clahub / clahub Goto Github PK

Perhaps I missed something but now that I've created my CLA, I can't seem to update or delete it. It's a fire and forget thing. This is critical to have in the future as CLA's will change over time much like a Terms of Service and Privacy Policies.

This will break adoption in a big way.

So an administrative interface needs to be cooked up to allow the owner to revise/delete/version their CLA's. This interface should probably also allow the owner to remove users who have already signed the CLA.

Our (that is, node's) current CLA dumps the data into a google doc spreadsheet, which is available to the committers on the project.

In order to switch to clahub, we'd need to still have easy and reliable access to the raw data. Something we could download and back up would be incredibly sweet.

However, this data needs to be private, as well, as it typically contains phone numbers, irl mailing addresses, corporate contacts, etc. That is, it should be visible only to those with commit access to the project, or perhaps some arbitrary set of github users.

You can see the CLA for one of my repos that I created at: http://www.clahub.com/agreements/fusion94/ArduinoExamples

It's formatted horribly. Either the textarea box didn't respect the paragraph breaks or I needed to insert HTML/Markdown. If the latter is required that's cool but the CLA author needs to be notified of that at CLA creation.

I created this project,
Added the CONTRIBUTING file, and subscribed it to clahub.com

However, Pull requests are going through without requiring anyone to sign.

Am I doing something wrong here?

I have a repo, crnixon/hmda-tools, which is forked from CFPB/hmda-tools. I tried to use CLAHub to add a contributor agreement to crnixon/hmda-tools, but the checks are now showing up on CFPB/hmda-tools.

I can find no way to remove the CLAHub service from a repo. Could you please remove it from my repo?

Owners/Admins need to agree to the CLAHub ToS prior to creations a CLA.

When changing domains from clahub.herokuapp.com to www.clahub.com, I neglected to update a production config variable that determines the hostname for GitHub's post-receive webhook notifications. As such, commits were not being updated as pass/fail based on CLA signature status.

This has been fixed and I updated all existing webhook URLs via API in production and verified this.

For folks with CLAs on the production site: I'd generally avoid publicizing user information, but I'd rather notify folks about this. I've emailed everyone whose email I can ascertain. For others I only have the GitHub username, and can't figure out how to send a GH message (didn't that feature exist previously?) As such, cc @maxandersen @webmink @pidster.

I mistakenly saved the CLA before it was finished. Can you delete it so I can add the new, correct one?

Hi,

I would like to redo the CLA for one of my projects (gdfm/samoa). Is there a simple way to delete the CLA and create a new one?

It's helpful to communicate site news and issue status to users of the site.

• Create a status blog
• Add a library like paul_revere to provide user-dismissible announcements

My hope is that people find this useful enough to use for their own organizations. In that case, I would not expect that "@jasonm's free Heroku app" is the ideal infrastructure for storing your company's legally-binding agreements.

@fusion94 recommended providing sufficient hooks and documentation so that an organization can easily self-host the application and rebrand/crossbrand their installation. Imagine e.g. http://clas.apache.org with visual style consistent with their existing branding.

The purpose of this issue is originally to solicit feedback on this proposal. If you'd like this and have any thoughts on it, please include them here.

Once a user creates a CLA for a project/repo they are presented text and/or directed to a URL that looks something like this:

To get started, <a href="http://www.clahub.com/agreements/4/ArduinoExamples">sign the Contributor License Agreement</a>.

The issue is that the actual URL is located at:

http://www.clahub.com/agreements/fusion94/ArduinoExamples

Cool service. Just wondering if changing the repo owner/organization would mess with the link between CLA hub and the project at all. That might happen in the near future so I want to know if I should wait to do CLA hub until then. Thanks!

If e.g. travis-ci and clahub both update the status for a commit, only the last one is displayed.

A few options:

• Provide alternative status indication methods; e.g. commenting on the commit instead of commit status.
• Providing a flexible status indication API: e.g. you subscribe to a CLAHub webhook which emits new commit statuses.

CC @scottgonzalez re https://twitter.com/scott_gonzalez/status/294643971655884803

Hi all, cool project, thanks for keeping it going!

I need to have a CLA for the scope of a whole organization, not just individual repos. When new repos are added, they should be covered by the existing CLA, not require a new CLA to be signed.

IANAL, but the way things are articulated, it would be easy for a layperson to be convinced that the CLAs here reflect against individual repos, and a new repo that was created without it being included in CLAHub could be confused for a CLA not being required for that repo.

(extracted idea from #10)

Contributor or project maintainer should be able to manually revoke CLA signature at any time.

Commits on open pull requests should be updated to reflect failure for any commits from the revoked user.

(Ticket was originally for harmonyagreements.org - I think the CLA/CAA space is more varied and subtle and deserves broader treatment.)

