On Wed, 2019-04-03 at 18:35 -0400, Alec Warner wrote:
> On Wed, Apr 3, 2019 at 2:44 PM Michał Górny <mgorny@g.o> wrote:
>
> > On Wed, 2019-04-03 at 17:43 +0300, Andrew Savchenko wrote:
> > > Why? We have no way to verify that provided names are valid or that
> > > provided ID's are valid. At least in my jurisdiction such
> > > information collected can't be used for legal action or protection
> > > without following established government-assisted verification
> > > procedure. In other jurisdictions similar problems may and will
> > > arise.
> >
> > 'Perfect is the enemy of good'. Claiming that you can't be 100% sure
> > that someone's giving his real name doesn't imply that everyone is using
> > fake names. Or that it makes no sense to use them.
> >
> > > Additional problem is personal data collection, it is
> > > restricted or heavily regulated in many countries. One can't just
> > > demand to show an ID via electronic means without following
> > > complicated data protection procedures which are likely to be
> > > incompatible between jurisdictions.
> >
> > Do you have any proof of that, or are you just basing your comments
> > on the common concept of misunderstanding GDPR and extending it to match
> > your private interest?
> >
> > > So the real name requirement gives us no real protection from
> > > possible cases, but creates real and serious problems by kicking
> > > active developers and contributors from further contributions.
> > > NP-Hardass is not the only one.
> >
> > Do you have any proof of that? As far as I'm concerned, we're pretty
> > clear that NP-Hardass can't contribute to Gentoo, and that his previous
> > contributions shouldn't have been accepted in the first place (and why
> > Trustees agreed to them is another problem). Are you going to take
> > legal and financial responsibility if his employer claims copyright to
> > his contributions? And if you say yes, are you going to really take it
> > or go with the aforementioned attitude that we can't legally force you
> > to?
> >
>
> Under the current policy we do not accept contributions from contributors
> whose names we believe are not real identities. The current policy says
> nothing about previous contributions; almost everyone who contributed to
> Gentoo over the past 20 years did so without signing anything, without
> identity verification, and with no DCO. Those commits were accepted and
> continue to be accepted until we decide otherwise. I don't like the way you
> construe the previous work of hundreds of people who contributed to the
> project; I find the idea that we should never have accepted these
> contributions to be pretty offensive.
>
> You are free to blame the organization for having bad policies (and you do
> and I'm the board President and I will 1000% take the blame) but don't for
> a minute blame people who are just trying to contribute and following the
> policies that the project had at the time. As you wrote above "perfect is
> the enemy of the good" and if we rejected the previous 20 years of work
> we'd have basically nothing, so we accept that risk as a cost of continuing
> to exist as a Foundation. No business operates with zero risk.

I'm sorry. I don't know what exact knowledge people who made those
decisions had. I'm just saying that if you know that someone is hiding
his contributions to Gentoo from his employer, and if you know that
employers often claim copyright to all work their employees do... you
get the picture, right?

And no, I'm not saying people will sue the hell out of us, take all our
money, arrest all developers they can. What I'm really worried about is
that if they claim copyright to those contributions, we will have to
spend a lot of work finding all his contributions and replacing them
with unencumbered code. And it will be especially hard to prove we
aren't copying that copyrighted code given that ebuilds are very uniform
by nature.

> > > I invited some gifted people with
> > > high quality out-of-tree work to become contributors or developers,
> > > but due to hostile attitude towards anonymous contributors they
> > > can't join. And people want to stay anonymous for good reasons,
> > > because they are engaged with privacy oriented development.
> > This is a very vague statement that sounds like serious overstatement
> > with no proof, aimed purely to force emotional reaction to support your
> > proposal. If you really want to propose something meaningful, I'd
> > really appreciate if you used real evidence to support it rather than
> > vague claims.
> >
> > > We are losing real people, real contributions and real community.
> > > What for? For solving imaginary problems with inappropriate tools.
> > >
> >
> > Thank you for telling us that copyright is an imaginary problem.
> >
>
> Your words are like knives, and this leads to a perception of antagonism.

...and accusing Council of 'solving imaginary problems' is not? As far
as I'm concerned, that's a *very antagonistic* statement, and seriously
undermining Council's professionality.

> 1) The policies of the project currently prioritize a knowledge of where
> commits come from in order to eventually reduce liability risk for the
> project.
> 2) I firmly do not believe the project has anything against anonymous /
> pseudonymous contributors (nor should it; if you think it does I'm happy to
> amend bylaws, GLEPs, and any other charter documents to state that we have
> nothing against that type of contribution.)
> 3) The current policy makes it difficult to contribute in this way; because
> we have this trade-off we have made where we want to know where commits
> come from for legal reasons.
>
> It's OK to say "Hi X, we cannot accept your anonymous / pseudonymous
> contribution because of this policy, and we made this policy to solve a
> problem of copyright liability for the organization."
> I don't think it's OK to say "Hi X, it's completely unreasonable to want to
> contribute to Gentoo in an Anonymous or Pseudonymous manner; please file
> your identity papers to me immediately!"
>
> My reading is your comments are closer to the latter than the former; I'm
> just not sure why that is.
>
> I think it's perfectly sane to ask "how can we build an organization where
> we can accept pseudonymous contributions and contain our liability for code
> from unverified contributors?" and have people interested in that write up
> and vet proposals. I get that it's a complex and difficult problem area;
> maybe none of the proposals will work! but that doesn't mean we shouldn't
> try to do it.

This seems to entirely miss the point taken from Linux policy, and focus
on the 'Gentoo is Foundation' model. It's not. Gentoo is distributed
to all our users, and all our users need to be able to verify that
the code comes from contributors who are actually allowed to contribute.
They can't really hit 'Foundation has this data somewhere in secret'
wall. If not anything else, this makes the project non-transparent,
and raises serious doubts whether users can actually trust it.

--
Best regards,
Michał Górny