sdbusplus commits missing CLA

krtaylor kurt.r.taylor at
Tue Mar 3 05:01:41 AEDT 2020

On 2/23/20 6:14 PM, Andrew Jeffery wrote:
> On Sat, 22 Feb 2020, at 06:40, krtaylor wrote:
>> On 2/20/20 2:35 PM, Patrick Williams wrote:
>>> Kurt,
>> (Not a lawyer)
>>> We have a few commits for the openbmc/sdbusplus repository that have
>>> been floating around in Gerrit since early 2018 and seem to be stuck in
>>> "missing CLA limbo".  It appears that there was some discussion on the
>>> CLA at one point but I don't know what happened to it.  I don't see a
>>> CLA from the Bosch company in the Google Doc folder.
>> I have not received a CLA from Bosch, or an ICLA from the developer(s)
>> referenced.
>>> There was recently a request to revive this work because someone else is
>>> finding it useful (and we've had a feature request open for a long time
>>> on one of them as well).  What options do we, the maintainers, have in
>>> this situation?
>> We cannot accept/merge the code until resolved. If they cannot complete
>> a ICLA/CCLA for this submission, it should be abandoned.
> So "contributors" can DoS the project by authoring patches and not signing
> a CLA?

Never been a problem in any project I've been a part of. But,there are 
plans to make it easier for a maintainer to check (maybe fully automate) 
whether a contributor is part of a CLA group, see "Community Support" 

> What happens if someone forks the repo in question and applies the
> unaccepted patch, and we end up changing the bitbake recipe to point at the

Why would we do that? We can't stop anyone from forking our project, in 
fact most companies that build a product based on OBMC will fork a 
"supported"" version anyway. They can add or remove anything they wish.

> fork? And if that's bad, how is that different to consuming projects that don't
> have a CLA (e.g. Linux, u-boot, qemu etc)?

It still remains the responsibility of the company to accept the risk of 
shipping open source code as a part of their product. This is as old as 
the open source movement itself.

> I feel like this needs a bit more thought...

The CLA protects all participants; companies and individuals. I know for 
a fact that several of our participating companies (if not all) would 
have a big problem with the CLA not being in place. It is up to us as a 
community to incorporate it into our processes, and we have discussed it 
at length. I don't feel like the current policy/process is horrible and 
needs fixing.

What changes would you propose?

Kurt Taylor (krtaylor)

> Andrew

More information about the openbmc mailing list