Gentoo Archives: gentoo-project

From: Michael Jones <gentoo@×××××××.com>
To: gentoo-project@l.g.o
Subject: Re: [gentoo-project] Taking the signoff bait
Date: Sun, 19 Jun 2022 20:45:27
Message-Id: CABfmKSKmoGTL-2Uu_WR=G-YHoJqovERb_Jt4uWXuw3c4MxmDhw@mail.gmail.com
In Reply to: Re: [gentoo-project] Taking the signoff bait by Ulrich Mueller
I'm sorry that you felt like I was trying to troll-bait. It wasn't an
attempt to do so.

I've refused to change a pull request to include "signed-off by" for
multiple projects, including for Gentoo, in the past and had even trivial
1-liners rejected, so it's a real blocker for at least one person to
contribute more to the project. Whether I'm alone in this is unknown to me.

"signed-off by" in plain English simply means "Approved by" in the vast
majority of non-subject-matter-experts' interpretation of it. Further,
different projects *do* use it in that meaning (not in the license
attestation meaning), and other projects use it to mean "I assert that I
hold the right to submit this under this license". I've also seen, in
multiple different projects, such as OpenWRT, people "helpfully" add the
"signed-off by" line to commits on behalf of people without permission from
the submitter or author.

I would have much less objection if Gentoo used a combination "authored by"
and "license attestation from" or something like that, so that it was clear
in the line itself what the legal ramifications are. Simply saying "for
Gentoo, it means X" is not sufficient to prevent mistakes unless you're
going to plaster it everywhere and require acknowledgement clicks. The room
for misunderstanding the meaning is very high due to the use of a 3-word
term to mean something quite legally complicated when it has a trivial
native-English meaning with no relationship to the legal meaning that the
project (Gentoo) chooses to use it for.

Further considering that they are merely text lines in a commit statement,
it's rather silly that "signed-off by" is used by Gentoo to have *more*
meaning than the built-in git-commit fields for author name and email.
Though, in fairness, a lot of projects abuse this concept, instead of
adding these custom fields to Git directly.

On Sun, Jun 19, 2022 at 5:33 AM Ulrich Mueller <ulm@g.o> wrote:

> >>>>> On Sun, 19 Jun 2022, Anna Vyalkova wrote:
>
> > On 2022-06-18 19:35, Michael Jones wrote:
> >> Re-evaluating your "signed off by" requirements on github, when
> >> that's legally meaningless, and already covered by the existing
> >> github terms of use, would also go a long way.
> >>
> >> I explicitly will not contribute to a project that has that
> >> requirement.
> >>
> >>
> https://docs.github.com/en/site-policy/github-terms/github-terms-of-service#d-user-generated-content
>
> Maybe I am missing something, but where do the GitHub ToS say that we
> can take a contribution from a GitHub PR and distribute it outside?
>
>
From the linked terms of use page.

3. Ownership of Content, Right to Post, and License Grants

You retain ownership of and responsibility for Your Content. If you're
posting anything you did not create yourself or do not own the rights to,
you agree that you are responsible for any Content you post; that you will
only submit Content that you have the right to post; and that you will
fully comply with any third party licenses relating to Content you post.

Because you retain ownership of and responsibility for Your Content, we
need you to grant us — and other GitHub Users — certain legal permissions,
listed in Sections D.4 — D.7. These license grants apply to Your Content.
If you upload Content that already comes with a license granting GitHub the
permissions we need to run our Service, no additional license is required.
You understand that you will not receive any payment for any of the rights
granted in Sections D.4 — D.7. The licenses you grant to us will end when
you remove Your Content from our servers, unless other Users have forked it.

No one may post a pull request to a project hosted on github that they do
not hold the right to post, whether they are the author, or merely posting
on behalf of another.

6. Contributions Under Repository License

Whenever you add Content to a repository containing notice of a license,
you license that Content under the same terms, and you agree that you have
the right to license that Content under those terms. If you have a separate
agreement to license that Content under different terms, such as a
contributor license agreement, that agreement will supersede.

Isn't this just how it works already? Yep. This is widely accepted as the
norm in the open-source community; it's commonly referred to by the
shorthand "inbound=outbound". We're just making it explicit.

Contributions made to a repository that have an explicitly configured
license in the github project's settings are licensed under the terms of
that project's license, unless otherwise explicitly stated or agreed to via
some other mechanism (e.g. the commit message or contents of the commit
have wording to indicate an alternative license). It's the project's
responsibility to ensure that pull requests / commits that have wording to
indicate an explicit license are not merged unless the explicitly specified
license is acceptable. If no explicit license wording is present, then the
Github project's configured license (e.g. whatever Gentoo set on github) is
explicitly the license for the contribution.

As such, there is no need to use "signed-off by" for contributions made on
github, as the same legal infrastructure for assuring that commits are
legally/rightfully contributed by random internet strangers that Github has
also applies to the Gentoo project (mirror or otherwise) on Github.

