Community Blog


Meet cla-bot, Our IP Compliance Minion

August 03, 2017

How the Symphony Software Foundation enforces IP Compliance of their hosted code

At the Symphony Software Foundation we care a lot about IP Compliance of the software we host, which is why we:


1. Define a Contributor License Agreement (CLA), which must be signed either by the individual contributor or by their employer
2. Securely store the data capturing contributor affiliations, employers and signed CLAs in our internal infrastructure
3. Require project leaders to validate that the contributors (the commit authors, in GitHub lingo) of each code contribution are covered by a CLA signed with the Foundation


Since project leaders don’t have access to the signed CLA documents, the Foundation staff end up monitoring notifications and validating GitHub Pull Requests across all hosted projects, which is tedious, error-prone and doesn’t scale.

To address these issues, we have just completed the internal deployment of cla-bot, an open source project built by Colin Eberhardt, one of our most active members. The bot validates every Pull Request (PR) submitted to a Foundation-hosted repository in a few simple steps:

  1. Extracts the list of GitHub usernames that authored commits in the PR,
  2. Matches the author list against a contributors whitelist that is continuously updated by Foundation internal systems.

If every author is on the contributors whitelist, the bot adds a cla-signed label to the PR.


Otherwise it sets the GitHub commit status to failed and adds a comment that welcomes new contributors and points them to the CLA signing process.

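The check described above, as an added example that is not cla-bot's own code: it takes commits in the shape returned by GitHub's "list commits on a pull request" API and a whitelist of logins, extracts the set of authors, and returns the label, commit status and comment the bot would apply. The sample commits and whitelist are constructed inline; the function names and the comment wording are assumptions. Two details a practitioner would want are shown: GitHub logins are matched case-insensitively, and a commit whose author email is not linked to any GitHub account (the API returns `author: null`) is treated as an unknown author, so the check fails closed instead of silently skipping that commit.

```javascript
// Added example, not code from cla-bot. Shape of `commits` follows the
// GitHub "list commits on a pull request" API: each entry has `sha`,
// `author` (the linked GitHub user, or null when the email is unlinked)
// and `commit.author.email` (the email recorded in the commit itself).

const CLA_LABEL = 'cla-signed';

// Step 1: extract the GitHub logins that authored commits in the PR.
// Unlinked authors are collected separately so that they block the PR
// rather than being ignored (fail closed).
function extractAuthors(commits) {
  const logins = new Set();
  const unknown = [];
  for (const c of commits) {
    if (c.author && c.author.login) {
      // GitHub logins are case-insensitive; normalise before matching.
      logins.add(c.author.login.toLowerCase());
    } else {
      const email = c.commit && c.commit.author && c.commit.author.email;
      unknown.push(email || c.sha);
    }
  }
  return { logins: [...logins], unknown };
}

// Step 2: match the author list against the whitelist and decide the outcome.
function checkPullRequest(commits, whitelist) {
  const allowed = new Set(whitelist.map((u) => u.toLowerCase()));
  const { logins, unknown } = extractAuthors(commits);
  const missing = logins.filter((login) => !allowed.has(login));

  if (missing.length === 0 && unknown.length === 0) {
    // Every author is covered: label the PR and report a green status.
    return { status: 'success', labels: [CLA_LABEL], comment: null };
  }

  // At least one author is not covered (or cannot be identified):
  // fail the commit status and explain what is needed.
  const names = [
    ...missing.map((m) => '@' + m),
    ...unknown.map((u) => `unlinked commit author ${u}`),
  ];
  return {
    status: 'failure',
    labels: [],
    comment:
      'Thank you for your contribution! Before it can be merged, the ' +
      `following author(s) need to sign the Foundation CLA: ${names.join(', ')}. ` +
      'Please follow the CLA signing process and push again once it is recorded.',
  };
}

// Constructed sample data (hypothetical logins and emails).
const sampleWhitelist = ['Alice', 'bob'];
const sampleCommits = [
  { sha: 'a1', author: { login: 'alice' }, commit: { author: { email: 'alice@example.org' } } },
  { sha: 'b2', author: { login: 'carol' }, commit: { author: { email: 'carol@example.org' } } },
  { sha: 'c3', author: null, commit: { author: { email: 'nobody@example.org' } } },
];

console.log(JSON.stringify(checkPullRequest(sampleCommits, sampleWhitelist), null, 2));
```

With the sample above the PR is failed because carol is not whitelisted and the third commit has no linked GitHub account; dropping those two commits yields the cla-signed label.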

The bot is already scanning several projects of the Foundation, including ContainerJS, our most active project in terms of submitted Pull Requests. We will complete the rollout on all our hosted projects by the end of the month.

The cla-bot is an important milestone in our journey to define and implement a secure and compliant software development sandbox for our members and the fintech industry at large, as it delivers tangible advantages for several key players in our ecosystem:

  1. Project maintainers can focus on reviewing and approving code, leaving IP compliance to the Foundation
  2. First-timers will be greeted and clearly instructed on how to sign the CLA
  3. Consumers can be confident that every contribution to a Foundation project comes with an appropriate IP license and authorship representations
  4. The Foundation can document the provenance and legal sign-off for each contribution

Stay tuned for more updates! Want the opportunity to develop a bot, app or integration for the Symphony platform? Join the Innovate 2017 Hackathon on October 3 and show us your skills!
