| 1 |
On Wed, May 19, 2021 at 1:03 AM Joonas Niilola <juippis@g.o> wrote: |
| 2 |
> |
| 3 |
> This causes few misunderstandings with the requirements. Is the legal |
| 4 |
> name sign-off required from the *committer*, or from the *contributor*? |
| 5 |
|
| 6 |
So, you are probably referring to case 4, where a contributor makes a |
| 7 |
certification to the committer. I think it is a fair point that the |
| 8 |
policy doesn't state whether the contributor has to also provide a |
| 9 |
sign-off using their real name, or if some other way of providing this |
| 10 |
certification is acceptable. |
| 11 |
|
| 12 |
> What about a contribution where the author just adds a patch from |
| 13 |
> upstream, how much is covered by the Gentoo copyright policies? |
| 14 |
|
| 15 |
Well, I'd think that most of these are going to fall under case #3 |
| 16 |
("The contribution is based upon previous work that, to the best of my |
| 17 |
knowledge, is covered under an appropriate free software license..."), |
| 18 |
unless we're talking about patches to non-FOSS code. That seems |
| 19 |
pretty unlikely to come up, but has it? |
| 20 |
|
| 21 |
> We've turned down many contributions in the past because the contributor |
| 22 |
> did not wish to share their real name. Too many. We've also merged |
| 23 |
> contributions from Github accounts with no history, and absolutely no |
| 24 |
> way for us to determine whether the affiliated name is real. |
| 25 |
|
| 26 |
This is a fair point - we basically assume that if upstream accepts it |
| 27 |
then we can accept it, but I don't think anything else is practical. |
| 28 |
If upstream distributes a tarball under an FOSS license, and we mirror |
| 29 |
it, we can't really go auditing every upstream to ensure every one of |
| 30 |
them actually has the rights to their code. I think the concept is |
| 31 |
that we weigh the actions of projects above the actions of random |
| 32 |
individuals. |
| 33 |
|
| 34 |
> Heck, you can't even tell if the name I use is real. |
| 35 |
|
| 36 |
This has been discussed a fair bit already I believe. The policy is |
| 37 |
intended to cover Gentoo with a reasonable amount of due diligence, |
| 38 |
and also generally create a professional atmosphere not full of random |
| 39 |
pseudonyms. However, we didn't want to get into a situation where |
| 40 |
we're harvesting a lot of sensitive private info like identity docs, |
| 41 |
especially since validating these requires some expertise and probably |
| 42 |
isn't practical online. |
| 43 |
|
| 44 |
Ultimately the policy was intended to find a balance. No doubt you |
| 45 |
could make it slightly more strict or slightly less strict and the |
| 46 |
argument could be made that either is acceptable. |
| 47 |
|
| 48 |
Much of it was based on what the Linux Kernel and other projects do. |
| 49 |
That doesn't make it automatically correct, and the kernel doesn't |
| 50 |
redistribute random stuff from random other projects, so we can't |
| 51 |
conform completely to it. |
| 52 |
|
| 53 |
> Therefore I suggest we update the GLEP to *clearly* state that *only* |
| 54 |
> committer's sign-off is required. |
| 55 |
|
| 56 |
Well, either way it probably is reasonable to make it explicit whether |
| 57 |
a real-name sign-off by the contributor is necessary in case #3, and |
| 58 |
whether that needs to make its way into the commit itself as an |
| 59 |
additional signed-off-by line. |
| 60 |
|
| 61 |
> (And I feel like even that is |
| 62 |
> debatable, but at least a start for now) |
| 63 |
|
| 64 |
It certainly was debated when the policy was enacted. I'm not sure |
| 65 |
that rehashing the debate is going to change much - the arguments |
| 66 |
haven't changed, and I don't think the Council has changed all that |
| 67 |
much either. However, they could speak for themselves... |
| 68 |
|
| 69 |
> Then a small note about ebuild's copyright header. The GLEP states: |
| 70 |
> "All copyrightable files included in Gentoo projects must contain |
| 71 |
> appropriate copyright and license notices" |
| 72 |
> |
| 73 |
> but do ebuilds, at least most of the ebuilds, contain copyrightable |
| 74 |
> innovative work? Most ebuilds are just following the basic skeleton form |
| 75 |
> and calling functions from eclasses and EAPI. Therefore I suggest the |
| 76 |
> copyright headers in ebuilds shouldn't be mandatory, but opt-in, if the |
| 77 |
> author feels like it contains innovative work. |
| 78 |
|
| 79 |
So, only a court can make this determination, and courts in different |
| 80 |
jurisdictions could make the determination differently. IMO it is a |
| 81 |
MUCH simpler solution to just leave the line there for everything than |
| 82 |
to have debates and escalations over just how much content it takes to |
| 83 |
make an ebuild copyrightable, especially when you start throwing |
| 84 |
eclasses and so on into the mix, where setting a variable changes the |
| 85 |
behavior of the ebuild. |
| 86 |
|
| 87 |
There is little harm to have the additional copyright line, but not |
| 88 |
including it could limit our rights. Also, in the case where the |
| 89 |
ebuild at some point in history was part of somebody else's repository |
| 90 |
(perhaps in an earlier revision the maintainer isn't aware of |
| 91 |
offhand), removing the copyright notice might provoke offense. |
| 92 |
|
| 93 |
I'd strongly recommend keeping the current policy if only to keep it |
| 94 |
simple. Really the only inconvenience is updating the year. |
| 95 |
|
| 96 |
> And why couldn't we use the ./header.txt to indicate this copyright for |
| 97 |
> every ebuild, why must it be replicated to each .ebuild file? |
| 98 |
|
| 99 |
Including it in every file is generally considered a best practice - |
| 100 |
you can google that in policies from various reputable sources. Not |
| 101 |
giving sufficient notice can limit rights under copyright law in some |
| 102 |
jurisdictions. Just about every FOSS project does it this way. |
| 103 |
|
| 104 |
> We also have the metadata/AUTHORS file whose purpose I still don't know. |
| 105 |
|
| 106 |
You can find a lot of debate on this on the list archives. Basically |
| 107 |
it exists for a few reasons: |
| 108 |
|
| 109 |
1. Some contributors work for employers who have a requirement to list |
| 110 |
their name in copyright notices. |
| 111 |
2. Some files were sourced in a way that they contain non-Gentoo |
| 112 |
copyright notices already. (Eudev had a bit of a delicate situation |
| 113 |
resulting from this.) |
| 114 |
3. Some developers wanted to have their own names in the copyright |
| 115 |
notices for their contributions. |
| 116 |
|
| 117 |
In these situations the options are to accumulate copyright notices |
| 118 |
(adding Gentoo plus others), or have the AUTHORS file where we can put |
| 119 |
all that in one place and keep the per-file details simple. The full |
| 120 |
history is found in git regardless, but the topic of copyright notice |
| 121 |
is sensitive to some. IMO it isn't intended to be a "credit" for work |
| 122 |
done, but some feel otherwise, and this policy was a way to keep the |
| 123 |
files simple and keep everybody happy. It basically requires nobody |
| 124 |
to do anything but tolerate a small file in the repository, but those |
| 125 |
who wish to be listed can ask. |
| 126 |
|
| 127 |
-- |
| 128 |
Rich |
Archives