Re: [EXTERNAL] Re: [cncf-toc] An interesting issue wrt CLA
I will definitely ping GitHub folks about this, but I thought it useful to at least document the desired approach in general.
From: cncf-toc@... <cncf-toc@...> on behalf of Matt Farina via Lists.Cncf.Io <matt=mattfarina.com@...>
Sent: Tuesday, January 7, 2020 11:30 AM
To: CNCF TOC <cncf-toc@...>
Cc: cncf-toc@... <cncf-toc@...>
Subject: [EXTERNAL] Re: [cncf-toc] An interesting issue wrt CLA
Dependabot is a service now owned by GitHub. Do we want to expect all people offering a service like this to sign the CNCF CLA and associate their bot with it? The person choosing to use the bot is different from those providing it and the person choosing to use it is a member of the project.
This problem only affects those using the CLA. Dependabot appropriately signs for the DCO. The majority of CNCF projects are not affected by this issue.
Dependabot creates a PR like any other random person to come along on GitHub. A person with merge access has to merge the PR and the PR has to pass tests and review as if a person were suggesting the same change. https://dependabot.com/#how-it-works
What would an attack vector for a bot like this be? If a bot had write access to the code I would be concerned.
A thought for this case... GitHub is a CNCF member and has a signed CLA (I assume) since GitHub employees contribute to Kubernetes. Is there someone there who can add Dependabots account to the CLA?
This would be the quick and easy approach. It would not scale to similar services.
- Matt Farina
On Tue, Jan 7, 2020, at 2:05 PM, Sarah Allen wrote: