| 1 |
>>>>> On Wed, 28 Jul 2021, Marek Szuba wrote: |
| 2 |
|
| 3 |
> On 2021-07-28 12:22, Ulrich Mueller wrote: |
| 4 |
>> This isn't about defending the copyright of the contributor (for which |
| 5 |
>> a pseudonym would be fine, or at least it would be a problem of the |
| 6 |
>> contributor). It is about due diligence when accepting contributions, |
| 7 |
>> to make sure their origin is traceable. |
| 8 |
|
| 9 |
> I agree with the "due diligence" bit but not with the traceability |
| 10 |
> requirement. The "Certificate of Origin" section of GLEP-76 clearly |
| 11 |
> states that the purpose of the sign-off (which by the way applies only |
| 12 |
> contributions made via VCS commits, as the GLEP stands there are no |
| 13 |
> specific mechanisms described for contributions submitted in forms |
| 14 |
> other than full Git commits, e.g. patches uploaded to Bugzilla or sent |
| 15 |
> by e-mail) is "to declare that the contribution can be modified and |
| 16 |
> redistributed in accordance with the project's license", and nothing |
| 17 |
> in GCOv1 itself appears to me to contradict that statement. Finally, |
| 18 |
> between what GAFAM, NSA/GCHQ, $country government etc. have been doing |
| 19 |
> on the Internet, I am rather allergic to the whole idea of |
| 20 |
> facilitating the tracking of people. |
| 21 |
|
| 22 |
Please read again what I've written. The origin of the contribution |
| 23 |
should be traceable, not the contributor. |
| 24 |
|
| 25 |
> In short, I feel that since a) the whole point here is to establish |
| 26 |
> ground rules for the copyright of Gentoo contributions, b) it is |
| 27 |
> pretty much entirely based on to-the-best-of-one's-knowledge |
| 28 |
> statements and acting in good faith, and c) we've got neither the |
| 29 |
> means nor the authority to verify personal details provided by the |
| 30 |
> contributors, I strongly feel there isn't much point in disallowing |
| 31 |
> pseudonymous contributions. I for one would very much rather accept a |
| 32 |
> steady stream of contributions from a single anonymous entity than |
| 33 |
> have them scattered across fake but ostensibly real-name contributors. |
| 34 |
> And it someone contributes something potentially lifted from |
| 35 |
> proprietary software or otherwise fishy? It's up to the people pushing |
| 36 |
> these commits to our repos to exercise their common sense and due |
| 37 |
> diligence. |
| 38 |
|
| 39 |
We have taken the blueprint for the certificate-of-origin model from |
| 40 |
Linux, and it does have a real name requirement. I'd rather not change |
| 41 |
any element of it without getting legal advice first. |
| 42 |
|
| 43 |
Ulrich |
Archives