Gentoo Archives: gentoo-project

From: Andrew Savchenko <bircoph@g.o>
To: gentoo-project@l.g.o
Subject: Re: [gentoo-project] call for agenda items -- council meeting 2019-04-14
Date: Wed, 03 Apr 2019 18:13:00
Message-Id: 20190403211251.af935f67d3cc0c2b4356a95b@gentoo.org
In Reply to: Re: [gentoo-project] call for agenda items -- council meeting 2019-04-14 by Andrew Savchenko
1 On Wed, 3 Apr 2019 17:43:15 +0300 Andrew Savchenko wrote:
2 > On Wed, 3 Apr 2019 10:04:36 -0400 NP-Hardass wrote:
3 > > On 4/3/19 8:43 AM, Alec Warner wrote:
4 > > >
5 > > >
6 > > > On Wed, Apr 3, 2019 at 7:31 AM NP-Hardass <NP-Hardass@g.o
7 > > > <mailto:NP-Hardass@g.o>> wrote:
8 > > >
9 > > > On 3/31/19 11:20 PM, William Hubbs wrote:
10 > > > > Hi all,
11 > > > >
12 > > > > two weeks from today (2019-04-14) the Gentoo Council will meet at
13 > > > > 19:00 UTC in the #gentoo-council channel on freenode.
14 > > > >
15 > > > > Please reply to this message with any items you would like us to
16 > > > put on
17 > > > > the agenda to discuss or vote on.
18 > > > >
19 > > > > Thanks much,
20 > > > >
21 > > > > William
22 > > > >
23 > > >
24 > > > I'd like the council to discuss the issue and general trend of actions
25 > > > (particularly recent) to restrict the ability of developers to
26 > > > contribute to Gentoo.  In my view, efforts are being made to make
27 > > > contributions as users substantially easier, while efforts are being
28 > > > made to make being a developer substantially harder.  The months of
29 > > > studying, quiz taking, and interviews set a bar that should make
30 > > > contributions from those individuals that become developers easier than
31 > > > the average user, not more difficult.
32 > > >
33 > > >
34 > > > This is a pretty vague statement, are there particular things you want
35 > > > the council to review; or just the 'general trend'?
36 > > > I'm not aware of any recent changes to the developer onboarding process.
37 > > >
38 > > > -A
39 > > >  
40 > > >
41 > > >
42 > > > --
43 > > > NP-Hardass
44 > > >
45 > >
46 > > Not just the onboarding, but the retention too. General trend is what
47 > > I'm proposing should be discussed publicly during the meeting.
48 > >
49 > > Three points:
50 > >
51 > > At present time, everyone needs a "Real Name" to contribute. A user,
52 > > with a new email address, can allege to be "Foo Bar" and contribute
53 > > without impediment, but, as recent proposals would have it, developers
54 > > would need to show proof of ID over video call to become part of the web
55 > > of trust for committing. That effectively allows any user to remain
56 > > anonymous by using a false name, obviating a huge portion of the alleged
57 > > benefit to requiring names in the first place. So, developers can be
58 > > held to such a high standard that they can either no longer contribute,
59 > > while we trim eligible pool of new developers and compare that to the
60 > > ease with which any "named" contributor on github or bugzilla can do as
61 > > they please.
62 > >
63 > > We currently have a RFC, just posted two days ago, for developers to be
64 > > regularly tested to maintain commit status. Again, if the developer
65 > > feels like it, maybe it is easier for him/her to just become a plain old
66 > > user and submit patches, waiting on the (as I see it, dwindling,) amount
67 > > of active other developers ready to commit instead.
68 >
69 > That RFC was issued on 1st April, so I assume it to be an ill joke.
70 >
71 > > Totally anecdotal, I've seen developers that have fairly decent QA on
72 > > their own commits merge PRs from users without full review and
73 > > introducing a whole host of issues because code from users isn't always
74 > > vetted as thoroughly as one's own work. So, I'd argue, the QA standards
75 > > of being a dev don't quite apply to you as stringently once you
76 > > downgrade to being a user...
77 > >
78 > > At the end of the day, holding developers to higher standards than users
79 > > is a given, but it shouldn't be more onerous to be a developer than to
80 > > be a user contributing.
81 >
82 > As you already noted, users also have to sign-off contributions with
83 > their real names, though we have no way to verify those names, as
84 > well as for developers actually.
85 >
86 > With all due respect GLEP76 was prepared by people without much
87 > legal expertise and creates more problems than it solves. The part of
88 > GLEP76 mandating real name signatures *must* be amended.
89 >
90 > Why? We have no way to verify that provided names are valid or that
91 > provided ID's are valid. At least in my jurisdiction such
92 > information collected can't be used for legal action or protection
93 > without following established government-assisted verification
94 > procedure. In other jurisdictions similar problems may and will
95 > arise. An additional problem is personal data collection; it is
96 > restricted or heavily regulated in many countries. One can't just
97 > demand to show an ID via electronic means without following
98 > complicated data protection procedures which are likely to be
99 > incompatible between jurisdictions.
100 >
101 > So the real name requirement gives us no real protection from
102 > possible cases, but creates real and serious problems by kicking
103 > active developers and contributors from further contributions.
104 > NP-Hardass is not the only one. I invited some gifted people with
105 > high quality out-of-tree work to become contributors or developers,
106 > but due to hostile attitude towards anonymous contributors they
107 > can't join. And people want to stay anonymous for good reasons,
108 > because they are engaged with privacy oriented development.
109 >
110 > We are losing real people, real contributions and real community.
111 > What for? For solving imaginary problems with inappropriate tools.
112
113 Since the Council usually makes decisions on some specific proposals
114 and not on vague ideas, here is my proposal on this subject: keep real
115 name as a recommendation, not as a requirement. See a draft patch to
116 GLEP 76 below. It is not intended to be a final wording, but it
117 shows the idea.
118
119 diff --git a/glep-0076.rst b/glep-0076.rst
120 index 9d5aa79..b16fae7 100644
121 --- a/glep-0076.rst
122 +++ b/glep-0076.rst
123 @@ -137,8 +137,9 @@ the Certificate of Origin by adding ::
124 Signed-off-by: Name <e-mail>
125
126 to the commit message as a separate line. The sign-off must contain
127 -the committer's legal name as a natural person, i.e., the name that
128 -would appear in a government issued document.
129 +either the committer's legal name as a natural person, i.e., the name
130 +that would appear in a government issued document or the pseudonym.
131 +Usage of the legal name is recommended.
132
133 The following is the current Gentoo Certificate of Origin, revision 1:
134
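Review bot: In the added sentence, "the pseudonym" has no antecedent and, placed directly after "government issued document", can be read as a pseudonym that appears in such a document. Consider "either the committer's legal name as a natural person (the name that would appear in a government issued document) or a pseudonym", and state what the paragraph expects of a pseudonym, since "must contain" now sits next to "is recommended" with no condition on the alternative.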
135 @@ -242,10 +243,9 @@ to protect the Gentoo infrastructure owners and improve consistency.
136
137 The copyright model is built on the DCO model used by the Linux kernel
138 and requires all contributors to certify the legitimacy of their
139 -contributions. This also requires that they use their real name for
140 -signing; an anonymous certification or one under a pseudonym would not
141 -mean anything. This policy is derived from the Linux project's policy
142 -[#SUBMITTING-PATCHES]_.
143 +contributions. This also requires that they use their real name
144 +(recommended) or a pseudonym for signing. This policy is derived from the
145 +Linux project's policy [#SUBMITTING-PATCHES]_.
146
147 In the future, a second stage of this policy may use a combination of
148 the DCO model and an FLA model [#FLA]_ as it is used by different open
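Review bot: The new wording "requires that they use their real name (recommended) or a pseudonym" mixes a requirement with a recommendation, and the removed rationale ("an anonymous certification or one under a pseudonym would not mean anything") is dropped without a replacement explaining why a pseudonymous certification is now acceptable. The retained sentence "This policy is derived from the Linux project's policy [#SUBMITTING-PATCHES]_" now directly follows the pseudonym allowance, so it should either be reworded to attach only to the DCO model or be checked against the cited reference.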
149
150
151 Best regards,
152 Andrew Savchenko