---------------------------------------------------------------------------

From this point, it appears you're responding to someone else, but I'll
attempt to answer.

> > 1) We can't see if a commit comes from GitHub or somewhere else in the
> > git history. This not only makes verification but also breaks
> > verification tools (commit without signoff are rejected by gitolite's
> > pre-push hook, github is just a mirror).
>

That's something that could be solved by tooling, either by changing the
license that's configured on github to say that any PRs will be modified to
include the "signed-off by" line, or by using merge commits from the PR ->
the official git repository done by an automated system that contains
wording like "This was a contribution made under the github.com terms of
use, blahblahblah".

Many (most?) drive-by contributors won't have any interest in contributing
to Gentoo via gitolite. If you don't plan to accept PRs on github in the
future, then this discussion is rather irrelevant, and I'm sorry for
stirring the pot.

But since we are discussing in the original thread how to improve external
contributions, I advise adjusting your tooling to be more welcoming, rather
than insisting external contributors accept your tooling's limitations.


> > 2) Gentoo has plans to move to their own GitLab instance. So binding
> > themselves to GitHub ToS (that can be changed at any time and controlled
> > by Miscro$oft) is stupid.
>

I don't think this is very helpful to the stated intention of improving the
situation with external contributions. Moving to GitLab doesn't do anything
useful from the perspective of external contributors. I have a github
account. I won't be making one on the Gentoo GitLab, unless it's... via
logging into Github, which many GitLab instances allow.

The Github terms of use are basically harmless to Gentoo, and they provide
Gentoo with plenty of legal backing in terms of attesting that a
contribution was done legitimately. Which asking random internet people
to add "signed-off by" does *not* provide. When I was asked to add
"signed-off by" for multiple projects, including Gentoo, no explanation of
the legal meaning behind that was given. I *assumed* they were asking me to
attest that the PR wouldn't introduce any QA problems, which is the plain
meaning of "signed-off by" in English to non-legal experts. Rather the
opposite of what Gentoo wants to use it for.

However, the Github terms of use are quite clear and easy to understand. No
one can be confused by what the expectations are for contributions made on
Github, and you'd be able to point any legal trouble at the Github legal
team for violations of the Github TOS. Since Github's entire business model
requires that their terms of use apply properly, they would have a heavy
incentive to defend Gentoo on that issue if the commit came from a Github
PR.

Further, Microsoft hosts and accepts PRs for some of its own commercial
products like Visual Studio's standard library for C++, without a CLA as
far as I know. How is this legally fine for Microsoft for a product they
commercially sell, but not for Gentoo which does not commercially sell
anything (that I know of, anyway)?


> > 3) Commit author != GitHub user.
>
> I think it's even three entities: author, committer, and GitHub user,
> which can all be different.
>
>

That seems accurate.

> > 4) **Most important point!** These ToS apply only to content hosted on
> > GitHub! And you retain ownership only on github PRs, not the canonical
> > repo.
>

I don't see how this is accurate. Gentoo doesn't own any of the PRs or
commits or patches submitted to it in the first place. That ownership is
retained by the original author, or whoever they've assigned the ownership
to. Are you telling me that the handful of patches / ebuilds that I've sent
to Bugzilla are somehow no longer owned by me? That's a surprise...

"signed-off by" is not a transfer of ownership, even in the flawed way that
Gentoo is trying to use it.

If you're expecting to see ownership transfer, you need a real contributor
license agreement that explicitly transfers ownership, which I've not seen
anyone ever discussing on the Gentoo mailing list (which could mean I
simply missed the discussion).

Once the commit is made on GitHub, the GitHub TOS assures Gentoo that the
person who submitted the PR had the right to do so under the Github TOS and
the license that the PR was submitted as. Now that the license is
established, Gentoo can do whatever Gentoo wants to with that PR, so long
as the license it was submitted under allows it. No need for "signed-off
by" or ownership transfer, unless you're planning to re-license things?


> > * the only thing I dislike and sabotage in Gentoo's signoff policy is
> > that it uses "legal name" instead of "real name" - change that already...
>
> That wording went through several iterations, the last of which changed
> it from "real name" to "legal name" [1].
>
> IIRC, the rationale behind this change was that "real name" was deemed
> too vague, and to account for officially registered pseudonyms.
> For example, the German passport has an optional field "religious name
> or pseudonym" [2].
>
> Ulrich
>
> [1]
> https://gitweb.gentoo.org/data/glep.git/commit/glep-0076.rst?id=dcc841a715dfa077258fa3f8bef5f15ee22148cb
> [2] https://en.wikipedia.org/wiki/German_passport#Following_page

I find it really weird that I was able to make an account on Github, and
submit code through them, without needing to provide my real *or* legal
name.

What makes Gentoo special that it needs this additional information, when
Github (and thus Microsoft) does not, even for Microsoft's own commercial
products hosted on Github?