One challenge maintainers have is choosing CLA text. Even understanding the options and the possible clauses involved is nontrivial, and we can help.

There are a variety of agreement texts we can draw from:

• http://elinux.org/Developer_Certificate_Of_Origin
• http://nodejs.org/cla.html
• http://www.harmonyagreements.org/

We should help clarify the issues afoot like compatible licensing, copyright assignment, employer rules, etc.

Ideally we help maintainers choose the agreement text to best fit their motivation and situation.

Somewhat related, I like how https://www.iubenda.com provides a simple "non-legalese" breakdown of their generated privacy policies.

Right now we use a generic webhook, but could be listed as a GitHub service by contributing to https://github.com/github/github-services

Kind of the opposite situation of #1, I can add an email address to my account after I've signed the CLA and submitted a pull request (see commit 86b3ac6 on sumbach/clahub-test#1). This commit continues to be marked Failure after I add the email address ([email protected]) to my account.

Note that commit 803ecd0 is from the same email address and is marked Success.

See also #29.

I've wanted to individually contact early users regarding issues or questions. Sometimes people don't list their email on their GitHub profile, so we're not able to fetch it via the API.

Hi,

I'm trying CLAHub in my GH organization. I created the CLA and tried to sign it but got the following message:

We're sorry, but something went wrong.

Some notes:

• No problem when signing the CLAHub's CLA a few seconds ago :-)
• I have 1 pull-request pending in the repository linked with the CLA I've just created

Thanks!

Regards,
Thibault

Is there any thoughts on supporting sites other than GitHub such as GitLab ?

I really like the idea and I'd like to contribute to a project that uses CLAhub to manage CLAs. I know there are some cost added by getting a SSL-certificate in order to enable HTTPS but I'm not so much in favour to use a service that requires me to pass personal data like a phone number yet doesn't provide at least transport security.

Instead of barking about missing tin foil hats, what would be needed to get SSL on clahub.com? :)

Hey,

I created an agreement yesterday for my open source project ConDep, but when my Contributors try to sign the agreement, they get a page saying: "Something went wrong".

Btw, great initiative!

Thanks,

./jon

Don't show the GitHub user uid:

Typically there is a CLA text for an individual contributor and a CLA text for a company contributor. Support this.

We should encourage the user to continue their contribution process. Maybe this just means linking back to the GitHub repo, or maybe there's something better we can do (their open pull req, or the original GH referring URL that landed them onto clahub.com).

CLAHub knows to look and check the signature status on commits because it receives webhooks from GitHub notifying it of new commits.

Currently, CLAHub only handles to the "push" event: https://github.com/clahub/clahub/blob/master/app/controllers/github_webhooks_controller.rb#L7

It should handle more events, like "pull_request" - here is a list of the events: http://developer.github.com/v3/repos/hooks/

For example, on sumbach/clahub-test#1 the "Good to merge" message is displayed in spite of two commits failing the CLA check.

I'm not sure if this is achievable via the current Commit Status API (since it seems more focused on CI tools where only the most recent commit is relevant).

So you can troubleshoot old issues.

Hear back from logg.ly and add http://loggly.com/support/advanced/s3-bucket-archives/

See #40, sometime's it's useful to remove CLAHub integration. This can be done by manually removing the webhook in a project's service, but we could provide automation of this.

See Agreement#delete_github_repo_hook (which I have used in manual testing but is not exposed via the UI): https://github.com/clahub/clahub/blob/762e01c63a7bfa785abcaa5eaf68b39b330ed1dd/app/models/agreement.rb#L30-35

The app is very barebones and mechanical right now, and I think the most important addition is around educating people about when they might want a CLA, what it does, and how to choose one.

When a contributor signs the agreement for a project with open pulls, we check all those pulls to update their signature status based on this new signature. With a lot of open pulls, that could take a while, making the contributor wait a while for the signature HTTP request.

The app/jobs/push_status_checker.rb is all set up to be async, it just isn't yet.

I seem to have no option to delete the CLA myself.

I’d like to get rid of the CLA for nanoc/nanoc.ws.

See commit 803ecd0 on sumbach/clahub-test#1. I've added this email address ([email protected]) to my account but have NOT yet verified my ownership of this address.

I don't think such email addresses should be considered for purposes of verifying they have signed the CLA--it lets any GitHub user claim any email address not yet associated with another GitHub account.

I'm not sure if this is accessible via the GitHub APIs you're using (if not, I'd be happy to escalate this request to the GitHub team).

