[gentoo-project] call for agenda items -- council meeting 2019-04-14

[gentoo-project] call for agenda items -- council meeting 2019-04-14

[William Hubbs]

[-- Attachment #1: Type: text/plain, Size: 260 bytes --]

Hi all,

two weeks from today (2019-04-14) the Gentoo Council will meet at
19:00 UTC in the #gentoo-council channel on freenode.

Please reply to this message with any items you would like us to put on
the agenda to discuss or vote on.

Thanks much,

William


[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 195 bytes --]

Re: [gentoo-project] call for agenda items -- council meeting 2019-04-14

[Michał Górny]

[-- Attachment #1: Type: text/plain, Size: 827 bytes --]

On Sun, 2019-03-31 at 22:20 -0500, William Hubbs wrote:
> Hi all,
> 
> two weeks from today (2019-04-14) the Gentoo Council will meet at
> 19:00 UTC in the #gentoo-council channel on freenode.
> 
> Please reply to this message with any items you would like us to put on
> the agenda to discuss or vote on.
> 

I have two GLEP-related items for vote:

1. GLEP 80 (identity verification via OpenPGP) [1abc],

2. A small update to GLEP 63 requiring encryption subkey [2ab].

[1a]:https://bugs.gentoo.org/682294
[1b]:https://www.gentoo.org/glep/glep-0080.html
[1c]:https://archives.gentoo.org/gentoo-project/message/9177c3c3dd9eacec4f74b8c9cd38131f
[2a]:https://bugs.gentoo.org/681802
[2b]:https://archives.gentoo.org/gentoo-dev/message/be1f2aa498ebbd7d83110b52c5a9260e

-- 
Best regards,
Michał Górny


[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 963 bytes --]

Re: [gentoo-project] call for agenda items -- council meeting 2019-04-14

[NP-Hardass]

[-- Attachment #1.1: Type: text/plain, Size: 882 bytes --]

On 3/31/19 11:20 PM, William Hubbs wrote:
> Hi all,
> 
> two weeks from today (2019-04-14) the Gentoo Council will meet at
> 19:00 UTC in the #gentoo-council channel on freenode.
> 
> Please reply to this message with any items you would like us to put on
> the agenda to discuss or vote on.
> 
> Thanks much,
> 
> William
> 

I'd like the council to discuss the issue and general trend of actions
(particularly recent) to restrict the ability of developers to
contribute to Gentoo.  In my view, efforts are being made to make
contributions as users substantially easier, while efforts are being
made to make being a developer substantially harder.  The months of
studying, quiz taking, and interviews set a bar that should make
contributions from those individuals that become developers easier than
the average user, not more difficult.

-- 
NP-Hardass


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

Re: [gentoo-project] call for agenda items -- council meeting 2019-04-14

[Alec Warner]

[-- Attachment #1: Type: text/plain, Size: 1180 bytes --]

On Wed, Apr 3, 2019 at 7:31 AM NP-Hardass <NP-Hardass@gentoo.org> wrote:

> On 3/31/19 11:20 PM, William Hubbs wrote:
> > Hi all,
> >
> > two weeks from today (2019-04-14) the Gentoo Council will meet at
> > 19:00 UTC in the #gentoo-council channel on freenode.
> >
> > Please reply to this message with any items you would like us to put on
> > the agenda to discuss or vote on.
> >
> > Thanks much,
> >
> > William
> >
>
> I'd like the council to discuss the issue and general trend of actions
> (particularly recent) to restrict the ability of developers to
> contribute to Gentoo.  In my view, efforts are being made to make
> contributions as users substantially easier, while efforts are being
> made to make being a developer substantially harder.  The months of
> studying, quiz taking, and interviews set a bar that should make
> contributions from those individuals that become developers easier than
> the average user, not more difficult.
>

This is a pretty vague statement, are there particular things you want the
council to review; or just the 'general trend'?
I'm not aware of any recent changes to the developer onboarding process.

