I'm sorry that you felt like I was trying to troll-bait. It wasn't an
attempt to do so.

I've refused to change a pull request to include "signed-off by" for
multiple projects, including for Gentoo, in the past and had even trivial
1-liners rejected, so it's a real blocker for at least one person to
contribute more to the project. Whether I'm alone in this is unknown to me.

"signed-off by" in plain English simply means "Approved by" in the vast
majority of non-subject-matter-experts' interpretation of it. Further,
different projects *do* use it in that meaning (not in the license
attestation meaning), and other projects use it to mean "I assert that I
hold the right to submit this under this license". I've also seen, in
multiple different projects, such as OpenWRT, people "helpfully" add the
"signed-off by" line to commits on behalf of people without permission from
the submitter or author.

I would have much less objection if Gentoo used a combination "authored by"
and "license attestation from" or something like that, so that it was clear
in the line itself what the legal ramifications are. Simply saying "for
Gentoo, it means X" is not sufficient to prevent mistakes unless you're
going to plaster it everywhere and require acknowledgement clicks. The room
for misunderstanding the meaning is very high due to the use of a 3-word
term to mean something quite legally complicated when it has a trivial
native-English meaning with no relationship to the legal meaning that the
project (Gentoo) chooses to use it for.

Further considering that they are merely text-lines in a commit statement,
it's rather silly that "signed-off by" is used by Gentoo to have *more*
meaning than the built-in git-commit fields for author name and email.
Though, in fairness, a lot of projects abuse this concept, instead of
adding these custom fields to Git directly.

On Sun, Jun 19, 2022 at 5:33 AM Ulrich Mueller <ulm@g.o> wrote:

> >>>>> On Sun, 19 Jun 2022, Anna Vyalkova wrote:
>
> > On 2022-06-18 19:35, Michael Jones wrote:
> >> Re-evaluating your "signed off by" requirements on GitHub, when
> >> that's legally meaningless, and already covered by the existing
> >> GitHub terms of use, would also go a long way.
> >>
> >> I explicitly will not contribute to a project that has that
> >> requirement.
> >>
> https://docs.github.com/en/site-policy/github-terms/github-terms-of-service#d-user-generated-content
>
> Maybe I am missing something, but where do the GitHub ToS say that we
> can take a contribution from a GitHub PR and distribute it outside?
>
From the linked terms of use page.
3. Ownership of Content, Right to Post, and License Grants

You retain ownership of and responsibility for Your Content. If you're
posting anything you did not create yourself or do not own the rights to,
you agree that you are responsible for any Content you post; that you will
only submit Content that you have the right to post; and that you will
fully comply with any third party licenses relating to Content you post.

Because you retain ownership of and responsibility for Your Content, we
need you to grant us — and other GitHub Users — certain legal permissions,
listed in Sections D.4 — D.7. These license grants apply to Your Content.
If you upload Content that already comes with a license granting GitHub the
permissions we need to run our Service, no additional license is required.
You understand that you will not receive any payment for any of the rights
granted in Sections D.4 — D.7. The licenses you grant to us will end when
you remove Your Content from our servers, unless other Users have forked it.
No one may post a pull request to a project hosted on GitHub that they do
not hold the right to post, whether they are the author, or merely posting
on behalf of another.

6. Contributions Under Repository License

Whenever you add Content to a repository containing notice of a license,
you license that Content under the same terms, and you agree that you have
the right to license that Content under those terms. If you have a separate
agreement to license that Content under different terms, such as a
contributor license agreement, that agreement will supersede.

Isn't this just how it works already? Yep. This is widely accepted as the
norm in the open-source community; it's commonly referred to by the
shorthand "inbound=outbound". We're just making it explicit.

Contributions made to a repository that have an explicitly configured
license in the GitHub project's settings are licensed under the terms of
that project's license, unless otherwise explicitly stated or agreed to via
some other mechanism (e.g. the commit message or contents of the commit
have wording to indicate an alternative license). It's the project's
responsibility to ensure that pull requests / commits that have wording to
indicate an explicit license are not merged unless the explicitly specified
license is acceptable. If no explicit license wording is present, then the
GitHub project's configured license (e.g. whatever Gentoo set on GitHub) is
explicitly the license for the contribution.

As such, there is no need to use "signed-off by" for contributions made on
GitHub, as the same legal infrastructure for assuring that commits are
legally/rightfully contributed by random internet strangers that GitHub has
also applies to the Gentoo project (mirror or otherwise) on GitHub.

------------------------------------------------------------------------

From this point, it appears you're responding to someone else, but I'll
attempt to answer.

