On 9/23/17 6:12 PM, Craig Russell wrote:
If it is at all possible, I would prefer to start where we left off last time:

https://whimsy.apache.org/test/icla/invite

Here are some specific issues I have with the demo:

1. The email address on the icla needs to come from the user not the pmc.

Per #5 below, the PMC needs to provide the email address for the invite. Given that the user receives this, we have authenticated that the email address works. Perhaps you are suggesting that the user be able to change their email address; but then we get into the possibility of a typo. Note: users can change their email addresses via id.apache.org after the account has been created. How strongly do you feel that users need to be able to change their email address before the account is created?

2. The Full name on the user form needs to show Prefix GivenName FamilyName 
Suffix (easy).

Agreed, easy.

3. I'm still dubious about the acceptability of filling a form having any legal 
weight. Is there a way to ask the user for their gpg credentials and sign the 
generated form?

Only if the user uploads their private key (strongly NOT recommended)

4. Is there a way for the tool to verify that the link refers to a 
[RESULT][VOTE] email?

For things like mail-search.apache.org which uses HTTP authentication, perhaps. For things like pony mail which uses OATH, this isn't possible in general, but we could hard code a number of such services. I will say that the user experience with OATH will likely be suboptimal.

The simplest way to proceed at first is just to capture the email and provide it to you to verify, which you would do simply by clicking on it.

5. The invitation email sent to the user should come from the canonical 
committer invite (easy).

Per above, this requires the inviter to supply an email address.

6. There is no need for "full name" on the pmc invite form. The user will fill 
this field. The name as known by the pmc is just fine (easy).

This is for the "to" address in the invitation. It also is a reasonable default for the public name. I certainly agree that the invitee should be able to override this.

If you feel that the invitee should be able to override the email address, that can be handled the same way: the inviter provides a value, and the invitee can either accept that value as the default or override it.

From previous discussions, there still was substantial interest in
supporting unsolicited ICLAs; such ICLAs can still be processed by
scanning and sending.  Perhaps the template ICLA can be updated to
remove the preferred user id field?

No one has been deterred by the preferred user id field, and at least for the 
foreseeable future we should retain it on the form. Even if the automated 
system is completely functional and totally exceeds expectations it will take 
years for all pmcs to get on board (personal experience).

Ack.

Craig

- Sam Ruby

On Sep 23, 2017, at 1:10 PM, Sam Ruby <ru...@intertwingly.net> wrote:

On Sat, Sep 23, 2017 at 3:48 PM, Craig Russell <apache....@gmail.com> wrote:
Perhaps during ATO we can hack on the ICLA process. There was an attempt a 
couple of years ago but it stalled.

1. It is time consuming for committers to print, sign, scan, and email the 
form. Not every committer has legible handwriting and it can be a challenge to 
read the forms. Digital forms are much better to handle.

2. PMCs don't always follow the guidelines at 
http://community.apache.org/newcommitter.html with the effect that when the 
prospective committer files the ICLA, one or more of the following are missing 
or wrong:

committer id
project
[VOTE][RESULT]

If there is a failure here, it is time consuming to sort who does what, how, 
and when. New committers get a bad impression of Apache when there is a delay 
in processing their new account.

3. Last name first name are still issues. What is Kim Jung Un's first name?

4. Email addresses on the form that differ from the sender's address are a 
challenge. They need to be entered manually.

I envision a process whereby the PMC invites a candidate to fill an online 
form, which generates a digital document, signed by gpg, and which sends mail 
to verify the email address. When the email address is verified, secretary gets 
mail to review the filed document which is then processed as today but with 
nothing to do but verify the document and file it. Secretary hates typing.

I remain leery of processes that allow users to "agree to the terms and conditions 
of a document that you might choose to read" and then grant commit privileges. 
Provenance is still a key legal issue for me.


Craig L Russell
Secretary, Apache Software Foundation
c...@apache.org http://db.apache.org/jdo

- Sam Ruby

Craig L Russell
Secretary, Apache Software Foundation
c...@apache.org http://db.apache.org/jdo