-A


>
> --
> NP-Hardass
>
>

[-- Attachment #2: Type: text/html, Size: 1832 bytes --]

Re: [gentoo-project] call for agenda items -- council meeting 2019-04-14

[NP-Hardass]

[-- Attachment #1.1: Type: text/plain, Size: 3230 bytes --]

On 4/3/19 8:43 AM, Alec Warner wrote:
> 
> 
> On Wed, Apr 3, 2019 at 7:31 AM NP-Hardass <NP-Hardass@gentoo.org
> <mailto:NP-Hardass@gentoo.org>> wrote:
> 
>     On 3/31/19 11:20 PM, William Hubbs wrote:
>     > Hi all,
>     >
>     > two weeks from today (2019-04-14) the Gentoo Council will meet at
>     > 19:00 UTC in the #gentoo-council channel on freenode.
>     >
>     > Please reply to this message with any items you would like us to
>     put on
>     > the agenda to discuss or vote on.
>     >
>     > Thanks much,
>     >
>     > William
>     >
> 
>     I'd like the council to discuss the issue and general trend of actions
>     (particularly recent) to restrict the ability of developers to
>     contribute to Gentoo.  In my view, efforts are being made to make
>     contributions as users substantially easier, while efforts are being
>     made to make being a developer substantially harder.  The months of
>     studying, quiz taking, and interviews set a bar that should make
>     contributions from those individuals that become developers easier than
>     the average user, not more difficult.
> 
> 
> This is a pretty vague statement, are there particular things you want
> the council to review; or just the 'general trend'?
> I'm not aware of any recent changes to the developer onboarding process.
> 
> -A
>  
> 
> 
>     -- 
>     NP-Hardass
> 

Not just the onboarding, but the retention too.  General trend is what
I'm proposing should be discussed publicly during the meeting.

Three points:

At present time, everyone needs a "Real Name" to contribute.  A user,
with a new email address, can allege to be "Foo Bar" and contribute
without impediment, but, as recent proposals would have it, developers
would need to show proof of ID over video call to become part of the web
of trust for committing.  That effectively allows any user to remain
anonymous by using a false name, obviating a huge portion of the alleged
benefit to requiring names in the first place. So, developers can be
held to such a high standard that they can either no longer contribute,
while we trim eligible pool of new developers and compare that to the
ease with which any "named" contributor on github or bugzilla can do as
they please.

We currently have a RFC, just posted two days ago, for developers to be
regularly tested to maintain commit status.  Again, if the developer
feels like it, maybe it is easier for him/her to just become a plain old
user and submit patches, waiting on the (as I see it, dwindling,) amount
of active other developers ready to commit instead.

Totally anecdotal, I've seen developers that have fairly decent QA on
their own commits merge PRs from users without full review and
introducing a whole host of issues because code from users isn't always
vetted as thoroughly as ones own work.  So, I'd argue, the QA standards
of being a dev don't quite apply to you as stringently once you
downgrade to being a user...

At the end of the day, holding developers to higher standards than users
is a given, but it shouldn't be more onerous to be a developer than to
be a user contributing.

-- 
NP-Hardass


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

Re: [gentoo-project] call for agenda items -- council meeting 2019-04-14

[Andrew Savchenko]

[-- Attachment #1: Type: text/plain, Size: 5161 bytes --]

