1 |
On Wed, May 19, 2021 at 1:03 AM Joonas Niilola <juippis@g.o> wrote: |
2 |
> |
3 |
> This causes few misunderstandings with the requirements. Is the legal |
4 |
> name sign-off required from the *committer*, or from the *contributor*? |
5 |
|
6 |
So, you are probably referring to case 4, where a contributor makes a |
7 |
certification to the committer. I think it is a fair point that the |
8 |
policy doesn't state whether the contributor has to also provide a |
9 |
sign-off using their real name, or if some other way of providing this |
10 |
certification is acceptable. |
11 |
|
12 |
> What about a contribution where the author just adds a patch from |
13 |
> upstream, how much is covered by the Gentoo copyright policies? |
14 |
|
15 |
Well, I'd think that most of these are going to fall under case #3 |
16 |
("The contribution is based upon previous work that, to the best of my |
17 |
knowledge, is covered under an appropriate free software license..."), |
18 |
unless we're talking about patches to non-FOSS code. That seems |
19 |
pretty unlikely to come up, but has it? |
20 |
|
21 |
> We've turned down many contributions in the past because the contributor |
22 |
> did not wish to share their real name. Too many. We've also merged |
23 |
> contributions from Github accounts with no history, and absolutely no |
24 |
> way for us to determine whether the affiliated name is real. |
25 |
|
26 |
This is a fair point - we basically assume that if upstream accepts it |
27 |
then we can accept it, but I don't think anything else is practical. |
28 |
If upstream distributes a tarball under an FOSS license, and we mirror |
29 |
it, we can't really go auditing every upstream to ensure every one of |
30 |
them actually has the rights to their code. I think the concept is |
31 |
that we weigh the actions of projects above the actions of random |
32 |
individuals. |
33 |
|
34 |
> Heck, you can't even tell if the name I use is real. |
35 |
|
36 |
This has been discussed a fair bit already I believe. The policy is |
37 |
intended to cover Gentoo with a reasonable amount of due diligence, |
38 |
and also generally create a professional atmosphere not full of random |
39 |
pseudonyms. However, we didn't want to get into a situation where |
40 |
we're harvesting a lot of sensitive private info like identity docs, |
41 |
especially since validating these requires some expertise and probably |
42 |
isn't practical online. |
43 |
|
44 |
Ultimately the policy was intended to find a balance. No doubt you |
45 |
could make it slightly more strict or slightly less strict and the |
46 |
argument could be made that either is acceptable. |
47 |
|
48 |
Much of it was based on what the Linux Kernel and other projects do. |
49 |
That doesn't make it automatically correct, and the kernel doesn't |
50 |
redistribute random stuff from random other projects, so we can't |
51 |
conform completely to it. |
52 |
|
53 |
> Therefore I suggest we update the GLEP to *clearly* state that *only* |
54 |
> committer's sign-off is required. |
55 |
|
56 |
Well, either way it probably is reasonable to make it explicit whether |
57 |
a real-name sign-off by the contributor is necessary in case #3, and |
58 |
whether that needs to make its way into the commit itself as an |
59 |
additional signed-off-by line. |
60 |
|
61 |
> (And I feel like even that is |
62 |
> debatable, but at least a start for now) |
63 |
|
64 |
It certainly was debated when the policy was enacted. I'm not sure |
65 |
that rehashing the debate is going to change much - the arguments |
66 |
haven't changed, and I don't think the Council has changed all that |
67 |
much either. However, they could speak for themselves... |
68 |
|
69 |
> Then a small note about ebuild's copyright header. The GLEP states: |
70 |
> "All copyrightable files included in Gentoo projects must contain |
71 |
> appropriate copyright and license notices" |
72 |
> |
73 |
> but do ebuilds, at least most of the ebuilds, contain copyrightable |
74 |
> innovative work? Most ebuilds are just following the basic skeleton form |
75 |
> and calling functions from eclasses and EAPI. Therefore I suggest the |
76 |
> copyright headers in ebuilds shouldn't be mandatory, but opt-in, if the |
77 |
> author feels like it contains innovative work. |
78 |
|
79 |
So, only a court can make this determination, and courts in different |
80 |
jurisdictions could make the determination differently. IMO it is a |
81 |
MUCH simpler solution to just leave the line there for everything than |
82 |
to have debates and escalations over just how much content it takes to |
83 |
make an ebuild copyrightable, especially when you start throwing |
84 |
eclasses and so on into the mix, where setting a variable changes the |
85 |
behavior of the ebuild. |
86 |
|
87 |
There is little harm to have the additional copyright line, but not |
88 |
including it could limit our rights. Also, in the case where the |
89 |
ebuild at some point in history was part of somebody else's repository |
90 |
(perhaps in an earlier revision the maintainer isn't aware of |
91 |
offhand), removing the copyright notice might provoke offense. |
92 |
|
93 |
I'd strongly recommend keeping the current policy if only to keep it |
94 |
simple. Really the only inconvenience is updating the year. |
95 |
|
96 |
> And why couldn't we use the ./header.txt to indicate this copyright for |
97 |
> every ebuild, why must it be replicated to each .ebuild file? |
98 |
|
99 |
Including it in every file is generally considered a best practice - |
100 |
you can google that in policies from various reputable sources. Not |
101 |
giving sufficient notice can limit rights under copyright law in some |
102 |
jurisdictions. Just about every FOSS project does it this way. |
103 |
|
104 |
> We also have the metadata/AUTHORS file whose purpose I still don't know. |
105 |
|
106 |
You can find a lot of debate on this on the list archives. Basically |
107 |
it exists for a few reasons: |
108 |
|
109 |
1. Some contributors work for employers who have a requirement to list |
110 |
their name in copyright notices. |
111 |
2. Some files were sourced in a way that they contain non-Gentoo |
112 |
copyright notices already. (Eudev had a bit of a delicate situation |
113 |
resulting from this.) |
114 |
3. Some developers wanted to have their own names in the copyright |
115 |
notices for their contributions. |
116 |
|
117 |
In these situations the options are to accumulate copyright notices |
118 |
(adding Gentoo plus others), or have the AUTHORS file where we can put |
119 |
all that in one place and keep the per-file details simple. The full |
120 |
history is found in git regardless, but the topic of copyright notice |
121 |
is sensitive to some. IMO it isn't intended to be a "credit" for work |
122 |
done, but some feel otherwise, and this policy was a way to keep the |
123 |
files simple and keep everybody happy. It basically requires nobody |
124 |
to do anything but tolerate a small file in the repository, but those |
125 |
who wish to be listed can ask. |
126 |
|
127 |
-- |
128 |
Rich |