Re: Why are so many great packages not trying to get included in GNU Emacs?

[Clément Pit-Claudel]

On 12/05/2020 16.17, Alan Third wrote:
> On Tue, May 12, 2020 at 03:48:01PM -0400, Clément Pit-Claudel wrote:
>> Now the problem is reduced to "does the author with this PGP key
>> have an assignment on file"? But this question can be answered in a
>> decentralized way (no need for an API): the FSF can just sign keys
>> instead.
> 
> As if there aren’t enough people complaining about copyright
> assignment, now you want to force everyone to use the horror that is
> PGP/GPG?

No no, not at all!  Definitely not force and definitely not everyone.  I'm 
trying to find a way to allow package maintainers to check copyright 
assignments when they accept patches, that's all.  There are easy cases: for 
Emacs committers like you, the list is already public, so that's no trouble 
(and thus signatures wouldn't be needed).  For others, the signature would be 
one reliable option to determine whether they have papers on file.

But the complexity of PGP is a valid concern.  I operated under the assumption 
that most new contributors sign copyright papers with PGP, and so that PGP was 
a reasonable baseline.

Concretely, how do you handle these cases?  What am I supposed to do, when I 
get a patch, to check if the patch author has an assignment on file?  Surely I 
can't bother Eli every time.  Is it enough to take the author's word for it 
that they have an assignment?  Alan, do you have advice on handling these 
situations?

As an alternative, the attached python script implements a REST API to do the 
checking.  I don't have access to fencepost, so I don't know what format the 
file tracking assignments is — I made a guess about that part.  

(Of course, having an API makes it possible to determine whether a given email 
address has copyright papers on file, but it gives no guarantees against 
impersonation.)

Cheers,
Clément.

fencepost_api.py
Description: Text Data