On Wed, 3 Apr 2019 10:04:36 -0400 NP-Hardass wrote:
> On 4/3/19 8:43 AM, Alec Warner wrote:
> > 
> > 
> > On Wed, Apr 3, 2019 at 7:31 AM NP-Hardass <NP-Hardass@gentoo.org
> > <mailto:NP-Hardass@gentoo.org>> wrote:
> > 
> >     On 3/31/19 11:20 PM, William Hubbs wrote:
> >     > Hi all,
> >     >
> >     > two weeks from today (2019-04-14) the Gentoo Council will meet at
> >     > 19:00 UTC in the #gentoo-council channel on freenode.
> >     >
> >     > Please reply to this message with any items you would like us to
> >     put on
> >     > the agenda to discuss or vote on.
> >     >
> >     > Thanks much,
> >     >
> >     > William
> >     >
> > 
> >     I'd like the council to discuss the issue and general trend of actions
> >     (particularly recent) to restrict the ability of developers to
> >     contribute to Gentoo.  In my view, efforts are being made to make
> >     contributions as users substantially easier, while efforts are being
> >     made to make being a developer substantially harder.  The months of
> >     studying, quiz taking, and interviews set a bar that should make
> >     contributions from those individuals that become developers easier than
> >     the average user, not more difficult.
> > 
> > 
> > This is a pretty vague statement, are there particular things you want
> > the council to review; or just the 'general trend'?
> > I'm not aware of any recent changes to the developer onboarding process.
> > 
> > -A
> >  
> > 
> > 
> >     -- 
> >     NP-Hardass
> > 
> 
> Not just the onboarding, but the retention too.  General trend is what
> I'm proposing should be discussed publicly during the meeting.
> 
> Three points:
> 
> At present time, everyone needs a "Real Name" to contribute.  A user,
> with a new email address, can allege to be "Foo Bar" and contribute
> without impediment, but, as recent proposals would have it, developers
> would need to show proof of ID over video call to become part of the web
> of trust for committing.  That effectively allows any user to remain
> anonymous by using a false name, obviating a huge portion of the alleged
> benefit to requiring names in the first place. So, developers can be
> held to such a high standard that they can either no longer contribute,
> while we trim eligible pool of new developers and compare that to the
> ease with which any "named" contributor on github or bugzilla can do as
> they please.
> 
> We currently have a RFC, just posted two days ago, for developers to be
> regularly tested to maintain commit status.  Again, if the developer
> feels like it, maybe it is easier for him/her to just become a plain old
> user and submit patches, waiting on the (as I see it, dwindling,) amount
> of active other developers ready to commit instead.

That RFC was issued on 1st April, so I assume it to be an ill joke.

> Totally anecdotal, I've seen developers that have fairly decent QA on
> their own commits merge PRs from users without full review and
> introducing a whole host of issues because code from users isn't always
> vetted as thoroughly as ones own work.  So, I'd argue, the QA standards
> of being a dev don't quite apply to you as stringently once you
> downgrade to being a user...
> 
> At the end of the day, holding developers to higher standards than users
> is a given, but it shouldn't be more onerous to be a developer than to
> be a user contributing.

As you already noted, users also have to sign-off contributions with
their real names, though we have no way to verify those names, as
well as for developers actually.

Will all due respect GLEP76 was prepared by people without much
legal expertise and creates more problems than solves. The part of
GLEP76 mandating real name signatures *must* be amended.

Why? We have no way to verify that provided names are valid or that
provided ID's are valid. At least in my jurisdiction such
information collected can't be used for legal action or protection
without following established government-assisted verification
procedure. In other jurisdictions similar problems may and will
arise. Additional problem is personal data collection, it is
restricted or heavily regulated in many countries. One can't just
demand to show an ID via electronic means without following
complicated data protection procedures which are likely to be
incompatible between jurisdictions.

So the real name requirement gives us no real protection from
possible cases, but creates real and serious problems by kicking
active developers and contributors from further contributions.
NP-Hardass is not the only one. I invited some gifted people with
high quality out-of-tree work to become contributors or developers,
but due to hostile attitude towards anonymous contributors they
can't join. And people want to stay anonymous for good reasons,
because they are engaged with privacy oriented development.

We are loosing real people, real contributions and real community.
What for? For solving imaginary problems with inappropriate tools.

