| 1 |
I'm sorry that you felt like I was trying to troll-bait. It wasn't an |
| 2 |
attempt to do so. |
| 3 |
|
| 4 |
I've refused to change a pull request to include "signed-off by" for |
| 5 |
multiple projects, including for Gentoo, in the past and had even trivial |
| 6 |
1-liners rejected, so it's a real blocker for at least one person to |
| 7 |
contribute more to the project. Whether I'm alone in this is unknown to me. |
| 8 |
|
| 9 |
"signed-off by" in plain english simply means "Approved by" in the vast |
| 10 |
majority of non-subject-matter-expert's interpretation of it. Further, |
| 11 |
different projects *do* use it in that meaning (not in the license |
| 12 |
attestation meaning), and other projects use it to mean "I assert that I |
| 13 |
hold the right to submit this under this license". I've also seen, in |
| 14 |
multiple different projects, such as OpenWRT, people "helpfully" add the |
| 15 |
"signed-off by" line to commits on behalf of people without permission from |
| 16 |
the submitter or author. |
| 17 |
|
| 18 |
I would have much less objection if Gentoo used a combination "authored by" |
| 19 |
and "license attestation from" or something like that, so that it was clear |
| 20 |
in the line itself what the legal ramifications are. Simply saying "for |
| 21 |
Gentoo, it means X" is not sufficient to prevent mistakes unless you're |
| 22 |
going to plaster it everywhere and require acknowledgement clicks. The room |
| 23 |
for misunderstanding the meaning is very high due to the use of a 3-word |
| 24 |
term to mean something quite legally complicated when it has a trivial |
| 25 |
native-English meaning with no relationship to the legal meaning that the |
| 26 |
project (Gentoo) chooses to use it for. |
| 27 |
|
| 28 |
Further considering that they are merely text-lines in a commit statement, |
| 29 |
it's rather silly that "signed-off by" is used by Gentoo to have *more* |
| 30 |
meaning than the built-in git-commit fields for author name and email. |
| 31 |
Though, in fairness, a lot of projects abuse this concept, instead of |
| 32 |
adding these custom fields to Git directly. |
| 33 |
|
| 34 |
On Sun, Jun 19, 2022 at 5:33 AM Ulrich Mueller <ulm@g.o> wrote: |
| 35 |
|
| 36 |
> >>>>> On Sun, 19 Jun 2022, Anna Vyalkova wrote: |
| 37 |
> |
| 38 |
> > On 2022-06-18 19:35, Michael Jones wrote: |
| 39 |
> >> Re-evaluating your "signed off by" requirements on github, when |
| 40 |
> >> that's legally meaningless, and already covered by the existing |
| 41 |
> >> github terms of use, would also go a long way. |
| 42 |
> >> |
| 43 |
> >> I explicitly will not contribute to a project that has that |
| 44 |
> >> requirement. |
| 45 |
> >> |
| 46 |
> >> |
| 47 |
> https://docs.github.com/en/site-policy/github-terms/github-terms-of-service#d-user-generated-content |
| 48 |
> |
| 49 |
> Maybe I am missing something, but where do the GitHub ToS say that we |
| 50 |
> can take a contribution from a GitHub PR and distribute it outside? |
| 51 |
> |
| 52 |
> |
| 53 |
From the linked terms of use page. |
| 54 |
3. Ownership of Content, Right to Post, and License Grants |
| 55 |
|
| 56 |
You retain ownership of and responsibility for Your Content. If you're |
| 57 |
posting anything you did not create yourself or do not own the rights to, |
| 58 |
you agree that you are responsible for any Content you post; that you will |
| 59 |
only submit Content that you have the right to post; and that you will |
| 60 |
fully comply with any third party licenses relating to Content you post. |
| 61 |
|
| 62 |
Because you retain ownership of and responsibility for Your Content, we |
| 63 |
need you to grant us — and other GitHub Users — certain legal permissions, |
| 64 |
listed in Sections D.4 — D.7. These license grants apply to Your Content. |
| 65 |
If you upload Content that already comes with a license granting GitHub the |
| 66 |
permissions we need to run our Service, no additional license is required. |
| 67 |
You understand that you will not receive any payment for any of the rights |
| 68 |
granted in Sections D.4 — D.7. The licenses you grant to us will end when |
| 69 |
you remove Your Content from our servers, unless other Users have forked it. |
| 70 |
No one may post a pull request to a project hosted on github that they do |
| 71 |
not hold the right to post, whether they are the author, or merely posting |
| 72 |
