On 2019-07-01 00:27, Robin H. Johnson wrote:
> As a clear example of meaningful agreement to the DCO vs the
> autogenerated agreement that Patrick is concerned about, look at GnuPG's
> model:
>
> 1. A new contributor must send an OpenPGP-signed copy of the GnuPG DCO
> text to the public mailing list (the exact wording of the DCO
> contains only a minor change s/open/free/ per FSF principles).
> 2. Signed-off-by trailer in the commit message is ALSO required, and is
> only used to verify against the DCO registry.

From my understanding of Patrick's concerns, this doesn't change
anything for him: It's still possible to autogenerate such a statement.

From my understanding he is questioning the whole idea behind this: I.e.
is there really a chance that this will protect anyone/anything? Is
there really a chance that the committer can be legally held accountable?

At least in Europe, a GPG signature has no legal meaning. You will need
a qualified digital signature for any legal implications.

There are still companies/projects out there requiring that you add your
handwritten signature below the CLA (i.e. this will require that you
send the document via post or fax).

So if we are not 100% sure that this will fix a real problem and will
stand up in court if necessary, the whole thing was just a waste of time.

But maybe that's not what Patrick wanted to say :-)


I was told that the main driver for GLEP 76 was to protect the Gentoo
foundation: Whenever something happens within the Gentoo namespace, the
Gentoo foundation is the only accountable body.

In case someone violated the DCO and added IP he/she didn't own, the main
interest of the actual copyright owner is to remove the IP in question.
I really hope we will never experience such a situation but judging from
GitHub's public DMCA log I would expect that we will either have to
spend a lot of money trying to defend Gentoo or would at least have to
prune (rewrite) the repository to get rid of any affected fragment (which
could be challenging).

The copyright holder may also demand compensation.

It's important to understand that the foundation will have to pay for
this...

Now thanks to the DCO statement, the foundation is in the position to
get the money back from the contributor who violated the DCO and caused
the trouble. Because I don't expect that the contributor will say, "Oh
right, I am sorry, this was my fault, let me pay your expenses", the
foundation will now have to sue the contributor. The chances of success
are very low if the contributor isn't within the same jurisdiction. In
other words: It will be hard for the foundation to sue anyone in Europe
for example because the GPG-signed statement has no legal significance
for Europeans.

So this is mainly a US-only thing from a legal perspective, if at all (I
am not familiar with US law).


--
Regards,
Thomas Deutschmann / Gentoo Linux Developer
C4DD 695F A713 8F24 2AA1 5638 5849 7EE5 1D5D 74A5