CLA Bot and AI Agents? (original) (raw)
Hey folks,
I was playing around with using GitHub Agents to potentially fix an issue: gh-146268: Fix case where assigning an infinite generator to an extend slice hangs instead of raising ValueError by csm10495 · Pull Request #146272 · python/cpython · GitHub .. Interestingly it seems to be stuck at CLA Signing since the commits are cosigned by me and GitHub Copilot.
Is that supposed to work? Like I know the bot can’t sign a CLA.. but it was a bot. I guess I’m wondering what’s the expected process here? This will probably be more common as more AI Agents co-sign commits. I know Claude does it, and Github Agents now at least.
(I could just squash/resign it as just me.. but that seems odd too, so figured I’d ask here.)
Thanks.
Kwpolska (Chris Warrick) March 22, 2026, 9:47am 2
For the AI agent co-signature to appear, the AI agent needs to be the one calling git commit - at which point, does the human contributor even know and understand what is committed under their name?
Moreover, if the code was fully written by AI, who owns the copyright? Is this code even copyrightable?
pf_moore (Paul Moore) March 22, 2026, 12:20pm 3
To be honest, if you’re not comfortable with submitting the PR as your own work, it seems to me that you’re not able to comply with your own obligations under the CLA, of asserting that the work is yours and you have the right to assign it to the PSF. So maybe you should rethink how you’re using LLMs to produce code for submission in the first place.
oscarbenjamin (Oscar Benjamin) March 22, 2026, 12:56pm 4
Why does it seem odd to sign it as yourself?
I have tried using coding agents but have not gone as far as letting them run git commit themselves (because they don’t generate code that is ready to be committed directly and even if they did I want to review and check it first).
As I understand it some coding agents will add this Co-authored-by field in the commit message but I think that is really just a marketing gimmick from the AI companies that is abusing what the field is for. The agent is not really an author, it is a tool that you used. The author is supposed to be the person who can be held responsible for the code whether it turns out to be good or bad. The reason git authors have an email address as well as a name is so that in principle you can email the author but there’s no point emailing copilot about anything.
csm10495 (Charles Machalow) March 22, 2026, 1:20pm 5
To be clear, I would be comfortable with it once I’ve tested and read through and understand it. I wouldn’t just submit something that doesn’t make sense and seem maintainable and tested.
It just didn’t seem transparent to just squash away the co author line. So figured I’d ask if it had come up before.
csm10495 (Charles Machalow) March 22, 2026, 1:25pm 6
The marketing gimmick or not isn’t something I’d debate (to me.. it is a marketing thing). Though something to understand is that you don’t just send a PR for what it gave.
There is a process around understanding, debugging, and testing the stuff it gives back. Only then does it make sense to submit for review to others.
Though I went through more than some would (iterations, testing). I just didn’t immediately squash because I wanted to ask for thoughts.
I wouldn’t PR code to a project like cpython without being comfortable with it.
pf_moore (Paul Moore) March 22, 2026, 2:33pm 7
Agreed, it’s a good question. But it shouldn’t be about the co-author line, it should be about whether you feel the PR is your own work. And that’s a harder one, and very personal. For example, I don’t mind using an LLM to give me sample code that I then use to understand how to solve the problem I have, and then write my own code to solve that problem. And sometimes (quite often, probably!), the code I write is the same as the generated code. But the work I did to understand the logic and write it out myself makes the code feel mine, to me. The LLM was more of a learning tool than a coding assistant.
But having said that, I’d never let an LLM edit my files directly, let alone commit code into my repo. That’s a step too far for me, personally. If, on the other hand, you do let an LLM edit your files, you’ll need to work out your own idea of when you consider the code to be yours (as opposed to “the LLM’s” or “based on the LLM’s training data” or whatever). Ultimately, what you submit has to be your code. You need to decide what steps you have to take to make it feel like your code, to you.
Note that I’m carefully avoiding the question of copyright here. As far as I know, there’s no legal precedent on that matter yet, and I don’t know the PSF’s position here. All I know is that the CLA requires you to have the ability to give the specified rights to the PSF. Whether you have that ability in regard of code generated by an LLM is (AIUI) still to be established in legal terms. For now, you have to make your own decision about that.
gpshead (Gregory P. Smith)
March 22, 2026, 4:51pm 8
You’ve since force pushed (the right solution today) to rewrite the commits to workaround the clabot papercut. To make sure I understood what copilot was doing and how our GitHub - psf/clabot: Python Software Foundation Contributor License Agreement Management Bot · GitHub triggers I went and looked at your earlier branch:
Your copilot created commits show up in git log as:
commit c4c841f0cb1690573734ee029309f110fa1e0e9d
Author: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Date: Sun Mar 22 13:42:31 2026 +0000
Improve error messages for bounded iteration on extended slice assignment
Co-authored-by: csm10495 <5749838+csm10495@users.noreply.github.com>
Agent-Logs-Url: https://github.com/csm10495/cpython/sessions/48a4582d-926d-44bf-aa9b-8078648099f4
It has nothing to do with the Co-authored-by: lines. Those are never considered. What clabot looks at is the Author: on a git commit. The GitHub UI tied your identity to it because GitHub (not git) offers something slightly more than git because it knows who’s account was used.
(that’s from Improve error messages for bounded iteration on extended slice assign… · python/cpython@c4c841f · GitHub until github garbage collects your old unreferenced commit)
The same kind of clabot “Who dis?” thing happens by default if you use Claude Code on the Web and do not tell it or configure it to commit with a different author line. It will have an Author line with the Claude noreply anthropic email address. (tip if you forgot: just ask your session to rewrite commit history to fix the author lines to your liking)
If you want to avoid this when using copilot for remote sandboxed development, try asking it to use your name and email on commit messages if it doesn’t already have a way for you to configure its sandboxed git client directly. For Claude on the web you can add relevant git config commands to the Environment setup script for the remote hosted sandbox it runs in.
These are all papercuts today when we use our modern replacement for IDEs. I think we could potentially improve the clabot here this to avoid the inaccurate “user has not signed the CLA” error response in this scenario when the driver of the system clearly has. That’ll require some care to make sure we’re getting it right.
Git is not an identity system. It is 100% free form text where any one can fill in anything they want. I can commit pretending to be Guido while Guido can commit pretending to be King Arthur. I’m pretty sure ShrubberyBot is secretly the Rabbit of Caerbannog. GitHub will happily show these as being authored by the account matching the arbitrary string any of us put in the author line. This is working as intended because identity is unsolvable.
The CLA bot is a practical attempt at conformance on our part. The other side of that is us as PR reviewers with a Merge button looking things over to be sure it makes sense. A PR put up by someone with commits having Author lines of others who are not present and involved would be suspicious and something we’re expected to catch and flag 
on our own.