on behalf of another. |
| 73 |
|
| 74 |
6. Contributions Under Repository License |
| 75 |
|
| 76 |
Whenever you add Content to a repository containing notice of a license, |
| 77 |
you license that Content under the same terms, and you agree that you have |
| 78 |
the right to license that Content under those terms. If you have a separate |
| 79 |
agreement to license that Content under different terms, such as a |
| 80 |
contributor license agreement, that agreement will supersede. |
| 81 |
|
| 82 |
Isn't this just how it works already? Yep. This is widely accepted as the |
| 83 |
norm in the open-source community; it's commonly referred to by the |
| 84 |
shorthand "inbound=outbound". We're just making it explicit. |
| 85 |
|
| 86 |
Contributions made to a repository that have an explicitly configured |
| 87 |
license in the github project's settings are licensed under the terms of |
| 88 |
that project's license, unless otherwise explicitly stated or agreed to via |
| 89 |
some other mechanism (e.g. the commit message or contents of the commit |
| 90 |
have wording to indicate an alternative license). It's the project's |
| 91 |
responsibility to ensure that pull requests / commits that have wording to |
| 92 |
indicate an explicit license are not merged unless the explicitly specified |
| 93 |
license is acceptable. If no explicit license wording is present, then the |
| 94 |
Github project's configured license (e.g. whatever Gentoo set on github) is |
| 95 |
explicitly the license for the contribution. |
| 96 |
|
| 97 |
As such, there is no need to use "signed-off by" for contributions made on |
| 98 |
github, as the same legal infrastructure for assuring that commits are |
| 99 |
legally/rightfully contributed by random internet strangers that Github has |
| 100 |
also applies to the Gentoo project (mirror or otherwise) on Github. |
| 101 |
|
| 102 |
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| 103 |
|
| 104 |
From this point, it appears you're responding to someone else, but I'll |
| 105 |
attempt to answer. |
| 106 |
|
| 107 |
> 1) We can't see if a commit comes from GitHub or somewhere else in the |
| 108 |
> > git history. This not only makes verification but also breaks |
| 109 |
> > verification tools (commit without signoff are rejected by gitolite's |
| 110 |
> > pre-push hook, github is just a mirror). |
| 111 |
> |
| 112 |
|
| 113 |
That's something that could be solved by tooling, either by changing the |
| 114 |
license that's configured on github to say that any PRs will be modified to |
| 115 |
include the "signed-off by" line, or by using Merge commits from the PR -> |
| 116 |
the official git repository done by an automated system that contains |
| 117 |
wording like "This was a contribution made under the github.com terms of |
| 118 |
use, blahblahblah". |
| 119 |
|
| 120 |
Many (most?) drive-by contributors won't have any interest in contributing |
| 121 |
to Gentoo via gitolite. If you don't plan to accept PRs on github in the |
| 122 |
future, then this discussion is rather irrelevant, and I'm sorry for |
| 123 |
stirring the pot. |
| 124 |
|
| 125 |
But since we are discussing in the original thread how to improve external |
| 126 |
contributions, I advise adjusting your tooling to be more welcoming, rather |
| 127 |
than insisting external contributors accept your tooling's limitations. |
| 128 |
|
| 129 |
|
| 130 |
> > 2) Gentoo has plans to move to their own GitLab instance. So binding |
| 131 |
> > themselves to GitHub ToS (that can be changes at any time and controlled |
| 132 |
> > by Miscro$oft) is stupid. |
| 133 |
> |
| 134 |
|
| 135 |
I don't think this is very helpful to the stated intention of improving the |
| 136 |
situation with external contributions. Moving to GitLab doesn't do anything |
| 137 |
useful from the perspective of external contributors. I have a github |
| 138 |
account. I won't be making one on the Gentoo GitLab, unless it's.... via |
| 139 |
logging into Github, which many GitLab instances allow. |
| 140 |
|
| 141 |
The Github terms of use are basically harmless to Gentoo, and they provide |
| 142 |
Gentoo with plenty of legal backing in terms of attesting that a |
| 143 |
contribution was done legitimately. Which asking for random internet people |
| 144 |
to add "signed-off by" does *not* provide. When I was asked to add |
| 145 |
"signed-off by" for multiple projects, including Gentoo, no explanation of |