On agreements#show, we suggest linking the CLA from the CONTRIBUTING or CONTRIBUTING.md file:

We can check for the existence of those:

[~] curl -I https://github.com/jasonm/clahub-test/blob/master/CONTRIBUTING.md | grep HTTP
HTTP/1.1 404 Not Found

[~] curl -I https://github.com/jasonm/clahub-test/blob/master/README.md | grep HTTP
HTTP/1.1 200 OK

and suggest to create a new file:

https://github.com/blog/1327-creating-files-on-github

with a URL like:

https://github.com/jasonm/clahub-test/new/master?filename=CONTRIBUTING.md

or to edit an existing file with a URL like:

https://github.com/jasonm/clahub-test/edit/master/README.md

What should we record upon signature to make the signature more legally defensible? IP address and time? Should the contributor re-type their name or initials? Anything else?

We shall allow agreement authors to include one or more predefined fields:

Implicit

• GitHub username
• Date

Default to: include on new CLAs, but allow opt-out

• Email
• Name
• Mailing address
• Country
• Phone or Skype
• Type "I AGREE"
• Corporate Contributor Information

Default to: exclude from new CLAs, but allow opt-in

• Type your initials

Until all the legal details get worked out (see #5), it would be great if CLAHub could also support other CLA signing processes (e.g., mailing a signed paper copy of the form, fax, S/MIME or GPG signature, etc).

The easiest way to allow projects to effectively use CLAHub (and GitHub pull requests) is the provide for manual entry of CLA signing info:

• date of signature
• name
• email address
• GitHub username?
• mailing address?
• phone number?

See also #25, #31.

It can be valuable for other contributors to get set up easily with a staging environment.

I'm trying to verify the CLAHub setup for Molajo/Filesystem - specifically, Molajo/Filesystem#2. That project is using TravisCI, so #27 still applies here and we'll currently only see one status indicator at a time (Travis or CLAHub) for a given pull.

That said, I can see via API access that CLAHub never correctly set a status on Molajo/Filesystem@3636c37 for Molajo/Filesystem#2.

In fact, when GitHub sent a Webhook to CLAHub, CLAHub responded with a 504 Gateway Timeout:

irb(main):008:0> pp g.repos.hooks.find('Molajo', 'Filesystem', a.github_repo_hook_id)
{"url"=>"https://api.github.com/repos/Molajo/Filesystem/hooks/ID_REDACTED",
 "test_url"=>
  "https://api.github.com/repos/Molajo/Filesystem/hooks/ID_REDACTED/test",
 "id"=>ID_REDACTED,
 "name"=>"web",
 "active"=>true,
 "events"=>["push"],
 "config"=>{"url"=>"http://www.clahub.com/repo_hook"},
 "last_response"=>{"code"=>504, "status"=>"timeout", "message"=>""},
 "updated_at"=>"2013-02-17T08:47:45Z",
 "created_at"=>"2013-02-06T06:33:13Z"}

It could have been that CLAHub was running on a single Heroku Dyno and did not spin up in time, or that the processing simply took too long.

Ideally GitHub webhooks would retry if given a non-2xx response. Absent that, we should ensure CLAHub always has at least 1 dyno. Since Heroku also imposes a 30-second limit on response time, we likely also want to background all webhook responses, similar to #1.

We don't need read+write for private repos, and this is rightfully concerning to users:

UPDATE: We sure don't need repo, but it'd be nice to narrow public_repo to public_repo:status.

http://developer.github.com/v3/oauth/#scopes

Combined Status API is not available. So this means we could have support for running both clahub and Travis CI at the same time for each pull request. I think it is needed that clahub sets a correct context for this to work.

Hi,
I've signed the agreement for ajaxplorer/ajaxplorer-core before sending my first pull request (pydio/pydio-core#240) (maybe even before forking the project) and nothing appear in all my pull request (see also my 2nd PR pydio/pydio-core#242 and @cdujeu comment pydio/pydio-core#240 (comment)).
Email of the commiter (me) is the same as the email of the github account.
For each PR i've created a new branch on my fork, push my commit to it, and i've made a PR to ajaxplorer/ajaxplorer-core master.
Maybe related to #47 ? I don't remember having error message as in #48.
If I try to re-sign the CLA, it says "You have signed this CLA".
ClaHub is still in "Authorized applications".

I wanted to make a CLA for my project, but I'm not satisfied with it, so I wanted to redo it while nobody had signed it, yet. How would I go about this?

I love this project. However...
the last patches were applied 4 months ago - are you continuing to evolve this project?

The link to Source Code and Issues on CLAHub points to:

https://github.com/jasonm/clahub when it should point to:

https://github.com/clahub/clahub

The creator of a CLA should be able to be notified via email when a new user signs the CLA.

Once a user has signed a CLA and is listed under "Users who have signed:" then clicking on their username should take one to their github profile page.

https://github.com/fusion94
instead of
http://www.clahub.com/agreements/kandanapp/kandan#

We only need the public_repo scope for people who make agreements. People who are signing agreements really only need their identity provided by GitHub, so we should only ask for the (no scope) "Public read-only-access" GitHub OAuth scope.

Related to, but different from, #17