| 1 |
On Tue, Apr 9, 2019 at 4:18 PM Gokturk Yuksek <gokturk@g.o> wrote: |
| 2 |
|
| 3 |
> Hi, |
| 4 |
> |
| 5 |
> I'd like to voice my opinion on the matter as well. Full disclosure: |
| 6 |
> NP-Hardass is my mentor and I also had a co-maintainer who has been |
| 7 |
> distressed by the enforcement of the GLEP. |
| 8 |
> |
| 9 |
> Michał Górny: |
| 10 |
> > On Wed, 2019-04-03 at 17:43 +0300, Andrew Savchenko wrote: |
| 11 |
> >> Why? We have no way to verify that provided names are valid or that |
| 12 |
> >> provided ID's are valid. At least in my jurisdiction such |
| 13 |
> >> information collected can't be used for legal action or protection |
| 14 |
> >> without following established government-assisted verification |
| 15 |
> >> procedure. In other jurisdictions similar problems may and will |
| 16 |
> >> arise. |
| 17 |
> > |
| 18 |
> > 'Perfect is the enemy of good'. Claiming that you can't be 100% sure |
| 19 |
> > that someone's giving his real name doesn't imply that everyone is using |
| 20 |
> > fake names. Or that it makes no sense to use them. |
| 21 |
> > |
| 22 |
> |
| 23 |
> I understand that but it creates problems with the consistent |
| 24 |
> enforcement of the policy. There are no clear guidelines as to how we |
| 25 |
> decide who requires identity validation and who doesn't. We don't even |
| 26 |
> know who is tasked with making the request and performing the |
| 27 |
> validation. If I work with a user and I am convinced that they provide |
| 28 |
> their real name, is that sufficient for the foundation? Can I |
| 29 |
> arbitrarily be suspicious of any user and demand them to provide their |
| 30 |
> identity? |
| 31 |
> |
| 32 |
|
| 33 |
So first a preface: I would prefer we accept a name until we have some |
| 34 |
reasonable suspicion that it is wrong. |
| 35 |
If someone submitted as "boaty mcboatface" it might immediately raise such |
| 36 |
a suspicion; but a contributor who contributed as "John Doe" might not. Its |
| 37 |
very subjective, yes, and we don't offer better guidelines. |
| 38 |
|
| 39 |
So to your first question, yes its sufficient. |
| 40 |
To your second question, you could, but I think that would be wrong and if |
| 41 |
I found out I'd probably talk to you about it and if it continued, I'd |
| 42 |
probably take some kind of remedial action. The intent is to have a |
| 43 |
reasonable suspicion of fraud or wrongdoing, not to do just do it willy |
| 44 |
nilly. |
| 45 |
|
| 46 |
That being said I don't intend to forge a policy that is bullet-proof. If I |
| 47 |
cannot trust fellow project members to act well, they might as well just |
| 48 |
leave the project now. If project members are looking for "a list of rules |
| 49 |
to follow" my only rules are "don't be an ass" and if you are told you are |
| 50 |
being an ass, maybe listen and take that advice as opposed to objecting. |
| 51 |
|
| 52 |
|
| 53 |
> |
| 54 |
> >> Additional problem is personal data collection, it is |
| 55 |
> >> restricted or heavily regulated in many countries. One can't just |
| 56 |
> >> demand to show an ID via electronic means without following |
| 57 |
> >> complicated data protection procedures which are likely to be |
| 58 |
> >> incompatible between jurisdictions. |
| 59 |
> > |
| 60 |
> > Do you have any proof of that, or are you just basing your comments |
| 61 |
> > on the common concept of misunderstanding GDPR and extending it to match |
| 62 |
> > your private interest? |
| 63 |
> > |
| 64 |
> |
| 65 |
> At the very least, insecure transportation and storage of legal |
| 66 |
> documents has a potential to lead to identity theft, which makes it a |
| 67 |
> legal liability in and of itself. I don't think we should be dismissive |
| 68 |
> on this point. |
| 69 |
> |
| 70 |
|
| 71 |
I don't believe any policies require collecting personal data currently. |
| 72 |
|
| 73 |
|
| 74 |
> |
| 75 |
> >> So the real name requirement gives us no real protection from |
| 76 |
> >> possible cases, but creates real and serious problems by kicking |
| 77 |
> >> active developers and contributors from further contributions. |
| 78 |
> >> NP-Hardass is not the only one. |
| 79 |
> > |
| 80 |
> > Do you have any proof of that? As far as I'm concerned, we're pretty |
| 81 |
> > clear that NP-Hardass can't contribute to Gentoo, and that his previous |
| 82 |
> > contributions shouldn't have been accepted in the first place (and why |
| 83 |
> > Trustees agreed to them is another problem). Are you going to take |
| 84 |