| 146 |
the legal meaning behind that was given. I *assumed* they were asking me to |
| 147 |
attest that the PR wouldn't introduce any QA problems, which is the plain |
| 148 |
meaning of "signed-off by" in English to non-legal experts. Rather the |
| 149 |
opposite of what Gentoo wants to use it for. |
| 150 |
|
| 151 |
However, the Github terms of use are quite clear and easy to understand. No |
| 152 |
one can be confused by what the expectations are for contributions made on |
| 153 |
Github, and you'd be able to point any legal trouble at the Github legal |
| 154 |
team for violations of the Github TOS. Since Github's entire business model |
| 155 |
requires that their terms of use apply properly, they would have a heavy |
| 156 |
incentive to defend Gentoo on that issue if the commit came from a Github |
| 157 |
PR. |
| 158 |
|
| 159 |
Further, Microsoft hosts and accepts PRs for some of its own commercial |
| 160 |
products like Visual Studio's standard library for C++, without a CLA as |
| 161 |
far as I know. How is this legally fine for Microsoft for a product they |
| 162 |
commercially sell, but not for Gentoo which does not commercially sell |
| 163 |
anything (that I know of, anyway)? |
| 164 |
|
| 165 |
|
| 166 |
|
| 167 |
> > 3) Commit author != GitHub user. |
| 168 |
> |
| 169 |
> I think it's even three entities: author, committer, and GitHub user, |
| 170 |
> which can all be different. |
| 171 |
> |
| 172 |
> |
| 173 |
That seems accurate. |
| 174 |
|
| 175 |
|
| 176 |
> > 4) **Most important point!** These ToS apply only to content hosted on |
| 177 |
> > GitHub! And you retain ownership only on github PRs, not the canonical |
| 178 |
> > repo. |
| 179 |
> |
| 180 |
|
| 181 |
I don't see how this is accurate. Gentoo doesn't own any of the PRs or |
| 182 |
commits or patches submitted to it in the first place. That ownership is |
| 183 |
retained by the original author, or whoever they've assigned the ownership |
| 184 |
of. Are you telling me that the handful of patches / ebuilds that I've sent |
| 185 |
to Bugzilla are somehow no longer owned by me? That's a surprise... |
| 186 |
|
| 187 |
"signed-off by" is not a transfer of ownership, even in the flawed way that |
| 188 |
Gentoo is trying to use it. |
| 189 |
|
| 190 |
If you're expecting to see ownership transfer, you need a real contributor |
| 191 |
license agreement that explicitly transfers ownership, which I've not seen |
| 192 |
anyone ever discussing on the Gentoo mailing list (which could mean I |
| 193 |
simply missed the discussion). |
| 194 |
|
| 195 |
Once the commit is made on GitHub, the GitHub TOS assures Gentoo that the |
| 196 |
person who submitted the PR had the right to do so under the Github TOS and |
| 197 |
the license that the PR was submitted as. Now that the license is |
| 198 |
established, Gentoo can do whatever Gentoo want's to with that PR, so long |
| 199 |
as the license it was submitted under allows it. No need for "signed-off |
| 200 |
by" or ownership transfer, unless you're planning to re-license things? |
| 201 |
|
| 202 |
|
| 203 |
|
| 204 |
> > * the only thing I dislike and sabotage in Gentoo's signoff policy is |
| 205 |
> > that uses "legal name" instead of "real name" - change that already... |
| 206 |
> |
| 207 |
> That wording went through several iterations, the last of which changed |
| 208 |
> it from "real name" to "legal name" [1]. |
| 209 |
> |
| 210 |
> IIRC, the rationale behind this change was that "real name" was deemed |
| 211 |
> to vague, and to account for officially registered pseudonyms. |
| 212 |
> For example, the German passport has an optional field "religious name |
| 213 |
> or pseudonym" [2]. |
| 214 |
> |
| 215 |
> Ulrich |
| 216 |
> |
| 217 |
> [1] |
| 218 |
> https://gitweb.gentoo.org/data/glep.git/commit/glep-0076.rst?id=dcc841a715dfa077258fa3f8bef5f15ee22148cb |
| 219 |
> [2] https://en.wikipedia.org/wiki/German_passport#Following_page |
| 220 |
|
| 221 |
|
| 222 |
I find it really weird that I was able to make an account on Github, and |
| 223 |
submit code through them, without needing to provide my real *or* legal |
| 224 |
name. |
| 225 |
|
| 226 |
What makes Gentoo special that it needs this additional information, when |
| 227 |
Github (and thus Microsoft) does not, even for Microsoft's own commercial |
| 228 |
products hosted on Github? |
Archives