On 28/07/2021 16:47, Ulrich Mueller wrote:
>>>>>> On Wed, 28 Jul 2021, Marek Szuba wrote:
>
>> On 2021-07-28 12:22, Ulrich Mueller wrote:
>>> This isn't about defending the copyright of the contributor (for which
>>> a pseudonym would be fine, or at least it would be a problem of the
>>> contributor). It is about due diligence when accepting contributions,
>>> to make sure their origin is traceable.
>
>> I agree with the "due diligence" bit but not with the traceability
>> requirement. The "Certificate of Origin" section of GLEP-76 clearly
>> states that the purpose of the sign-off (which by the way applies only
>> to contributions made via VCS commits, as the GLEP stands there are no
>> specific mechanisms described for contributions submitted in forms
>> other than full Git commits, e.g. patches uploaded to Bugzilla or sent
>> by e-mail) is "to declare that the contribution can be modified and
>> redistributed in accordance with the project's license", and nothing
>> in GCOv1 itself appears to me to contradict that statement. Finally,
>> between what GAFAM, NSA/GCHQ, $country government etc. have been doing
>> on the Internet, I am rather allergic to the whole idea of
>> facilitating the tracking of people.
>
> Please read again what I've written. The origin of the contribution
> should be traceable, not the contributor.

What exactly is the difference? It seems to me that if a contributor
authors a commit, then he or she *is* the origin of that commit.

>> In short, I feel that since a) the whole point here is to establish
>> ground rules for the copyright of Gentoo contributions, b) it is
>> pretty much entirely based on to-the-best-of-one's-knowledge
>> statements and acting in good faith, and c) we've got neither the
>> means nor the authority to verify personal details provided by the
>> contributors, I strongly feel there isn't much point in disallowing
>> pseudonymous contributions. I for one would very much rather accept a
>> steady stream of contributions from a single anonymous entity than
>> have them scattered across fake but ostensibly real-name contributors.
>> And if someone contributes something potentially lifted from
>> proprietary software or otherwise fishy? It's up to the people pushing
>> these commits to our repos to exercise their common sense and due
>> diligence.
>
> We have taken the blueprint for the certificate-of-origin model from
> Linux, and it does have a real name requirement. I'd rather not change
> any element of it without getting legal advice first.

It's a rule we cannot enforce and as such it is pointless imho. We can
encourage people to use their real name, but unless we start collecting
copies of IDs we can never be sure. Besides, how does a legal name make
the origin of a contribution more traceable? Say some proprietary code
ends up in Gentoo, and we trace this back to some commit which was
signed off by an external contributor, then what? How does the 'legal
name' help?

As a general rule of thumb, one should never collect personal
information that one does not strictly require. And at the moment I
still don't really understand why we *need* someone's 'legal name'
(especially given that we cannot verify it).