> > legal and financial responsibility if his employer claims copyright to |
| 85 |
> > his contributions? And if you say yes, are you going to really take it |
| 86 |
> > or go with the forementioned attitude that we can't legally force you |
| 87 |
> > to? |
| 88 |
> > |
| 89 |
> |
| 90 |
> I do disagree on this point. I believe the Foundation did take |
| 91 |
> appropriate measures to reduce the legal liability when he was |
| 92 |
> recruited. I think it should have been clearly explained how he has |
| 93 |
> become a legal liability to the Foundation before his access was taken |
| 94 |
> away from him. |
| 95 |
> |
| 96 |
|
| 97 |
The Foundation has always carried legal risk. Only recently have we |
| 98 |
(through the awesome work of ulm@ and others) had a policy to help mitigate |
| 99 |
it. These contributors have not 'suddenly become a legal risk' but instead |
| 100 |
the community (council and foundation combined) have adopted a more |
| 101 |
risk-averse stance by adopting GLEP-76 and that results in some |
| 102 |
contributors being unable to contribute. I'm not sure what else needs to be |
| 103 |
explained. |
| 104 |
|
| 105 |
|
| 106 |
> |
| 107 |
> You also bring up a more interesting point here. If I work with a user |
| 108 |
> who has lied to me about their identity, and their employer decided to |
| 109 |
> take it to court, who is liable? Am I at fault for having good faith or |
| 110 |
> is it a neglect on the Foundation's side? |
| 111 |
> |
| 112 |
|
| 113 |
I'm not a lawyer, so I won't speculate on this specific instance. Having a |
| 114 |
policy where commits require a DCO and we take some measure to not accept |
| 115 |
contributions when we have knowledge that the DCO is wrong / invalid is |
| 116 |
clearly better than our previous policy (which was basically "accept all |
| 117 |
contributions.") Whether it is sufficient to prevent any specific legal |
| 118 |
suit, I couldn't tell you. |
| 119 |
|
| 120 |
|
| 121 |
> |
| 122 |
> >> I invited some gifted people with |
| 123 |
> >> high quality out-of-tree work to become contributors or developers, |
| 124 |
> >> but due to hostile attitude towards anonymous contributors they |
| 125 |
> >> can't join. And people want to stay anonymous for good reasons, |
| 126 |
> >> because they are engaged with privacy oriented development. |
| 127 |
> > |
| 128 |
> > This is a very vague statement that sounds like serious overstatement |
| 129 |
> > with no proof, aimed purely to force emotional reaction to support your |
| 130 |
> > proposal. If you really want to propose something meaningful, I'd |
| 131 |
> > really appreciate if you used real evidence to support it rather than |
| 132 |
> > vague claims. |
| 133 |
> > |
| 134 |
> >> We are loosing real people, real contributions and real community. |
| 135 |
> >> What for? For solving imaginary problems with inappropriate tools. |
| 136 |
> >> |
| 137 |
> > |
| 138 |
> > Thank you for telling us that copyright is an imaginary problem. |
| 139 |
> > |
| 140 |
> |
| 141 |
> I can't help but agree with the point that we are losing real |
| 142 |
> contributors and real community. And people whom I talked to didn't |
| 143 |
> oppose the Foundation's attempt to reduce legal liability. They were |
| 144 |
> frustrated by the arbitrary enforcement and not having their opinions |
| 145 |
> heard. The fact that people can get away with using a pseudonym as long |
| 146 |
> as it reads like a normal person name (for which there is no definition) |
| 147 |
> is something we have to address to the people who weren't as lucky with |
| 148 |
> their choice of pseudonym and lost their ability to contribute. |
| 149 |
> |
| 150 |
|
| 151 |
If you want to make a point that Gentoo leadership is bad at making |
| 152 |
opposing feelings heard, well I'd probably agree with you (this thread is |
| 153 |
one such example.) If you want to make some kind of point that "having an |
| 154 |
opinion heard means we change the policy to suit that opinion" then I think |
| 155 |
we just disagree on that point. Don't make it out like we made the decision |
| 156 |
without thinking of anonymous / pseudonymous contributors; numerous |
| 157 |
discussions were had about them and we could not find a way to include them |
| 158 |
in the policy. |
| 159 |
|
| 160 |
That doesn't mean we didn't hear their thoughts and objections though. |
| 161 |
|
| 162 |
-A |
| 163 |
|
| 164 |
|
| 165 |
> |
| 166 |
> -- |
| 167 |
> gokturk |
| 168 |
> |
| 169 |
> |
Archives