| 1 |
On 28/07/2021 16:47, Ulrich Mueller wrote: |
| 2 |
>>>>>> On Wed, 28 Jul 2021, Marek Szuba wrote: |
| 3 |
> |
| 4 |
>> On 2021-07-28 12:22, Ulrich Mueller wrote: |
| 5 |
>>> This isn't about defending the copyright of the contributor (for which |
| 6 |
>>> a pseudonym would be fine, or at least it would be a problem of the |
| 7 |
>>> contributor). It is about due diligence when accepting contributions, |
| 8 |
>>> to make sure their origin is traceable. |
| 9 |
> |
| 10 |
>> I agree with the "due diligence" bit but not with the traceability |
| 11 |
>> requirement. The "Certificate of Origin" section of GLEP-76 clearly |
| 12 |
>> states that the purpose of the sign-off (which by the way applies only |
| 13 |
>> contributions made via VCS commits, as the GLEP stands there are no |
| 14 |
>> specific mechanisms described for contributions submitted in forms |
| 15 |
>> other than full Git commits, e.g. patches uploaded to Bugzilla or sent |
| 16 |
>> by e-mail) is "to declare that the contribution can be modified and |
| 17 |
>> redistributed in accordance with the project's license", and nothing |
| 18 |
>> in GCOv1 itself appears to me to contradict that statement. Finally, |
| 19 |
>> between what GAFAM, NSA/GCHQ, $country government etc. have been doing |
| 20 |
>> on the Internet, I am rather allergic to the whole idea of |
| 21 |
>> facilitating the tracking of people. |
| 22 |
> |
| 23 |
> Please read again what I've written. The origin of the contribution |
| 24 |
> should be traceable, not the contributor. |
| 25 |
|
| 26 |
What exactly is the difference? It seems to me that if a contributor |
| 27 |
authors a commit, then he or she *is* the origin of that commit. |
| 28 |
|
| 29 |
>> In short, I feel that since a) the whole point here is to establish |
| 30 |
>> ground rules for the copyright of Gentoo contributions, b) it is |
| 31 |
>> pretty much entirely based on to-the-best-of-one's-knowledge |
| 32 |
>> statements and acting in good faith, and c) we've got neither the |
| 33 |
>> means nor the authority to verify personal details provided by the |
| 34 |
>> contributors, I strongly feel there isn't much point in disallowing |
| 35 |
>> pseudonymous contributions. I for one would very much rather accept a |
| 36 |
>> steady stream of contributions from a single anonymous entity than |
| 37 |
>> have them scattered across fake but ostensibly real-name contributors. |
| 38 |
>> And it someone contributes something potentially lifted from |
| 39 |
>> proprietary software or otherwise fishy? It's up to the people pushing |
| 40 |
>> these commits to our repos to exercise their common sense and due |
| 41 |
>> diligence. |
| 42 |
> |
| 43 |
> We have taken the blueprint for the certificate-of-origin model from |
| 44 |
> Linux, and it does have a real name requirement. I'd rather not change |
| 45 |
> any element of it without getting legal advice first. |
| 46 |
|
| 47 |
It's a rule we cannot enforce and as such it is pointless imho. We can |
| 48 |
encourage people to use their real name, but unless we start collecting |
| 49 |
copies of IDs we can never be sure. Besides, how does a legal name make |
| 50 |
the origin of a contribution more traceable? Say some proprietary code |
| 51 |
ends up in Gentoo, and we trace this back to some commit which was |
| 52 |
signed off by an external contributor, then what? How does the 'legal |
| 53 |
name' help? |
| 54 |
|
| 55 |
As a general rule of thumb, one should never collect personal |
| 56 |
information that one does not strictly require. And at the moment I |
| 57 |
still don't really understand why we *need* someone's 'legal name' |
| 58 |
(especially given that we cannot verify it). |
Archives