1 |
Alec Warner: |
2 |
> On Tue, Apr 9, 2019 at 4:18 PM Gokturk Yuksek <gokturk@g.o> wrote: |
3 |
> |
4 |
>> Hi, |
5 |
>> |
6 |
>> I'd like to voice my opinion on the matter as well. Full disclosure: |
7 |
>> NP-Hardass is my mentor and I also had a co-maintainer who has been |
8 |
>> distressed by the enforcement of the GLEP. |
9 |
>> |
10 |
>> Michał Górny: |
11 |
>>> On Wed, 2019-04-03 at 17:43 +0300, Andrew Savchenko wrote: |
12 |
>>>> Why? We have no way to verify that provided names are valid or that |
13 |
>>>> provided ID's are valid. At least in my jurisdiction such |
14 |
>>>> information collected can't be used for legal action or protection |
15 |
>>>> without following established government-assisted verification |
16 |
>>>> procedure. In other jurisdictions similar problems may and will |
17 |
>>>> arise. |
18 |
>>> |
19 |
>>> 'Perfect is the enemy of good'. Claiming that you can't be 100% sure |
20 |
>>> that someone's giving his real name doesn't imply that everyone is using |
21 |
>>> fake names. Or that it makes no sense to use them. |
22 |
>>> |
23 |
>> |
24 |
>> I understand that but it creates problems with the consistent |
25 |
>> enforcement of the policy. There are no clear guidelines as to how we |
26 |
>> decide who requires identity validation and who doesn't. We don't even |
27 |
>> know who is tasked with making the request and performing the |
28 |
>> validation. If I work with a user and I am convinced that they provide |
29 |
>> their real name, is that sufficient for the foundation? Can I |
30 |
>> arbitrarily be suspicious of any user and demand them to provide their |
31 |
>> identity? |
32 |
>> |
33 |
> |
34 |
> So first a preface: I would prefer we accept a name until we have some |
35 |
> reasonable suspicion that it is wrong. |
36 |
> If someone submitted as "boaty mcboatface" it might immediately raise such |
37 |
> a suspicion; but a contributor who contributed as "John Doe" might not. Its |
38 |
> very subjective, yes, and we don't offer better guidelines. |
39 |
> |
40 |
> So to your first question, yes its sufficient. |
41 |
|
42 |
Thanks for clarifying that. |
43 |
|
44 |
> To your second question, you could, but I think that would be wrong and if |
45 |
> I found out I'd probably talk to you about it and if it continued, I'd |
46 |
> probably take some kind of remedial action. The intent is to have a |
47 |
> reasonable suspicion of fraud or wrongdoing, not to do just do it willy |
48 |
> nilly. |
49 |
> |
50 |
> That being said I don't intend to forge a policy that is bullet-proof. If I |
51 |
> cannot trust fellow project members to act well, they might as well just |
52 |
> leave the project now. If project members are looking for "a list of rules |
53 |
> to follow" my only rules are "don't be an ass" and if you are told you are |
54 |
> being an ass, maybe listen and take that advice as opposed to objecting. |
55 |
> |
56 |
|
57 |
My point about the guidelines is for the concern on the receiving party. |
58 |
I suspect there may be situations where saying "I'm not convinced that |
59 |
this is a real name of a person. Would you please provide me a proof of |
60 |
ID?" is perceived offensive. Guidelines published by the Foundation help |
61 |
developers justify their stance and ease people into compliance, I think. |
62 |
|
63 |
> |
64 |
>> |
65 |
>>>> Additional problem is personal data collection, it is |
66 |
>>>> restricted or heavily regulated in many countries. One can't just |
67 |
>>>> demand to show an ID via electronic means without following |
68 |
>>>> complicated data protection procedures which are likely to be |
69 |
>>>> incompatible between jurisdictions. |
70 |
>>> |
71 |
>>> Do you have any proof of that, or are you just basing your comments |
72 |
>>> on the common concept of misunderstanding GDPR and extending it to match |
73 |
>>> your private interest? |
74 |
>>> |
75 |
>> |
76 |
>> At the very least, insecure transportation and storage of legal |
77 |
>> documents has a potential to lead to identity theft, which makes it a |
78 |
>> legal liability in and of itself. I don't think we should be dismissive |
79 |
>> on this point. |
80 |
>> |
81 |
> |
82 |
> I don't believe any policies require collecting personal data currently. |
83 |
> |
84 |
|
85 |
If I have suspicions about a contributor's identity, would you advise me |
86 |
on a method of validation that doesn't require the electronic transfer |
87 |
of a government approved identification? |
88 |
|
89 |
> |
90 |
>> |
91 |
>>>> So the real name requirement gives us no real protection from |
92 |
>>>> possible cases, but creates real and serious problems by kicking |
93 |
>>>> active developers and contributors from further contributions. |
94 |
>>>> NP-Hardass is not the only one. |
95 |
>>> |
96 |
>>> Do you have any proof of that? As far as I'm concerned, we're pretty |
97 |
>>> clear that NP-Hardass can't contribute to Gentoo, and that his previous |
98 |
>>> contributions shouldn't have been accepted in the first place (and why |
99 |
>>> Trustees agreed to them is another problem). Are you going to take |
100 |
>>> legal and financial responsibility if his employer claims copyright to |
101 |
