| 1 |
Alec Warner: |
| 2 |
> On Tue, Apr 9, 2019 at 4:18 PM Gokturk Yuksek <gokturk@g.o> wrote: |
| 3 |
> |
| 4 |
>> Hi, |
| 5 |
>> |
| 6 |
>> I'd like to voice my opinion on the matter as well. Full disclosure: |
| 7 |
>> NP-Hardass is my mentor and I also had a co-maintainer who has been |
| 8 |
>> distressed by the enforcement of the GLEP. |
| 9 |
>> |
| 10 |
>> Michał Górny: |
| 11 |
>>> On Wed, 2019-04-03 at 17:43 +0300, Andrew Savchenko wrote: |
| 12 |
>>>> Why? We have no way to verify that provided names are valid or that |
| 13 |
>>>> provided ID's are valid. At least in my jurisdiction such |
| 14 |
>>>> information collected can't be used for legal action or protection |
| 15 |
>>>> without following established government-assisted verification |
| 16 |
>>>> procedure. In other jurisdictions similar problems may and will |
| 17 |
>>>> arise. |
| 18 |
>>> |
| 19 |
>>> 'Perfect is the enemy of good'. Claiming that you can't be 100% sure |
| 20 |
>>> that someone's giving his real name doesn't imply that everyone is using |
| 21 |
>>> fake names. Or that it makes no sense to use them. |
| 22 |
>>> |
| 23 |
>> |
| 24 |
>> I understand that but it creates problems with the consistent |
| 25 |
>> enforcement of the policy. There are no clear guidelines as to how we |
| 26 |
>> decide who requires identity validation and who doesn't. We don't even |
| 27 |
>> know who is tasked with making the request and performing the |
| 28 |
>> validation. If I work with a user and I am convinced that they provide |
| 29 |
>> their real name, is that sufficient for the foundation? Can I |
| 30 |
>> arbitrarily be suspicious of any user and demand them to provide their |
| 31 |
>> identity? |
| 32 |
>> |
| 33 |
> |
| 34 |
> So first a preface: I would prefer we accept a name until we have some |
| 35 |
> reasonable suspicion that it is wrong. |
| 36 |
> If someone submitted as "boaty mcboatface" it might immediately raise such |
| 37 |
> a suspicion; but a contributor who contributed as "John Doe" might not. Its |
| 38 |
> very subjective, yes, and we don't offer better guidelines. |
| 39 |
> |
| 40 |
> So to your first question, yes its sufficient. |
| 41 |
|
| 42 |
Thanks for clarifying that. |
| 43 |
|
| 44 |
> To your second question, you could, but I think that would be wrong and if |
| 45 |
> I found out I'd probably talk to you about it and if it continued, I'd |
| 46 |
> probably take some kind of remedial action. The intent is to have a |
| 47 |
> reasonable suspicion of fraud or wrongdoing, not to do just do it willy |
| 48 |
> nilly. |
| 49 |
> |
| 50 |
> That being said I don't intend to forge a policy that is bullet-proof. If I |
| 51 |
> cannot trust fellow project members to act well, they might as well just |
| 52 |
> leave the project now. If project members are looking for "a list of rules |
| 53 |
> to follow" my only rules are "don't be an ass" and if you are told you are |
| 54 |
> being an ass, maybe listen and take that advice as opposed to objecting. |
| 55 |
> |
| 56 |
|
| 57 |
My point about the guidelines is for the concern on the receiving party. |
| 58 |
I suspect there may be situations where saying "I'm not convinced that |
| 59 |
this is a real name of a person. Would you please provide me a proof of |
| 60 |
ID?" is perceived offensive. Guidelines published by the Foundation help |
| 61 |
developers justify their stance and ease people into compliance, I think. |
| 62 |
|
| 63 |
> |
| 64 |
>> |
| 65 |
>>>> Additional problem is personal data collection, it is |
| 66 |
>>>> restricted or heavily regulated in many countries. One can't just |
| 67 |
>>>> demand to show an ID via electronic means without following |
| 68 |
>>>> complicated data protection procedures which are likely to be |
| 69 |
>>>> incompatible between jurisdictions. |
| 70 |
>>> |
| 71 |
>>> Do you have any proof of that, or are you just basing your comments |
| 72 |
>>> on the common concept of misunderstanding GDPR and extending it to match |
| 73 |
>>> your private interest? |
| 74 |
>>> |
| 75 |
>> |
| 76 |
>> At the very least, insecure transportation and storage of legal |
| 77 |
>> documents has a potential to lead to identity theft, which makes it a |
| 78 |
>> legal liability in and of itself. I don't think we should be dismissive |
| 79 |
>> on this point. |
| 80 |
>> |
| 81 |
> |
| 82 |
> I don't believe any policies require collecting personal data currently. |
| 83 |
> |
| 84 |
|
| 85 |
If I have suspicions about a contributor's identity, would you advise me |
| 86 |
on a method of validation that doesn't require the electronic transfer |
| 87 |
of a government approved identification? |
| 88 |
|
| 89 |
> |
| 90 |
>> |
| 91 |
>>>> So the real name requirement gives us no real protection from |
| 92 |
>>>> possible cases, but creates real and serious problems by kicking |
| 93 |
>>>> active developers and contributors from further contributions. |
| 94 |
>>>> NP-Hardass is not the only one. |
| 95 |
>>> |
| 96 |
>>> Do you have any proof of that? As far as I'm concerned, we're pretty |
| 97 |
>>> clear that NP-Hardass can't contribute to Gentoo, and that his previous |
| 98 |
>>> contributions shouldn't have been accepted in the first place (and why |
| 99 |
>>> Trustees agreed to them is another problem). Are you going to take |
| 100 |
>>> legal and financial responsibility if his employer claims copyright to |
| 101 |
>>> his contributions? And if you say yes, are you going to really take it |
