| 1 |
On Wed, Jun 20, 2018 at 9:06 AM Ulrich Mueller <ulm@g.o> wrote: |
| 2 |
> |
| 3 |
> >>>>> On Wed, 20 Jun 2018, Rich Freeman wrote: |
| 4 |
> |
| 5 |
> > The "underlying need" is what I'm getting at. Do we REALLY need to |
| 6 |
> > track developers post-retirement? If we do, is DOB really the best |
| 7 |
> > way to do this? |
| 8 |
> |
| 9 |
> I would presume that we do, if we need to clarify copyright or |
| 10 |
> licensing of any files in our repositories. I could provide several |
| 11 |
> examples where I had to contact retired devs because of license |
| 12 |
> issues. |
| 13 |
> |
| 14 |
> But indeed, knowing their date of birth wouldn't have helped there. |
| 15 |
|
| 16 |
Past developers may not be reachable, cooperative, or even alive. |
| 17 |
|
| 18 |
If we need information or assurances from them, we should obtain it |
| 19 |
BEFORE we accept commits, not try to chase it down years later. |
| 20 |
|
| 21 |
I'd be interested in any cases where we felt this was necessary. I |
| 22 |
know that a lot of work was done recently to try to figure out the |
| 23 |
license history of the tree, but honestly I'm not convinced it was |
| 24 |
necessary, and legally digging into messy situations can sometimes |
| 25 |
even be harmful. In general I think forward-looking solutions tend to |
| 26 |
be best unless there is a clear legal duty to look backwards. |
| 27 |
|
| 28 |
|
| 29 |
> |
| 30 |
> > And what are we going to do when some retired developer asks us to |
| 31 |
> > forget about them? I don't think legally we need to go retract |
| 32 |
> > published info, but that DOB seems very much the sort of thing that |
| 33 |
> > would be risky to hold on to if somebody explicitly told us they don't |
| 34 |
> > want us to retain it. We'd probably need justification to do so. |
| 35 |
> |
| 36 |
> The only justification I can think of is that we may need to know if |
| 37 |
> a developer was of legal age when committing any code. But that seems |
| 38 |
> very theoretical, since we don't even verify anybody's identity. |
| 39 |
> |
| 40 |
|
| 41 |
Even if we did verify somebody's identity, we could document that this |
| 42 |
was done, and not retain any personally-identifying info. |
| 43 |
|
| 44 |
Ultimately it comes down to what constitutes reasonable care, and that |
| 45 |
largely depends on why we're doing things in the first place. |
| 46 |
|
| 47 |
I could elaborate a lot more, but IMO in a copyright case, Gentoo's |
| 48 |
liability is going to come down a lot more to what Gentoo is doing |
| 49 |
than what the developer from 10 years ago did. Did Gentoo exercise |
| 50 |
reasonable care and this is innocent infringement (which is NOT |
| 51 |
without substantial liability, it just avoids the completely insane |
| 52 |
statutory provisions in US law cf. 17 USC 504(b) and (c)2)? |
| 53 |
|
| 54 |
I'm actually pressed to think of how the testimony of the committing |
| 55 |
dev could actually help us in a defensive copyright case as the burden |
| 56 |
of proof is on our side when it comes to proving ownership, and if the |
| 57 |
plaintiff can prove ownership I don't see how the testimony of a dev |
| 58 |
would overturn that. It might help more in an offensive one, but in |
| 59 |
that case we can pick code for our lawsuit where the committing dev is |
| 60 |
readily available, assuming we ever resorted to an offensive action. |
| 61 |
|
| 62 |
-- |
| 63 |
Rich |
Archives