>>> his contributions? And if you say yes, are you going to really take it |
102 |
>>> or go with the forementioned attitude that we can't legally force you |
103 |
>>> to? |
104 |
>>> |
105 |
>> |
106 |
>> I do disagree on this point. I believe the Foundation did take |
107 |
>> appropriate measures to reduce the legal liability when he was |
108 |
>> recruited. I think it should have been clearly explained how he has |
109 |
>> become a legal liability to the Foundation before his access was taken |
110 |
>> away from him. |
111 |
>> |
112 |
> |
113 |
> The Foundation has always carried legal risk. Only recently have we |
114 |
> (through the awesome work of ulm@ and others) had a policy to help mitigate |
115 |
> it. These contributors have not 'suddenly become a legal risk' but instead |
116 |
> the community (council and foundation combined) have adopted a more |
117 |
> risk-averse stance by adopting GLEP-76 and that results in some |
118 |
> contributors being unable to contribute. I'm not sure what else needs to be |
119 |
> explained. |
120 |
> |
121 |
> |
122 |
|
123 |
To the best of my knowledge, the Foundation has a long established |
124 |
practice of allowing developers to use pseudonyms on the condition that |
125 |
they reveal their legal identity to the Foundation for legal protection. |
126 |
Was the exclusion of developers with pseudonyms as per GLEP76 a result |
127 |
of a conclusion that the Foundation being informed about developers |
128 |
legal identity wrt copyright infringement carries more risk compared to |
129 |
their total exclusion from development? |
130 |
|
131 |
>> |
132 |
>> You also bring up a more interesting point here. If I work with a user |
133 |
>> who has lied to me about their identity, and their employer decided to |
134 |
>> take it to court, who is liable? Am I at fault for having good faith or |
135 |
>> is it a neglect on the Foundation's side? |
136 |
>> |
137 |
> |
138 |
> I'm not a lawyer, so I won't speculate on this specific instance. Having a |
139 |
> policy where commits require a DCO and we take some measure to not accept |
140 |
> contributions when we have knowledge that the DCO is wrong / invalid is |
141 |
> clearly better than our previous policy (which was basically "accept all |
142 |
> contributions.") Whether it is sufficient to prevent any specific legal |
143 |
> suit, I couldn't tell you. |
144 |
> |
145 |
> |
146 |
>> |
147 |
>>>> I invited some gifted people with |
148 |
>>>> high quality out-of-tree work to become contributors or developers, |
149 |
>>>> but due to hostile attitude towards anonymous contributors they |
150 |
>>>> can't join. And people want to stay anonymous for good reasons, |
151 |
>>>> because they are engaged with privacy oriented development. |
152 |
>>> |
153 |
>>> This is a very vague statement that sounds like serious overstatement |
154 |
>>> with no proof, aimed purely to force emotional reaction to support your |
155 |
>>> proposal. If you really want to propose something meaningful, I'd |
156 |
>>> really appreciate if you used real evidence to support it rather than |
157 |
>>> vague claims. |
158 |
>>> |
159 |
>>>> We are loosing real people, real contributions and real community. |
160 |
>>>> What for? For solving imaginary problems with inappropriate tools. |
161 |
>>>> |
162 |
>>> |
163 |
>>> Thank you for telling us that copyright is an imaginary problem. |
164 |
>>> |
165 |
>> |
166 |
>> I can't help but agree with the point that we are losing real |
167 |
>> contributors and real community. And people whom I talked to didn't |
168 |
>> oppose the Foundation's attempt to reduce legal liability. They were |
169 |
>> frustrated by the arbitrary enforcement and not having their opinions |
170 |
>> heard. The fact that people can get away with using a pseudonym as long |
171 |
>> as it reads like a normal person name (for which there is no definition) |
172 |
>> is something we have to address to the people who weren't as lucky with |
173 |
>> their choice of pseudonym and lost their ability to contribute. |
174 |
>> |
175 |
> |
176 |
> If you want to make a point that Gentoo leadership is bad at making |
177 |
> opposing feelings heard, well I'd probably agree with you (this thread is |
178 |
> one such example.) If you want to make some kind of point that "having an |
179 |
> opinion heard means we change the policy to suit that opinion" then I think |
180 |
> we just disagree on that point. Don't make it out like we made the decision |
181 |
> without thinking of anonymous / pseudonymous contributors; numerous |
182 |
> discussions were had about them and we could not find a way to include them |
183 |
> in the policy. |
184 |
> |
185 |
> That doesn't mean we didn't hear their thoughts and objections though. |
186 |
> |
187 |
> -A |
188 |
> |
189 |
|
190 |
Perhaps the people I talked to didn't find the right people to talk to |
191 |
before me. I'm not trying to paint the leadership as ignorant or bad. I |
192 |
understand that this is all volunteer work first and foremost. I wasn't |
193 |
implying to enact a change in the policy on the basis that people's |
194 |
opinions haven't been sufficiently heard. |
195 |
|
196 |
> |
197 |
>> |
198 |
>> -- |
199 |
>> gokturk |
200 |
>> |
201 |
>> |