Best regards,
Andrew Savchenko

[-- Attachment #2: Type: application/pgp-signature, Size: 833 bytes --]

Re: [gentoo-project] call for agenda items -- council meeting 2019-04-14

[Andrew Savchenko]

[-- Attachment #1: Type: text/plain, Size: 7223 bytes --]

On Wed, 3 Apr 2019 17:43:15 +0300 Andrew Savchenko wrote:
> On Wed, 3 Apr 2019 10:04:36 -0400 NP-Hardass wrote:
> > On 4/3/19 8:43 AM, Alec Warner wrote:
> > > 
> > > 
> > > On Wed, Apr 3, 2019 at 7:31 AM NP-Hardass <NP-Hardass@gentoo.org
> > > <mailto:NP-Hardass@gentoo.org>> wrote:
> > > 
> > >     On 3/31/19 11:20 PM, William Hubbs wrote:
> > >     > Hi all,
> > >     >
> > >     > two weeks from today (2019-04-14) the Gentoo Council will meet at
> > >     > 19:00 UTC in the #gentoo-council channel on freenode.
> > >     >
> > >     > Please reply to this message with any items you would like us to
> > >     put on
> > >     > the agenda to discuss or vote on.
> > >     >
> > >     > Thanks much,
> > >     >
> > >     > William
> > >     >
> > > 
> > >     I'd like the council to discuss the issue and general trend of actions
> > >     (particularly recent) to restrict the ability of developers to
> > >     contribute to Gentoo.  In my view, efforts are being made to make
> > >     contributions as users substantially easier, while efforts are being
> > >     made to make being a developer substantially harder.  The months of
> > >     studying, quiz taking, and interviews set a bar that should make
> > >     contributions from those individuals that become developers easier than
> > >     the average user, not more difficult.
> > > 
> > > 
> > > This is a pretty vague statement, are there particular things you want
> > > the council to review; or just the 'general trend'?
> > > I'm not aware of any recent changes to the developer onboarding process.
> > > 
> > > -A
> > >  
> > > 
> > > 
> > >     -- 
> > >     NP-Hardass
> > > 
> > 
> > Not just the onboarding, but the retention too.  General trend is what
> > I'm proposing should be discussed publicly during the meeting.
> > 
> > Three points:
> > 
> > At present time, everyone needs a "Real Name" to contribute.  A user,
> > with a new email address, can allege to be "Foo Bar" and contribute
> > without impediment, but, as recent proposals would have it, developers
> > would need to show proof of ID over video call to become part of the web
> > of trust for committing.  That effectively allows any user to remain
> > anonymous by using a false name, obviating a huge portion of the alleged
> > benefit to requiring names in the first place. So, developers can be
> > held to such a high standard that they can either no longer contribute,
> > while we trim eligible pool of new developers and compare that to the
> > ease with which any "named" contributor on github or bugzilla can do as
> > they please.
> > 
> > We currently have a RFC, just posted two days ago, for developers to be
> > regularly tested to maintain commit status.  Again, if the developer
> > feels like it, maybe it is easier for him/her to just become a plain old
> > user and submit patches, waiting on the (as I see it, dwindling,) amount
> > of active other developers ready to commit instead.
> 
> That RFC was issued on 1st April, so I assume it to be an ill joke.
> 
> > Totally anecdotal, I've seen developers that have fairly decent QA on
> > their own commits merge PRs from users without full review and
> > introducing a whole host of issues because code from users isn't always
> > vetted as thoroughly as ones own work.  So, I'd argue, the QA standards
> > of being a dev don't quite apply to you as stringently once you
> > downgrade to being a user...
> > 
> > At the end of the day, holding developers to higher standards than users
> > is a given, but it shouldn't be more onerous to be a developer than to
> > be a user contributing.
> 
> As you already noted, users also have to sign-off contributions with
> their real names, though we have no way to verify those names, as
> well as for developers actually.
> 
> Will all due respect GLEP76 was prepared by people without much
> legal expertise and creates more problems than solves. The part of
> GLEP76 mandating real name signatures *must* be amended.
> 
> Why? We have no way to verify that provided names are valid or that
> provided ID's are valid. At least in my jurisdiction such
> information collected can't be used for legal action or protection
> without following established government-assisted verification
> procedure. In other jurisdictions similar problems may and will
> arise. Additional problem is personal data collection, it is
> restricted or heavily regulated in many countries. One can't just
> demand to show an ID via electronic means without following
> complicated data protection procedures which are likely to be
> incompatible between jurisdictions.
> 
> So the real name requirement gives us no real protection from
> possible cases, but creates real and serious problems by kicking
> active developers and contributors from further contributions.
> NP-Hardass is not the only one. I invited some gifted people with
> high quality out-of-tree work to become contributors or developers,
> but due to hostile attitude towards anonymous contributors they
> can't join. And people want to stay anonymous for good reasons,
> because they are engaged with privacy oriented development.
> 
> We are loosing real people, real contributions and real community.
> What for? For solving imaginary problems with inappropriate tools.

