#289 Standardize the usage of GPG as an electronic signature

Open
opened 1 month ago by kreyren · 5 comments
kreyren commented 1 month ago

Many projects require contributors to sign a Contributor License Agreement (CLA), which on GitHub is usually a painful process that discourages contribution, as it requires lots of personal information (personal experience).

Other than a CLA, projects might require a Non-Disclosure Agreement (NDA) to allow contributors access to the source code or other documents. (This could in theory help proprietary companies get used to releasing their source code.)

I think we should consider implementing a UI that would simplify this process without the need for said personal information, so that GPG would be recognized as a valid signature.

Handling of the identification

Please decide and propose more options.

Codeberg keeps these confidential provided only to specified parties when legally required

To avoid leaking personal information as a requirement for a valid signature, Codeberg could store legal documents holding the legal information of the individual and provide them only in specified situations, i.e. when requested by law enforcement, who would be required to sign an NDA not to release the information.

Other option

TBD

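How the proposal could work mechanically, as an added example that is not part of this issue and not Codeberg or Gitea code: the contributor clearsigns the CLA text with the GPG key registered on their account, and the platform verifies the clearsigned file and records only the signing fingerprint and the CLA version, no personal details. The identity, key, CLA text and file names are constructed for the example; it assumes GnuPG 2.x is installed and runs in a throwaway GNUPGHOME.

```shell
#!/bin/sh
# Added example, not Codeberg/Gitea code: a contributor clearsigns a CLA text
# with a GPG key; the platform verifies the signature and keeps only the
# signing fingerprint. Assumes GnuPG 2.x; runs in a throwaway GNUPGHOME.
set -eu

WORK=$(mktemp -d)
export GNUPGHOME="$WORK/gnupg"
mkdir -m 700 "$GNUPGHOME"
trap 'gpgconf --kill all >/dev/null 2>&1 || true; rm -rf "$WORK"' EXIT

# Contributor side: a constructed (hypothetical) identity and an unattended,
# passphrase-less Ed25519 signing key standing in for the key on the account.
gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-generate-key 'Example Contributor <contributor@example.invalid>' ed25519 sign 0 2>/dev/null
FPR=$(gpg --batch --with-colons --list-keys 2>/dev/null | awk -F: '$1 == "fpr" { print $10; exit }')

# Constructed CLA text. A real platform would store a hash of the exact text
# version that was signed next to the fingerprint and a timestamp.
cat > "$WORK/cla.txt" <<'EOF'
Example Project Contributor License Agreement, version 1.0
I grant the project a licence to my contributions under the terms above.
EOF

# Clearsign: the text stays readable and the signature is appended inline.
gpg --batch --quiet --clearsign --local-user "$FPR" \
    --output "$WORK/cla.txt.asc" "$WORK/cla.txt" 2>/dev/null

# Platform side: verify and extract the signer fingerprint from the
# machine-readable status lines ("[GNUPG:] VALIDSIG <fpr> ..."), never from
# the human-oriented stderr text. Prints the fingerprint; fails on any
# signature that is not valid (bad, missing, or made by an unknown key).
verify_cla() {
    gpg --batch --status-fd 1 --verify "$1" 2>/dev/null \
        | awk '$2 == "VALIDSIG" { print $3; found = 1 } END { exit !found }'
}

# Bind the signature to the account: the signer must be the registered key.
SIGNER=$(verify_cla "$WORK/cla.txt.asc")
if [ "$SIGNER" = "$FPR" ]; then
    echo "CLA accepted, signed by fingerprint $SIGNER"
else
    echo "CLA rejected: signer $SIGNER is not the registered key $FPR" >&2
    exit 1
fi

# A copy whose signed text was altered after signing must be rejected.
sed 's/I grant/I do not grant/' "$WORK/cla.txt.asc" > "$WORK/tampered.asc"
if verify_cla "$WORK/tampered.asc" >/dev/null; then
    echo "ERROR: tampered CLA verified" >&2
    exit 1
fi
echo "tampered CLA rejected"
```

The comparison against the registered fingerprint is what replaces the identity form: the platform learns nothing beyond "the key on this account signed this exact text at this time". Parsing `--status-fd` output rather than the localized stderr messages is deliberate, since `GOODSIG` alone is also emitted for signatures the verifier would later reject, while `VALIDSIG` carries the full fingerprint of the key that actually produced the signature.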
kreyren changed title from LEGAL(FeaReg): Standardize the usage of GPG as electronic signature to LEGAL(FeaReg): Standardize the usage of GPG as an electronic signature 1 month ago
lhinderberger commented 1 month ago
Collaborator

Unrelated to your question, but what does FeaReg mean?

kreyren changed title from LEGAL(FeaReg): Standardize the usage of GPG as an electronic signature to LEGAL(FeaReq): Standardize the usage of GPG as an electronic signature 1 month ago
kreyren commented 1 month ago
Poster

@lhinderberger Typographic error for FeaReq, which stands for Feature Request, thanks for mentioning it ^-^

lhinderberger added the
legal
label 1 month ago
lhinderberger added the
enhancement
label 1 month ago
lhinderberger changed title from LEGAL(FeaReq): Standardize the usage of GPG as an electronic signature to Standardize the usage of GPG as an electronic signature 1 month ago
tklein23 commented 1 month ago

Hi Jacob,

Codeberg is a platform to support Free and Open Source development. At which point in the development do you think Codeberg should be responsible for creating GPG signatures? And why should we have NDAs or contributor agreements, when all development is meant to be in public repositories?

Should this be a feature request for Gitea instead of Codeberg?

Cheers!

kreyren commented 1 month ago
Poster

@tklein23 Yes, it fits better with Gitea upstream, but they don't like me there for an unknown reason, so I submitted it here.

CLAs are used by various (F)OSS projects, which in my mind makes this relevant to Codeberg.

In my mind, allowing NDAs would let (Paid) Closed Source Software [(P)CSS] vendors provide their code on Codeberg to trusted community members, in order to comply with the Free Software Foundation's four essential freedoms of free software:

  • The freedom to run the program as you wish, for any purpose (freedom 0)
  • The freedom to study how the program works, and change it so it does your computing as you wish (freedom 1). Access to the source code is a precondition for this.

in which case Freedom 2 and Freedom 3 might follow ^-^

Seems that there are lots of CSS developers who would be happy to release their software, but mostly their code quality is terrible and so it's not economical for them to release that code (e.g. game developers having a codebase that would expose personal data, break their payment system, etc.)

kreyren commented 1 month ago
Poster

> Seems that there are lots of CSS developers who would be happy to release their software, but mostly their code quality is terrible and so it's not economical for them to release that code (e.g. game developers having a codebase that would expose personal data, break their payment system, etc.) @kreyren

To provide a real-life example, https://github.com/gitpod-io/gitpod was recently released as free and open-source software (the backend was previously closed source), which I was part of, contributing within their organization as a trusted community member to make that happen.
