emacs-devel

Re: Copyright verification service


From: Tim Cross
Subject: Re: Copyright verification service
Date: Tue, 26 May 2020 10:02:26 +1000



On Mon, 25 May 2020 at 17:58, Bastien <address@hidden> wrote:
> Hi Tim,
>
> I've toyed with this idea myself for a while.
>
> I don't know if it is a good idea for the GNU project in general, but
> as someone who sometimes needs to check the copyright status of some
> contributors for Org/Emacs, the current setup is fine for me.

I'm thinking more along the lines that we are successful in establishing an ELPA repository which has a much higher number of packages than the current situation. If we can establish processes that are reasonably efficient and 'low pain', more developers are likely to be prepared to have their package in ELPA rather than MELPA. If this occurs, the current model of providing push rights to the GNU Emacs repository for package developers will not scale and there will be a higher level of maintenance burden placed on a smaller team of maintainers who do have those rights.  

> Although, I don't think authentication would be optional as we should
> by default assume that the list of signed contributors should be kept
> private, shouldn't we?

My idea is that the list does stay private. You cannot see/retrieve the list. All you can do is submit an email address and it will come back with either yes or no (true/false etc.). You would need to know the email address before you can check copyright status. You could add rate limiting to prevent the service being hit with millions of addresses (i.e. someone harvests all the email addresses from the mail list and then tries to determine who has copyright assignment etc).

> If the authentication system is mandatory then it raises the larger
> question of maintaining a system that needs security monitoring, and
> I'm pretty sure the current resources are too scarce for this... but
> maybe not.


I agree. It is a great pity there isn't a GNU identity provider. I actually think that would be a really good service in support of free software. If the FSF was able to establish a stable and reliable identity provider, all those sites which now offer login via Google, Facebook etc. could also offer a free open alternative.

The big problem is, I don't believe the FSF has the resources or skills to do service provisioning. The requirements to provide a reliable service offering are different enough from development of software applications that a whole different group would likely be required. I do wonder if there might be an established organisation who can embrace FSF philosophy and who has the needed skill sets that would be able to provide such a service on behalf of the FSF. There are free and open implementations of identity provider software out there, but nobody is offering it as a service, effectively limiting users who do not want to use closed and potentially evil providers from benefiting from the advantages such services can offer. Either we have to use Google, Facebook, GitHub etc. services or we need to provide our personal info to multiple services for direct access. A free and open identity provider with a strong privacy policy that embodies the FSF philosophy is a critical piece of the puzzle which is currently missing. The growth in service-delivered technologies only makes this gap worse.

 

--
regards,

Tim

--
Tim Cross
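
The yes/no lookup with rate limiting described in the message above, sketched as an added example that is not part of the original email and not code from any GNU or FSF service. Storing only keyed hashes of the addresses, the per-client token bucket, and every name used here are assumptions made for illustration.

```python
import hashlib
import hmac
import time


class CopyrightLookup:
    """Answers yes/no for one address at a time; never returns the list."""

    def __init__(self, key, emails, rate=5, per=60.0, clock=time.monotonic):
        self._key = key
        self._rate, self._per = rate, per  # 'rate' lookups per 'per' seconds
        self._clock = clock
        # Assumption: keep only keyed digests, so the service holds no readable list.
        self._digests = {self._digest(e) for e in emails}
        self._buckets = {}  # client id -> (tokens left, time of last update)

    def _digest(self, email):
        # Assumption: addresses are compared case-insensitively after trimming.
        normalized = email.strip().lower().encode("utf-8")
        return hmac.new(self._key, normalized, hashlib.sha256).digest()

    def _allow(self, client):
        now = self._clock()
        tokens, last = self._buckets.get(client, (float(self._rate), now))
        # Token bucket: refill in proportion to elapsed time, capped at 'rate'.
        tokens = min(self._rate, tokens + (now - last) * self._rate / self._per)
        allowed = tokens >= 1.0
        self._buckets[client] = (tokens - 1.0 if allowed else tokens, now)
        return allowed

    def check(self, client, email):
        """Return True or False for the address, or None when rate limited."""
        if not self._allow(client):
            return None
        return self._digest(email) in self._digests


def demo():
    """Constructed sample data: one assigned address, one client, fake clock."""
    now = [0.0]
    svc = CopyrightLookup(b"constructed-demo-key", ["alice@example.org"],
                          rate=3, per=60.0, clock=lambda: now[0])
    addrs = ("Alice@Example.org", "bob@example.org", "carol@example.org", "alice@example.org")
    answers = [svc.check("client-a", a) for a in addrs]
    now[0] = 20.0  # 20 s later one token has been refilled
    answers.append(svc.check("client-a", "alice@example.org"))
    return answers
```

A throttled request gets `None` rather than an answer, so exceeding the budget never reveals anything about the address that was submitted.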

