On Tue, Apr 9, 2019 at 4:18 PM Gokturk Yuksek <gokturk@g.o> wrote:

> Hi,
>
> I'd like to voice my opinion on the matter as well. Full disclosure:
> NP-Hardass is my mentor and I also had a co-maintainer who has been
> distressed by the enforcement of the GLEP.
>
> Michał Górny:
> > On Wed, 2019-04-03 at 17:43 +0300, Andrew Savchenko wrote:
> >> Why? We have no way to verify that provided names are valid or that
> >> provided ID's are valid. At least in my jurisdiction such
> >> information collected can't be used for legal action or protection
> >> without following established government-assisted verification
> >> procedure. In other jurisdictions similar problems may and will
> >> arise.
> >
> > 'Perfect is the enemy of good'. Claiming that you can't be 100% sure
> > that someone's giving his real name doesn't imply that everyone is using
> > fake names. Or that it makes no sense to use them.
> >
>
> I understand that but it creates problems with the consistent
> enforcement of the policy. There are no clear guidelines as to how we
> decide who requires identity validation and who doesn't. We don't even
> know who is tasked with making the request and performing the
> validation. If I work with a user and I am convinced that they provide
> their real name, is that sufficient for the foundation? Can I
> arbitrarily be suspicious of any user and demand them to provide their
> identity?
>

So first a preface: I would prefer we accept a name until we have some
reasonable suspicion that it is wrong.
If someone submitted as "boaty mcboatface" it might immediately raise such
a suspicion; but a contributor who contributed as "John Doe" might not. It's
very subjective, yes, and we don't offer better guidelines.

So to your first question, yes, it's sufficient.
To your second question, you could, but I think that would be wrong and if
I found out I'd probably talk to you about it and if it continued, I'd
probably take some kind of remedial action. The intent is to have a
reasonable suspicion of fraud or wrongdoing, not to just do it
willy-nilly.

That being said I don't intend to forge a policy that is bullet-proof. If I
cannot trust fellow project members to act well, they might as well just
leave the project now. If project members are looking for "a list of rules
to follow" my only rules are "don't be an ass" and if you are told you are
being an ass, maybe listen and take that advice as opposed to objecting.

>
> >> Additional problem is personal data collection, it is
> >> restricted or heavily regulated in many countries. One can't just
> >> demand to show an ID via electronic means without following
> >> complicated data protection procedures which are likely to be
> >> incompatible between jurisdictions.
> >
> > Do you have any proof of that, or are you just basing your comments
> > on the common concept of misunderstanding GDPR and extending it to match
> > your private interest?
> >
>
> At the very least, insecure transportation and storage of legal
> documents has a potential to lead to identity theft, which makes it a
> legal liability in and of itself. I don't think we should be dismissive
> on this point.
>

I don't believe any policies require collecting personal data currently.

>
> >> So the real name requirement gives us no real protection from
> >> possible cases, but creates real and serious problems by kicking
> >> active developers and contributors from further contributions.
> >> NP-Hardass is not the only one.
> >
> > Do you have any proof of that? As far as I'm concerned, we're pretty
> > clear that NP-Hardass can't contribute to Gentoo, and that his previous
> > contributions shouldn't have been accepted in the first place (and why
> > Trustees agreed to them is another problem). Are you going to take
> > legal and financial responsibility if his employer claims copyright to
> > his contributions? And if you say yes, are you going to really take it
> > or go with the forementioned attitude that we can't legally force you
> > to?
> >
>
> I do disagree on this point. I believe the Foundation did take
> appropriate measures to reduce the legal liability when he was
> recruited. I think it should have been clearly explained how he has
> become a legal liability to the Foundation before his access was taken
> away from him.
>

The Foundation has always carried legal risk. Only recently have we
(through the awesome work of ulm@ and others) had a policy to help mitigate
it. These contributors have not 'suddenly become a legal risk' but instead
the community (council and foundation combined) have adopted a more
risk-averse stance by adopting GLEP-76 and that results in some
contributors being unable to contribute. I'm not sure what else needs to be
explained.

>
> You also bring up a more interesting point here. If I work with a user
> who has lied to me about their identity, and their employer decided to
> take it to court, who is liable? Am I at fault for having good faith or
> is it a neglect on the Foundation's side?
>

I'm not a lawyer, so I won't speculate on this specific instance. Having a
policy where commits require a DCO and we take some measure to not accept
contributions when we have knowledge that the DCO is wrong / invalid is
clearly better than our previous policy (which was basically "accept all
contributions.") Whether it is sufficient to prevent any specific legal
suit, I couldn't tell you.

>
> >> I invited some gifted people with
> >> high quality out-of-tree work to become contributors or developers,
> >> but due to hostile attitude towards anonymous contributors they
> >> can't join. And people want to stay anonymous for good reasons,
> >> because they are engaged with privacy oriented development.
> >
> > This is a very vague statement that sounds like serious overstatement
> > with no proof, aimed purely to force emotional reaction to support your
> > proposal. If you really want to propose something meaningful, I'd
> > really appreciate if you used real evidence to support it rather than
> > vague claims.
> >
> >> We are losing real people, real contributions and real community.
> >> What for? For solving imaginary problems with inappropriate tools.
> >>
> >
> > Thank you for telling us that copyright is an imaginary problem.
> >
>
> I can't help but agree with the point that we are losing real
> contributors and real community. And people whom I talked to didn't
> oppose the Foundation's attempt to reduce legal liability. They were
> frustrated by the arbitrary enforcement and not having their opinions
> heard. The fact that people can get away with using a pseudonym as long
> as it reads like a normal person name (for which there is no definition)
> is something we have to address to the people who weren't as lucky with
> their choice of pseudonym and lost their ability to contribute.
>

If you want to make a point that Gentoo leadership is bad at making
opposing feelings heard, well I'd probably agree with you (this thread is
one such example.) If you want to make some kind of point that "having an
opinion heard means we change the policy to suit that opinion" then I think
we just disagree on that point. Don't make it out like we made the decision
without thinking of anonymous / pseudonymous contributors; numerous
discussions were had about them and we could not find a way to include them
in the policy.

That doesn't mean we didn't hear their thoughts and objections though.

-A

>
> --
> gokturk