Re: Why are so many great packages not trying to get included in GNU Emacs?

[Luke Shumaker]

Hi, sorry to jump in as an outsider.  I just wanted to clarify a
couple of things about Git.

> How could that be possible?  How would we know who wrote those
> changes?  We can't assume it is the person whose account checked them
> in.  Often that is so, but not always.

Git tracks separate "committer" and "author" information (both of
which are name/email/timestamp).  Unfortunately, it only allows
exactly one author; limiting the case where a change has 2
collaborators.

> There may be other issues, such as, if the name on that account is
> John Doe, does that mean the user of that account is the same John Doe
> that signed an assignment?

Git tracks both name and email.  Surely assuming address@hidden is
the same address@hidden that signed the assignment is a safer
assumption?

Of course, that can be intentionally spoofed.  I'm not sure whether
the concern is about accidentally mixing up two people, or about
someone maliciously misrepresenting the authorship.  If the concern is
malicious misrepresentation, then this could be solved with
GPG-signing of either the emails with the patches, or the Git commits
(which is something that Git supports).

----

FWIW, several free software projects that I've contributed to (and
require copyright assignment or other licensing paperwork) handle this
by requiring that each commit message have a specially formatted line
in it:

    Signed-off-by: Full Name <user@domain>

for each person that contributed to that commit (this line can
conveniently be added with `--signoff` flag to `git commit`); and they
have an automated system that validates that each submitted commit has
such a line, and that the person mentioned in the line has signed the
agreement.  I believe this is standard for projects under the auspices
of the Linux Foundation.

-- 
Happy hacking,
~ Luke Shumaker