was decided at
> FESCo.

I missed this part.  FESCo has already decided how they want this
handled?  And some folks aren't happy with that situation?

Without FAS2, I don't see a way around this.  That is, I guess something
of a click-through CLA could be hacked up, by why spend the time on that
over finishing FAS2?

- Karsten
-- 
Karsten Wade, Developer Community Mgr.
Dev Fu : http://developer.redhatmagazine.com
Fedora : http://quaid.fedorapeople.org
gpg key : AD0E0C41
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
URL: <http://listman.redhat.com/archives/fedora-advisory-board/attachments/20080211/d0d9d4f9/attachment.sig>

More information about the fedora-advisory-board mailing list