Since the Council usually makes decisions on some specific proposals
and not on vague ideas, here is my proposal on this subject: keep real
name as a recommendation, not as a requirement. See a draft patch to
GLEP 76 below. It is not intended to be a final wording, but it
shows the idea.

diff --git a/glep-0076.rst b/glep-0076.rst
index 9d5aa79..b16fae7 100644
--- a/glep-0076.rst
+++ b/glep-0076.rst
@@ -137,8 +137,9 @@ the Certificate of Origin by adding ::
     Signed-off-by: Name <e-mail>
 
 to the commit message as a separate line.  The sign-off must contain
-the committer's legal name as a natural person, i.e., the name that
-would appear in a government issued document.
+either the committer's legal name as a natural person, i.e., the name
+that would appear in a government issued document or the pseudonym.
+Usage of the legal name is recommended.
 
 The following is the current Gentoo Certificate of Origin, revision 1:
 
@@ -242,10 +243,9 @@ to protect the Gentoo infrastructure owners and improve consistency.
 
 The copyright model is built on the DCO model used by the Linux kernel
 and requires all contributors to certify the legitimacy of their
-contributions.  This also requires that they use their real name for
-signing; an anonymous certification or one under a pseudonym would not
-mean anything.  This policy is derived from the Linux project's policy
-[#SUBMITTING-PATCHES]_.
+contributions. This also requires that they use their real name
+(recommended) or a pseudonym for signing. This policy is derived from the
+Linux project's policy [#SUBMITTING-PATCHES]_.
 
 In the future, a second stage of this policy may use a combination of
 the DCO model and an FLA model [#FLA]_ as it is used by different open


Best regards,
Andrew Savchenko

[-- Attachment #2: Type: application/pgp-signature, Size: 833 bytes --]

Re: [gentoo-project] call for agenda items -- council meeting 2019-04-14

[Michael Everitt]

[-- Attachment #1.1: Type: text/plain, Size: 8291 bytes --]

