From mboxrd@z Thu Jan 1 00:00:00 1970 Path: news.gmane.io!.POSTED.ciao.gmane.io!not-for-mail From: =?UTF-8?Q?Cl=c3=a9ment_Pit-Claudel?= Newsgroups: gmane.emacs.devel Subject: Re: Why are so many great packages not trying to get included in GNU Emacs? Date: Tue, 12 May 2020 15:48:01 -0400 Message-ID: References: <9mmFgzvrBwjt_n_VJyaJdXINraNi5HsGpwq-0MLeKiJA7kG2BQA4uywrzjyz7lpRS0OZDpjEi8lspOKYUA7P_QsODsDew_8nbH960G55fmY=@protonmail.com> <87d07xamrg.fsf@ericabrahamsen.net> <878silajdl.fsf@ericabrahamsen.net> <87tv18pyh4.fsf@russet.org.uk> <83blmu9u57.fsf@gnu.org> <7c61a272-f4ba-fdfd-755b-1a720e8cc2df@gmail.com> <838shy9srs.fsf@gnu.org> <7f820b59-ebbc-18c7-9f08-104a7ba88dd2@gmail.com> <834kslao2y.fsf@gnu.org> <052569f9-0571-6471-7a27-f3d7b36497a0@gmail.com> <83sgg58ari.fsf@gnu.org> <837dxh847w.fsf@gnu.org> <834ksl833q.fsf@gnu.org> Mime-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit Injection-Info: ciao.gmane.io; posting-host="ciao.gmane.io:159.69.161.202"; logging-data="15207"; mail-complaints-to="usenet@ciao.gmane.io" User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.7.0 Cc: casouri@gmail.com, rms@gnu.org, eric@ericabrahamsen.net, emacs-devel@gnu.org, monnier@iro.umontreal.ca, ndame@protonmail.com, phillip.lord@russet.org.uk To: Eli Zaretskii Original-X-From: emacs-devel-bounces+ged-emacs-devel=m.gmane-mx.org@gnu.org Tue May 12 21:49:41 2020 Return-path: Envelope-to: ged-emacs-devel@m.gmane-mx.org Original-Received: from lists.gnu.org ([209.51.188.17]) by ciao.gmane.io with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1jYauK-0003r7-QL for ged-emacs-devel@m.gmane-mx.org; Tue, 12 May 2020 21:49:40 +0200 Original-Received: from localhost ([::1]:54266 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1jYauJ-0004Wx-Qi for ged-emacs-devel@m.gmane-mx.org; Tue, 12 May 2020 15:49:39 -0400 Original-Received: from eggs.gnu.org ([2001:470:142:3::10]:49426) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1jYasq-0003QU-GI for emacs-devel@gnu.org; Tue, 12 May 2020 15:48:08 -0400 Original-Received: from mail-qk1-x72a.google.com ([2607:f8b0:4864:20::72a]:46618) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1jYaso-00014y-35; Tue, 12 May 2020 15:48:08 -0400 Original-Received: by mail-qk1-x72a.google.com with SMTP id f83so14935703qke.13; Tue, 12 May 2020 12:48:03 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-language:content-transfer-encoding; bh=VZfJCaKclnmDRabFh2RifatXXxn/4ZOIceMO7678GL4=; b=JSoJkNgfoYpaXi9BZqVaV4cZ5SKRrgVQAVAVO599kEnaPxXZiMr4ZLEZjlKrGs2feM GChxdgC7gBWO8b8hjS4MsYvNRgDit1J5+xj2N2NJMeFl6Jn2B83on/7/tuzwjlnApYrq kyVKB0KqbrjNxylnxJ44MljJXrM11gj4398jwiCU6SCFb1zG4BLzjwdjjlnA9dU6wQWL M1BskWA+HwPBDuzULuNmaMwG8fDeDMi7qvsmVKRzECW1avRrQE1CQEQwfciIBCrOVq5M UeRwtKthnc6QbPoW0kYBgeFwJUUcn/IczHy8k8gIWAXpUYP108PETX7BPoz4meJgvMyW b9Yg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=VZfJCaKclnmDRabFh2RifatXXxn/4ZOIceMO7678GL4=; b=d5djn8w63DoDPB4lF1N/6SJ1060RYs0A6HlTuggRRBBz7MXRVeQ2c1mw9gsMbzH5nS IWpux2g4IgnAZ4UpSTpghSgWC0SF0dqwtptqWmx7Sp7ng8qhsaSzWY4eC/VnHZPCbmez 9Cma5vQQ0ufd98/IwAnfhpV8KDk4yE9XhO2PGLqGXRjHEVKYctNh4GG+nnJyFX5I4Cv6 oNAuZn5i+9cgToE7MpagXuop/+6JAry40Kyvr+mRbnQcYQviByX6v5lTPy2FbToLqfnr +euHBXhu4dtGm5t9l8/d4BW8zDO4BhH+2+TG8WKOamPiM8W71Gi0hrPg6kLjSs1cZZ5x +qVg== X-Gm-Message-State: AOAM531pZA6Gh9K5rx4DQNWFI8J/gVZYQLcDZXIqOxhy/k1dfpKcG3Ol SxdwOkurQ89/H8txEmehVyM= X-Google-Smtp-Source: ABdhPJw1U/EjEz1Be6P48IwlciMte/DywTx+cUrChIy0b5kcRkyx6yb04f7JqNvGxAYE8D4CC412dA== X-Received: by 2002:a37:9fc6:: with SMTP id i189mr4298384qke.257.1589312883034; Tue, 12 May 2020 12:48:03 -0700 (PDT) Original-Received: from ?IPv6:2601:184:4180:66e7:4d17:b25e:8d9:2188? ([2601:184:4180:66e7:4d17:b25e:8d9:2188]) by smtp.googlemail.com with ESMTPSA id a12sm11643800qko.103.2020.05.12.12.48.01 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Tue, 12 May 2020 12:48:02 -0700 (PDT) In-Reply-To: <834ksl833q.fsf@gnu.org> Content-Language: en-GB Received-SPF: pass client-ip=2607:f8b0:4864:20::72a; envelope-from=cpitclaudel@gmail.com; helo=mail-qk1-x72a.google.com X-detected-operating-system: by eggs.gnu.org: No matching host in p0f cache. That's all we know. X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001 autolearn=_AUTOLEARN X-Spam_action: no action X-BeenThere: emacs-devel@gnu.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "Emacs development discussions." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: emacs-devel-bounces+ged-emacs-devel=m.gmane-mx.org@gnu.org Original-Sender: "Emacs-devel" Xref: news.gmane.io gmane.emacs.devel:250034 Archived-At: On 12/05/2020 13.39, Eli Zaretskii wrote: >> Cc: rms@gnu.org, phillip.lord@russet.org.uk, >> eric@ericabrahamsen.net, casouri@gmail.com, emacs-devel@gnu.org, >> monnier@iro.umontreal.ca, ndame@protonmail.com From: Clément >> Pit-Claudel Date: Tue, 12 May 2020 13:26:37 >> -0400 >> >>>> My proposal is that this API should be the FSF signing public >>>> keys >>> >>> I don't think I follow. FSF is not a piece of software and not >>> an API. It is an organization. How can an organization be an >>> API? >> >> With the scheme I propose, you don't need an API any more, I think >> (for properly signed commits). > > Now I'm completely confused: what scheme are you proposing? Can you > describe it in more detail? Yes, of course. One problem with have when integrating external packages is that we have many commits whose copyright status is unclear: who wrote them? Does the FSF have a copyright assignment for that person? Currently, the way you answer such a question is that you look at the commit, try to determine the author, and check a list of people who have assigned copyright to see if the author is in it. This process is cumbersome, because few have access to the list. One way to make it smoother is to add an API that gives access to that list. Another strategy, which doesn't solve the problem for past commits but could help for future commits, is to embed that information into commits. Something like adding a line in the commit saying "I-have-assigned-copyright: Yes". Of course, just adding that line doesn't prove anything: we want to make sure that we do have an assignment for that commit. So, instead of adding a line, the author could sign the commit with their PGP key, saying "all these changes are mine or from sources owned by FSF" (a bit like a developer certificate of origin). Now the problem is reduced to "does the author with this PGP key have an assignment on file"? But this question can be answered in a decentralized way (no need for an API): the FSF can just sign keys instead. Indeed, currently, when you assign copyright to the FSF, you sign a document with a GPG key. The FSF could sign that key to indicate "we have received copyright papers for this author". Then, to verify "do we have papers for the author of this commit", anyone could check "is this commit signed with a key signed by the FSF"? As a package maintainer, I wouldn't have to ever check fencepost to verify assignments when I receive patches. Instead, the way I check that someone has an assignment on file is by asking them to sign their commit with an FSF-signed key. Does it make sense? Clément.