| 1 |
On 2019-07-01 00:27, Robin H. Johnson wrote: |
| 2 |
> As a clear example of meaningful agreement to the DCO vs the |
| 3 |
> autogenerated agreement that Patrick is concerned about, look at GnuPG's |
| 4 |
> model: |
| 5 |
> |
| 6 |
> 1. A new contributor must send a OpenPGP-signed copy of the GnuPG DCO |
| 7 |
> text to the public mailing list (the exact wording of the DCO |
| 8 |
> contains only a minor change s/open/free/ per FSF principles). |
| 9 |
> 2. Signed-off-by trailer in the commit message is ALSO required, and is |
| 10 |
> only used to verify against the DCO registry. |
| 11 |
|
| 12 |
From my understanding of Patrick's concerns, this doesn't change |
| 13 |
anything for him: It's still possible to autogenerate such a statement. |
| 14 |
|
| 15 |
From my understanding he is questioning the whole idea behind this: I.e. |
| 16 |
is there really a chance that this will protect anyone/anything? Is |
| 17 |
there really a chance that the committer can be legally held accountable? |
| 18 |
|
| 19 |
At least in Europe, a GPG signature has no legal meaning. You will need |
| 20 |
a qualified digital signature for any legal implications. |
| 21 |
|
| 22 |
There are still companies/projects out there requiring that you add your |
| 23 |
handwritten signature below the CLA (i.e. this will require that you |
| 24 |
send the document via post or fax). |
| 25 |
|
| 26 |
So if we are not 100% sure that this will fix a real problem and will |
| 27 |
stand up in court if necessary, the whole thing was just a waste of time. |
| 28 |
|
| 29 |
But maybe that's not what Patrick wanted to say :-) |
| 30 |
|
| 31 |
|
| 32 |
I was told that the main driver for GLEP 76 was to protect the Gentoo |
| 33 |
foundation: Whenever something happens within Gentoo namespace, Gentoo |
| 34 |
foundation is the only accountable body. |
| 35 |
|
| 36 |
In case someone violated DCO and added IP he/she didn't own, the main |
| 37 |
interest of the actual copyright owner is to remove the IP in question. |
| 38 |
I really hope we will never experience such a situation but judging from |
| 39 |
GitHub's public DMCA log I would expect that we will either have to |
| 40 |
spend a lot of money trying to defend Gentoo or would at least have to |
| 41 |
prune (rewrite) repository to get rid of any affected fragment (which |
| 42 |
could be challenging). |
| 43 |
|
| 44 |
The copyright holder may also demand compensation. |
| 45 |
|
| 46 |
It's important to understand that the foundation will have to pay for |
| 47 |
this... |
| 48 |
|
| 49 |
Now thanks to the DCO statement, the foundation is in the position to |
| 50 |
get the money back from contributor who violated DCO and caused the |
| 51 |
trouble. Because I don't expect that the contributor will say, "Oh |
| 52 |
right, I am sorry, this was my fault, let me pay your expenses", |
| 53 |
foundation will now have to sue the contributor. The chances of success |
| 54 |
are very low if contributor isn't within same jurisdiction. In other |
| 55 |
words: It will be hard for the foundation to sue anyone in Europe for |
| 56 |
example because the GPG-signed statement has no legal significance for |
| 57 |
Europeans. |
| 58 |
|
| 59 |
So this is mainly a US-only thing from legal perspective, if at all (I |
| 60 |
am not familiar with US law). |
| 61 |
|
| 62 |
|
| 63 |
-- |
| 64 |
Regards, |
| 65 |
Thomas Deutschmann / Gentoo Linux Developer |
| 66 |
C4DD 695F A713 8F24 2AA1 5638 5849 7EE5 1D5D 74A5 |
Archives