On 03/04/19 19:12, Andrew Savchenko wrote:
> On Wed, 3 Apr 2019 17:43:15 +0300 Andrew Savchenko wrote:
>> On Wed, 3 Apr 2019 10:04:36 -0400 NP-Hardass wrote:
>>> On 4/3/19 8:43 AM, Alec Warner wrote:
>>>>
>>>> On Wed, Apr 3, 2019 at 7:31 AM NP-Hardass <NP-Hardass@gentoo.org
>>>> <mailto:NP-Hardass@gentoo.org>> wrote:
>>>>
>>>>     On 3/31/19 11:20 PM, William Hubbs wrote:
>>>>     > Hi all,
>>>>     >
>>>>     > two weeks from today (2019-04-14) the Gentoo Council will meet at
>>>>     > 19:00 UTC in the #gentoo-council channel on freenode.
>>>>     >
>>>>     > Please reply to this message with any items you would like us to
>>>>     put on
>>>>     > the agenda to discuss or vote on.
>>>>     >
>>>>     > Thanks much,
>>>>     >
>>>>     > William
>>>>     >
>>>>
>>>>     I'd like the council to discuss the issue and general trend of actions
>>>>     (particularly recent) to restrict the ability of developers to
>>>>     contribute to Gentoo.  In my view, efforts are being made to make
>>>>     contributions as users substantially easier, while efforts are being
>>>>     made to make being a developer substantially harder.  The months of
>>>>     studying, quiz taking, and interviews set a bar that should make
>>>>     contributions from those individuals that become developers easier than
>>>>     the average user, not more difficult.
>>>>
>>>>
>>>> This is a pretty vague statement, are there particular things you want
>>>> the council to review; or just the 'general trend'?
>>>> I'm not aware of any recent changes to the developer onboarding process.
>>>>
>>>> -A
>>>>  
>>>>
>>>>
>>>>     -- 
>>>>     NP-Hardass
>>>>
>>> Not just the onboarding, but the retention too.  General trend is what
>>> I'm proposing should be discussed publicly during the meeting.
>>>
>>> Three points:
>>>
>>> At present time, everyone needs a "Real Name" to contribute.  A user,
>>> with a new email address, can allege to be "Foo Bar" and contribute
>>> without impediment, but, as recent proposals would have it, developers
>>> would need to show proof of ID over video call to become part of the web
>>> of trust for committing.  That effectively allows any user to remain
>>> anonymous by using a false name, obviating a huge portion of the alleged
>>> benefit to requiring names in the first place. So, developers can be
>>> held to such a high standard that they can either no longer contribute,
>>> while we trim eligible pool of new developers and compare that to the
>>> ease with which any "named" contributor on github or bugzilla can do as
>>> they please.
>>>
>>> We currently have a RFC, just posted two days ago, for developers to be
>>> regularly tested to maintain commit status.  Again, if the developer
>>> feels like it, maybe it is easier for him/her to just become a plain old
>>> user and submit patches, waiting on the (as I see it, dwindling,) amount
>>> of active other developers ready to commit instead.
>> That RFC was issued on 1st April, so I assume it to be an ill joke.
>>
>>> Totally anecdotal, I've seen developers that have fairly decent QA on
>>> their own commits merge PRs from users without full review and
>>> introducing a whole host of issues because code from users isn't always
>>> vetted as thoroughly as ones own work.  So, I'd argue, the QA standards
>>> of being a dev don't quite apply to you as stringently once you
>>> downgrade to being a user...
>>>
>>> At the end of the day, holding developers to higher standards than users
>>> is a given, but it shouldn't be more onerous to be a developer than to
>>> be a user contributing.
>> As you already noted, users also have to sign-off contributions with
>> their real names, though we have no way to verify those names, as
>> well as for developers actually.
>>
>> Will all due respect GLEP76 was prepared by people without much
>> legal expertise and creates more problems than solves. The part of
>> GLEP76 mandating real name signatures *must* be amended.
>>
>> Why? We have no way to verify that provided names are valid or that
>> provided ID's are valid. At least in my jurisdiction such
>> information collected can't be used for legal action or protection
>> without following established government-assisted verification
>> procedure. In other jurisdictions similar problems may and will
>> arise. Additional problem is personal data collection, it is
>> restricted or heavily regulated in many countries. One can't just
>> demand to show an ID via electronic means without following
>> complicated data protection procedures which are likely to be
>> incompatible between jurisdictions.
>>
>> So the real name requirement gives us no real protection from
>> possible cases, but creates real and serious problems by kicking
>> active developers and contributors from further contributions.
>> NP-Hardass is not the only one. I invited some gifted people with
>> high quality out-of-tree work to become contributors or developers,
>> but due to hostile attitude towards anonymous contributors they
>> can't join. And people want to stay anonymous for good reasons,
>> because they are engaged with privacy oriented development.
>>
>> We are loosing real people, real contributions and real community.
>> What for? For solving imaginary problems with inappropriate tools.
> Since the Council usually makes decisions on some specific proposals
> and not on vague ideas, here is my proposal on this subject: keep real
> name as a recommendation, not as a requirement. See a draft patch to
> GLEP 76 below. It is not intended to be a final wording, but it
> shows the idea.
>
> diff --git a/glep-0076.rst b/glep-0076.rst
> index 9d5aa79..b16fae7 100644
> --- a/glep-0076.rst
> +++ b/glep-0076.rst
> @@ -137,8 +137,9 @@ the Certificate of Origin by adding ::
>      Signed-off-by: Name <e-mail>
>  
>  to the commit message as a separate line.  The sign-off must contain
> -the committer's legal name as a natural person, i.e., the name that
> -would appear in a government issued document.
> +either the committer's legal name as a natural person, i.e., the name
> +that would appear in a government issued document or the pseudonym.
> +Usage of the legal name is recommended.
>  
>  The following is the current Gentoo Certificate of Origin, revision 1:
>  
> @@ -242,10 +243,9 @@ to protect the Gentoo infrastructure owners and improve consistency.
>  
>  The copyright model is built on the DCO model used by the Linux kernel
>  and requires all contributors to certify the legitimacy of their
> -contributions.  This also requires that they use their real name for
> -signing; an anonymous certification or one under a pseudonym would not
> -mean anything.  This policy is derived from the Linux project's policy
> -[#SUBMITTING-PATCHES]_.
> +contributions. This also requires that they use their real name
> +(recommended) or a pseudonym for signing. This policy is derived from the
> +Linux project's policy [#SUBMITTING-PATCHES]_.
>  
>  In the future, a second stage of this policy may use a combination of
>  the DCO model and an FLA model [#FLA]_ as it is used by different open
>
>
> Best regards,
> Andrew Savchenko
I would also note, that I know several people using pseudonyms whose real
identity I don't, and have no wish to, know; who have documents verifying
their right to use said pseudonym as their legal identity. Therefore if you
were insistent on pursuing copyright claims, you could equally use said
identity to carry out such procedures. In reality, I don't see Gentoo
pursuing any legal cases, nor having to address any copyright claims, as I
have certainly seen no requests to either the Council as governing body NOR
trustees as the legal entity representing Gentoo Linux.

