1 |
>>>>> On Wed, 28 Jul 2021, Marek Szuba wrote: |
2 |
|
3 |
> On 2021-07-28 12:22, Ulrich Mueller wrote: |
4 |
>> This isn't about defending the copyright of the contributor (for which |
5 |
>> a pseudonym would be fine, or at least it would be a problem of the |
6 |
>> contributor). It is about due diligence when accepting contributions, |
7 |
>> to make sure their origin is traceable. |
8 |
|
9 |
> I agree with the "due diligence" bit but not with the traceability |
10 |
> requirement. The "Certificate of Origin" section of GLEP-76 clearly |
11 |
> states that the purpose of the sign-off (which by the way applies only |
12 |
> contributions made via VCS commits, as the GLEP stands there are no |
13 |
> specific mechanisms described for contributions submitted in forms |
14 |
> other than full Git commits, e.g. patches uploaded to Bugzilla or sent |
15 |
> by e-mail) is "to declare that the contribution can be modified and |
16 |
> redistributed in accordance with the project's license", and nothing |
17 |
> in GCOv1 itself appears to me to contradict that statement. Finally, |
18 |
> between what GAFAM, NSA/GCHQ, $country government etc. have been doing |
19 |
> on the Internet, I am rather allergic to the whole idea of |
20 |
> facilitating the tracking of people. |
21 |
|
22 |
Please read again what I've written. The origin of the contribution |
23 |
should be traceable, not the contributor. |
24 |
|
25 |
> In short, I feel that since a) the whole point here is to establish |
26 |
> ground rules for the copyright of Gentoo contributions, b) it is |
27 |
> pretty much entirely based on to-the-best-of-one's-knowledge |
28 |
> statements and acting in good faith, and c) we've got neither the |
29 |
> means nor the authority to verify personal details provided by the |
30 |
> contributors, I strongly feel there isn't much point in disallowing |
31 |
> pseudonymous contributions. I for one would very much rather accept a |
32 |
> steady stream of contributions from a single anonymous entity than |
33 |
> have them scattered across fake but ostensibly real-name contributors. |
34 |
> And it someone contributes something potentially lifted from |
35 |
> proprietary software or otherwise fishy? It's up to the people pushing |
36 |
> these commits to our repos to exercise their common sense and due |
37 |
> diligence. |
38 |
|
39 |
We have taken the blueprint for the certificate-of-origin model from |
40 |
Linux, and it does have a real name requirement. I'd rather not change |
41 |
any element of it without getting legal advice first. |
42 |
|
43 |
Ulrich |