Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Disabling "sign-off" for members doesn't work, instead requires GPG signatures #153

Open
quanah opened this issue May 5, 2021 · 3 comments

Comments

@quanah
Copy link

quanah commented May 5, 2021

Installed DCO bot for the cyrus projects (https://github.com/cyrusimap/cyrus-sasl and https://github.com/cyrusimap/cyrus-imapd).

Set up the bit so that members should be ignored:

cyrusimap/cyrus-sasl@647f5a4

for example. Instead, members must now gpg sign commits. That seems to be the opposite result of what was intended?

@elliefm
Copy link

elliefm commented May 5, 2021

I can kind of understand "organisation members get a special privilege (not having to sign-off), but to get it, they must prove they're organisation members (with GPG)", but:

If a non-organisation member submits a PR containing commits that falsely claim to be authored by an organisation member:

  • the PR submitter/commit author mismatch will already stand out at code review, regardless of the DCO check
  • reviewers can trivially verify the authenticity by just asking the org-member alleged author about it over another channel
  • the submitter could have trivially succeeded at the DCO check anyway, by making the same fraudulent claim in a Signed-off-by: line? (I'm not certain, I haven't poked this hard.)

On the other hand, if a non-organisation member submits a PR and isn't trying to frame an organisation member specifically, then we have no way to confirm whether or not they're actually trying to frame someone else instead. The whole thing is already premised on a trust that the author is who the submitter says they are, which is fine actually; but it seems like if a GPG signature should be required anywhere, it's the "we have no idea who you are" case, not the "is an organisation member" case.

I guess if the whole project is already requiring GPG-signed commits, then the issue becomes academic. But if the project isn't already requiring GPG-signed commits, it feels backwards to suddenly require it here.

@butler54
Copy link

+1

@HalosGhost
Copy link

HalosGhost commented Aug 19, 2021

I think this should be configurable. I'd love to use this check, but organization membership (because it's governed by external contracts) will be enough to satisfy any legal issues (for my use-case). Ideally then, organization members shouldn't need to jump through extra hoops.

Having an enumeration instead of a boolean would allow people to configure it easily:

members_must_sign_off: "gpg" | "trailer" | "no"

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

4 participants