IANAL, but I certainly agree with the synopsis that the council is somewhat
obsessed with "... solving imaginary problems with inappropriate tools".

Let's see some Real World examples of situations that have caused the
council a problem (no I don't want a whole bunch more straw men made), and
I invite the trustees to present real world cases of enquiries they have
received relating to such issues.


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 801 bytes --]

Re: [gentoo-project] call for agenda items -- council meeting 2019-04-14

[Michał Górny]

[-- Attachment #1: Type: text/plain, Size: 2675 bytes --]

On Wed, 2019-04-03 at 17:43 +0300, Andrew Savchenko wrote:
> Why? We have no way to verify that provided names are valid or that
> provided ID's are valid. At least in my jurisdiction such
> information collected can't be used for legal action or protection
> without following established government-assisted verification
> procedure. In other jurisdictions similar problems may and will
> arise.

'Perfect is the enemy of good'.  Claiming that you can't be 100% sure
that someone's giving his real name doesn't imply that everyone is using
fake names.  Or that it makes no sense to use them.

> Additional problem is personal data collection, it is
> restricted or heavily regulated in many countries. One can't just
> demand to show an ID via electronic means without following
> complicated data protection procedures which are likely to be
> incompatible between jurisdictions.

Do you have any proof of that, or are you just basing your comments
on the common concept of misunderstanding GDPR and extending it to match
your private interest?

> So the real name requirement gives us no real protection from
> possible cases, but creates real and serious problems by kicking
> active developers and contributors from further contributions.
> NP-Hardass is not the only one. 

Do you have any proof of that?  As far as I'm concerned, we're pretty
clear that NP-Hardass can't contribute to Gentoo, and that his previous
contributions shouldn't have been accepted in the first place (and why
Trustees agreed to them is another problem).  Are you going to take
legal and financial responsibility if his employer claims copyright to
his contributions?  And if you say yes, are you going to really take it
or go with the forementioned attitude that we can't legally force you
to?