> > 1) We can't see if a commit comes from GitHub or somewhere else in the
> > git history. This not only makes verification but also breaks
> > verification tools (commits without signoff are rejected by gitolite's
> > pre-push hook, GitHub is just a mirror).
>

That's something that could be solved by tooling, either by changing the
license that's configured on GitHub to say that any PRs will be modified to
include the "signed-off by" line, or by using Merge commits from the PR ->
the official git repository done by an automated system that contains
wording like "This was a contribution made under the github.com terms of
use, blahblahblah".

Many (most?) drive-by contributors won't have any interest in contributing
to Gentoo via gitolite. If you don't plan to accept PRs on GitHub in the
future, then this discussion is rather irrelevant, and I'm sorry for
stirring the pot.

But since we are discussing in the original thread how to improve external
contributions, I advise adjusting your tooling to be more welcoming, rather
than insisting external contributors accept your tooling's limitations.

> > 2) Gentoo has plans to move to their own GitLab instance. So binding
> > themselves to GitHub ToS (that can be changed at any time and controlled
> > by Miscro$oft) is stupid.
>

I don't think this is very helpful to the stated intention of improving the
situation with external contributions. Moving to GitLab doesn't do anything
useful from the perspective of external contributors. I have a GitHub
account. I won't be making one on the Gentoo GitLab, unless it's.... via
logging into GitHub, which many GitLab instances allow.

The GitHub terms of use are basically harmless to Gentoo, and they provide
Gentoo with plenty of legal backing in terms of attesting that a
contribution was done legitimately. Which asking for random internet people
to add "signed-off by" does *not* provide. When I was asked to add
"signed-off by" for multiple projects, including Gentoo, no explanation of
the legal meaning behind that was given. I *assumed* they were asking me to
attest that the PR wouldn't introduce any QA problems, which is the plain
meaning of "signed-off by" in English to non-legal experts. Rather the
opposite of what Gentoo wants to use it for.

However, the GitHub terms of use are quite clear and easy to understand. No
one can be confused by what the expectations are for contributions made on
GitHub, and you'd be able to point any legal trouble at the GitHub legal
team for violations of the GitHub TOS. Since GitHub's entire business model
requires that their terms of use apply properly, they would have a heavy
incentive to defend Gentoo on that issue if the commit came from a GitHub
PR.

Further, Microsoft hosts and accepts PRs for some of its own commercial
products like Visual Studio's standard library for C++, without a CLA as
far as I know. How is this legally fine for Microsoft for a product they
commercially sell, but not for Gentoo which does not commercially sell
anything (that I know of, anyway)?

> > 3) Commit author != GitHub user.
>
> I think it's even three entities: author, committer, and GitHub user,
> which can all be different.
>
That seems accurate.

> > 4) **Most important point!** These ToS apply only to content hosted on
> > GitHub! And you retain ownership only on GitHub PRs, not the canonical
> > repo.
>

I don't see how this is accurate. Gentoo doesn't own any of the PRs or
commits or patches submitted to it in the first place. That ownership is
retained by the original author, or whoever they've assigned the ownership
of. Are you telling me that the handful of patches / ebuilds that I've sent
to Bugzilla are somehow no longer owned by me? That's a surprise...

"signed-off by" is not a transfer of ownership, even in the flawed way that
Gentoo is trying to use it.

If you're expecting to see ownership transfer, you need a real contributor
license agreement that explicitly transfers ownership, which I've not seen
anyone ever discussing on the Gentoo mailing list (which could mean I
simply missed the discussion).

Once the commit is made on GitHub, the GitHub TOS assures Gentoo that the
person who submitted the PR had the right to do so under the GitHub TOS and
the license that the PR was submitted as. Now that the license is
established, Gentoo can do whatever Gentoo wants to with that PR, so long
as the license it was submitted under allows it. No need for "signed-off
by" or ownership transfer, unless you're planning to re-license things?

> > * the only thing I dislike and sabotage in Gentoo's signoff policy is
> > that uses "legal name" instead of "real name" - change that already...
>
> That wording went through several iterations, the last of which changed
> it from "real name" to "legal name" [1].
>
> IIRC, the rationale behind this change was that "real name" was deemed
> too vague, and to account for officially registered pseudonyms.
> For example, the German passport has an optional field "religious name
> or pseudonym" [2].
>
> Ulrich
>
> [1] https://gitweb.gentoo.org/data/glep.git/commit/glep-0076.rst?id=dcc841a715dfa077258fa3f8bef5f15ee22148cb
> [2] https://en.wikipedia.org/wiki/German_passport#Following_page

I find it really weird that I was able to make an account on GitHub, and
submit code through them, without needing to provide my real *or* legal
name.

What makes Gentoo special that it needs this additional information, when
GitHub (and thus Microsoft) does not, even for Microsoft's own commercial
products hosted on GitHub?