| 102 |
>>> or go with the forementioned attitude that we can't legally force you |
| 103 |
>>> to? |
| 104 |
>>> |
| 105 |
>> |
| 106 |
>> I do disagree on this point. I believe the Foundation did take |
| 107 |
>> appropriate measures to reduce the legal liability when he was |
| 108 |
>> recruited. I think it should have been clearly explained how he has |
| 109 |
>> become a legal liability to the Foundation before his access was taken |
| 110 |
>> away from him. |
| 111 |
>> |
| 112 |
> |
| 113 |
> The Foundation has always carried legal risk. Only recently have we |
| 114 |
> (through the awesome work of ulm@ and others) had a policy to help mitigate |
| 115 |
> it. These contributors have not 'suddenly become a legal risk' but instead |
| 116 |
> the community (council and foundation combined) have adopted a more |
| 117 |
> risk-averse stance by adopting GLEP-76 and that results in some |
| 118 |
> contributors being unable to contribute. I'm not sure what else needs to be |
| 119 |
> explained. |
| 120 |
> |
| 121 |
> |
| 122 |
|
| 123 |
To the best of my knowledge, the Foundation has a long established |
| 124 |
practice of allowing developers to use pseudonyms on the condition that |
| 125 |
they reveal their legal identity to the Foundation for legal protection. |
| 126 |
Was the exclusion of developers with pseudonyms as per GLEP76 a result |
| 127 |
of a conclusion that the Foundation being informed about developers |
| 128 |
legal identity wrt copyright infringement carries more risk compared to |
| 129 |
their total exclusion from development? |
| 130 |
|
| 131 |
>> |
| 132 |
>> You also bring up a more interesting point here. If I work with a user |
| 133 |
>> who has lied to me about their identity, and their employer decided to |
| 134 |
>> take it to court, who is liable? Am I at fault for having good faith or |
| 135 |
>> is it a neglect on the Foundation's side? |
| 136 |
>> |
| 137 |
> |
| 138 |
> I'm not a lawyer, so I won't speculate on this specific instance. Having a |
| 139 |
> policy where commits require a DCO and we take some measure to not accept |
| 140 |
> contributions when we have knowledge that the DCO is wrong / invalid is |
| 141 |
> clearly better than our previous policy (which was basically "accept all |
| 142 |
> contributions.") Whether it is sufficient to prevent any specific legal |
| 143 |
> suit, I couldn't tell you. |
| 144 |
> |
| 145 |
> |
| 146 |
>> |
| 147 |
>>>> I invited some gifted people with |
| 148 |
>>>> high quality out-of-tree work to become contributors or developers, |
| 149 |
>>>> but due to hostile attitude towards anonymous contributors they |
| 150 |
>>>> can't join. And people want to stay anonymous for good reasons, |
| 151 |
>>>> because they are engaged with privacy oriented development. |
| 152 |
>>> |
| 153 |
>>> This is a very vague statement that sounds like serious overstatement |
| 154 |
>>> with no proof, aimed purely to force emotional reaction to support your |
| 155 |
>>> proposal. If you really want to propose something meaningful, I'd |
| 156 |
>>> really appreciate if you used real evidence to support it rather than |
| 157 |
>>> vague claims. |
| 158 |
>>> |
| 159 |
>>>> We are loosing real people, real contributions and real community. |
| 160 |
>>>> What for? For solving imaginary problems with inappropriate tools. |
| 161 |
>>>> |
| 162 |
>>> |
| 163 |
>>> Thank you for telling us that copyright is an imaginary problem. |
| 164 |
>>> |
| 165 |
>> |
| 166 |
>> I can't help but agree with the point that we are losing real |
| 167 |
>> contributors and real community. And people whom I talked to didn't |
| 168 |
>> oppose the Foundation's attempt to reduce legal liability. They were |
| 169 |
>> frustrated by the arbitrary enforcement and not having their opinions |
| 170 |
>> heard. The fact that people can get away with using a pseudonym as long |
| 171 |
>> as it reads like a normal person name (for which there is no definition) |
| 172 |
>> is something we have to address to the people who weren't as lucky with |
| 173 |
>> their choice of pseudonym and lost their ability to contribute. |
| 174 |
>> |
| 175 |
> |
| 176 |
> If you want to make a point that Gentoo leadership is bad at making |
| 177 |
> opposing feelings heard, well I'd probably agree with you (this thread is |
| 178 |
> one such example.) If you want to make some kind of point that "having an |
| 179 |
> opinion heard means we change the policy to suit that opinion" then I think |
| 180 |
> we just disagree on that point. Don't make it out like we made the decision |
| 181 |
> without thinking of anonymous / pseudonymous contributors; numerous |
| 182 |
> discussions were had about them and we could not find a way to include them |
| 183 |
> in the policy. |
| 184 |
> |
| 185 |
> That doesn't mean we didn't hear their thoughts and objections though. |
| 186 |
> |
| 187 |
> -A |
| 188 |
> |
| 189 |
|
| 190 |
Perhaps the people I talked to didn't find the right people to talk to |
| 191 |
before me. I'm not trying to paint the leadership as ignorant or bad. I |
| 192 |
understand that this is all volunteer work first and foremost. I wasn't |
| 193 |
implying to enact a change in the policy on the basis that people's |
| 194 |
opinions haven't been sufficiently heard. |
| 195 |
|
| 196 |
> |
| 197 |
>> |
| 198 |
>> -- |
| 199 |
>> gokturk |
| 200 |
>> |
| 201 |
>> |
Archives