Bug 685022 - How should the copyright hook handle branches of external sources?
Status: CONFIRMED
Alias: None
Product: Gentoo Infrastructure
Classification: Unclassified
Component: Git
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Infrastructure
Duplicates: 698454
Blocks: 702696
Reported: 2019-05-04 04:54 UTC by Alec Warner (RETIRED)
Modified: 2022-01-09 11:46 UTC

Description Alec Warner (RETIRED) archtester gentoo-dev Security 2019-05-04 04:54:10 UTC
I see a bunch of projects doing things like

master - Main Gentoo branch of X
origin/XXX - Upstream branch of X

This poses a bit of a problem when folks go to update the origin/XXX branch, because those commits will not be signed or have the DCO; they are literally the upstream commits.

In a similar fashion, when we merge those commits into the master branch, they are literally the upstream commits, so they will also lack a gpg signature or DCO. We could forge a merge commit here, but that seems suboptimal.

One proposal I suggested was to adopt a naming scheme where we basically don't check commits on branches named origin/XXX or if the merge is from origin/XXX to some other branch not under origin/...; essentially exempting these from requiring the DCO.

-A
Comment 1 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2019-05-04 20:38:50 UTC
I agree that the commits should be excluded from the GCO requirement.

1. The mirrored commits are unmodified and can be matched 1:1 to original upstream commits.
2. Upstream GPG signatures on the commits are preserved.
3. Some of the commits might already have a Signed-Off-By header from upstream that signifies acceptance with THAT project's DCO equivalent, that might have different terms than the GCO or Kernel DCO.

I'm not 100% set on the 'origin' name, and want to also know how to track upstreams with multiple repos and branches.

'upstream/$SOMETHING/$BRANCH' ?
Comment 2 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2019-10-27 07:37:29 UTC
*** Bug 698454 has been marked as a duplicate of this bug. ***
Comment 3 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2019-10-27 07:37:57 UTC
Why not just move them to a separate category and disable the hook for all repos there?
Comment 4 John R. Graham gentoo-dev 2019-12-13 16:47:03 UTC
(In reply to Michał Górny from comment #3)
> Why not just move them to a separate category and disable the hook for all
> repos there?

I guess I see it as cleaner organizationally if a project's work can be included in the project's repository as opposed to being split across two different ones. Therefore I like Robin's proposal better. At least I'd like that flexibility.
Comment 5 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2020-01-10 05:59:04 UTC
mgorny:
please review the changes on this branch https://gitweb.gentoo.org/infra/githooks.git/log/?h=branch-selection

Specifically, it makes which git refs enforce GCO configurable.
The default continues to be ALL refs.

mgorny has asked that I also get council approval of this change, since he considers it a policy change as well
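
Added example, not part of the bug thread and not the code on the branch-selection branch: a sketch of ref-selective sign-off checking as discussed in comments 1 and 5, run over a constructed in-memory commit graph instead of a real repository. The `patterns` setting, the `refs/heads/upstream/foo/master` ref name used with it, and all function names are assumptions.

```python
# Added illustration, not code from infra/githooks; all names are hypothetical.
from fnmatch import fnmatchcase

# Constructed commit graph: id -> (parent ids, commit message).
SIGNOFF = "\n\nSigned-off-by: Dev One <dev1@example.org>"
COMMITS = {
    "u1": ((), "upstream: initial import"),
    "u2": (("u1",), "upstream: fix parser"),
    "g1": (("u1",), "Gentoo patch" + SIGNOFF),
    "m1": (("g1", "u2"), "Merge upstream/foo/master" + SIGNOFF),
    "g2": (("m1",), "Gentoo patch pushed without sign-off"),
}

def ancestors(tips):
    """All commits reachable from the given tips, tips included."""
    seen, stack = set(), list(tips)
    while stack:
        commit = stack.pop()
        if commit not in seen:
            seen.add(commit)
            stack.extend(COMMITS[commit][0])
    return seen

def has_signoff(message):
    return any(l.startswith("Signed-off-by: ") for l in message.splitlines())

def enforced(ref, patterns):
    return any(fnmatchcase(ref, p) for p in patterns)

def check_push(ref, old, new, server_refs, patterns=("refs/*",)):
    """Return the pushed commits that fail the sign-off check.

    patterns: globs of refs that enforce sign-off (assumed setting; the
    default matches every ref). old is None when the ref is being created.
    """
    if not enforced(ref, patterns):
        return []  # e.g. a mirrored upstream branch
    # Commits already on the server under non-enforced refs are upstream's
    # own and are not re-checked when merged into an enforced branch.
    exempt = [t for r, t in server_refs.items() if not enforced(r, patterns)]
    known = ancestors(exempt + ([old] if old else []))
    return sorted(c for c in ancestors([new]) - known
                  if not has_signoff(COMMITS[c][1]))
```

With `patterns` limited to the Gentoo branches, whoever can push to the non-enforced refs decides which unsigned commits can later be merged, so push access to those refs needs to be restricted accordingly.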