On 12/05/2020 16.17, Alan Third wrote:
> On Tue, May 12, 2020 at 03:48:01PM -0400, Clément Pit-Claudel wrote:
>> Now the problem is reduced to "does the author with this PGP key
>> have an assignment on file"? But this question can be answered in a
>> decentralized way (no need for an API): the FSF can just sign keys
>> instead.
>
> As if there aren’t enough people complaining about copyright
> assignment, now you want to force everyone to use the horror that is
> PGP/GPG?

No no, not at all! Definitely not force and definitely not everyone.
I'm trying to find a way to allow package maintainers to check copyright assignments when they accept patches, that's all.

There are easy cases: for Emacs committers like you, the list is already public, so that's no trouble (and thus signatures wouldn't be needed). For others, the signature would be one reliable option to determine whether they have papers on file.

But the complexity of PGP is a valid concern. I operated under the assumption that most new contributors sign copyright papers with PGP, and so that PGP was a reasonable baseline.

Concretely, how do you handle these cases? What am I supposed to do, when I get a patch, to check if the patch author has an assignment on file? Surely I can't bother Eli every time. Is it enough to take the author's word for it that they have an assignment? Alan, do you have advice on handling these situations?

As an alternative, the attached Python script implements a REST API to do the checking. I don't have access to fencepost, so I don't know what format the file tracking assignments is — I made a guess about that part.

(Of course, having an API makes it possible to determine whether a given email address has copyright papers on file, but it gives no guarantees against impersonation.)

Cheers,
Clément.