[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Why are so many great packages not trying to get included in GNU Ema

From: Eric Abrahamsen
Subject: Re: Why are so many great packages not trying to get included in GNU Emacs?
Date: Mon, 11 May 2020 12:27:11 -0700
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/28.0.50 (gnu/linux)

The following message is a courtesy copy of an article
that has been posted to gmane.emacs.devel as well.

Clément Pit-Claudel <address@hidden> writes:

> On 11/05/2020 14.57, Eli Zaretskii wrote:>> From: Clément Pit-Claudel
> <address@hidden> Date: Mon, 11 May
>>> 2020 14:51:26 -0400 Cc: address@hidden, address@hidden,
>>> address@hidden, address@hidden,
>>> address@hidden
>>> On 06/05/2020 22.43, Richard Stallman wrote:
>>>> It is not terrible lot of work for people to deal with those
>>>> issues, but I wouldn't assume a simple program can.
>>> These days assignments are signed with PGP keys.  Commits can also
>>> be signed using PGP keys.  Wouldn't that provide an reliable way to
>>> pair up contributors who have assigned copyright with their
>>> contributions?
>> I think you are missing the main point.  The problem is not
>> security, it is correct attribution.
> Sorry, it seems my email was unclear. The proposal doesn't have to do
> with security. I'm trying to find a robust way to figure out if
> someone has copyright papers. Right now Stefan & you can check the
> list, and the rest of us can't, which is a problem for package
> maintainers. Apparently the list can't be made public, so I'm
> suggesting to make public a list of public keys public instead. I was
> not thinking about security.
>> The author of the committed changeset (not the person who does the
>> commit, the author) must be the person who actually wrote the code,
>> not someone else. If that someone else is a real benevolent person, it is 
>> still a
>> problem, because we will make a false presentation that a different
>> person made the change.
> That problem exists regardless of how we check whether someone has
> copyright papers, right?
> What I'm trying to find is a way to check whether I can accept a patch
> into an ELPA package without having to email an Emacs maintainer every
> time.

This is above my paygrade but I'm still on the cc, so... If the
information needs to stay private because it contains PII that
contributors haven't consented to release, would it be possible to set
up something automatic where package maintainers enter an email address,
and the system gives us a plain thumbs up or thumbs down? A webform, an
API endpoint, an automated email address, even something built into

reply via email to

[Prev in Thread] Current Thread [Next in Thread]