> I invited some gifted people with
> high quality out-of-tree work to become contributors or developers,
> but due to hostile attitude towards anonymous contributors they
> can't join. And people want to stay anonymous for good reasons,
> because they are engaged with privacy oriented development.

This is a very vague statement that sounds like serious overstatement
with no proof, aimed purely to force emotional reaction to support your
proposal.  If you really want to propose something meaningful, I'd
really appreciate if you used real evidence to support it rather than
vague claims.

> We are loosing real people, real contributions and real community.
> What for? For solving imaginary problems with inappropriate tools.
> 

Thank you for telling us that copyright is an imaginary problem.

-- 
Best regards,
Michał Górny


[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 963 bytes --]

Re: [gentoo-project] call for agenda items -- council meeting 2019-04-14

[Alec Warner]

[-- Attachment #1: Type: text/plain, Size: 5593 bytes --]

On Wed, Apr 3, 2019 at 2:44 PM Michał Górny <mgorny@gentoo.org> wrote:

> On Wed, 2019-04-03 at 17:43 +0300, Andrew Savchenko wrote:
> > Why? We have no way to verify that provided names are valid or that
> > provided ID's are valid. At least in my jurisdiction such
> > information collected can't be used for legal action or protection
> > without following established government-assisted verification
> > procedure. In other jurisdictions similar problems may and will
> > arise.
>
> 'Perfect is the enemy of good'.  Claiming that you can't be 100% sure
> that someone's giving his real name doesn't imply that everyone is using
> fake names.  Or that it makes no sense to use them.
>
> > Additional problem is personal data collection, it is
> > restricted or heavily regulated in many countries. One can't just
> > demand to show an ID via electronic means without following
> > complicated data protection procedures which are likely to be
> > incompatible between jurisdictions.
>
> Do you have any proof of that, or are you just basing your comments
> on the common concept of misunderstanding GDPR and extending it to match
> your private interest?
>
> > So the real name requirement gives us no real protection from
> > possible cases, but creates real and serious problems by kicking
> > active developers and contributors from further contributions.
> > NP-Hardass is not the only one.
>
> Do you have any proof of that?  As far as I'm concerned, we're pretty
> clear that NP-Hardass can't contribute to Gentoo, and that his previous
> contributions shouldn't have been accepted in the first place (and why
> Trustees agreed to them is another problem).  Are you going to take
> legal and financial responsibility if his employer claims copyright to
> his contributions?  And if you say yes, are you going to really take it
> or go with the forementioned attitude that we can't legally force you
> to?
>

Under the current policy we do not accept contributions from contributors
whose names we believe are not real identities. The current policy says
nothing about previous contributions; almost everyone who contributed to
Gentoo over the past 20 years did so without signing anything, without
identity verification, and with no DCO. Those commits were accepted and
continue to be accepted until we decide otherwise. I don't like the way you
construe the previous work of hundreds of people who contributed to the
project; I find the idea that we should never have accepted these
contributions to be pretty offensive.

You are free to blame the organization for having bad policies (and you do
and I'm the board President and I will 1000% take the blame) but don't for
a minute blame people who are just trying to contribute and following the
policies that the project had at the time. As you wrote above "perfect is
the enemy of the good" and if we rejected the previous 20 years of work
we'd have basically nothing, so we accept that risk as a cost of continuing
to exist as a Foundation. No business operates with zero risk.


>
> > I invited some gifted people with
> > high quality out-of-tree work to become contributors or developers,
> > but due to hostile attitude towards anonymous contributors they
> > can't join. And people want to stay anonymous for good reasons,
> > because they are engaged with privacy oriented development.
>

> This is a very vague statement that sounds like serious overstatement
> with no proof, aimed purely to force emotional reaction to support your
> proposal.  If you really want to propose something meaningful, I'd
> really appreciate if you used real evidence to support it rather than
> vague claims.
>

> > We are loosing real people, real contributions and real community.
> > What for? For solving imaginary problems with inappropriate tools.
> >
>
> Thank you for telling us that copyright is an imaginary problem.
>

Your words are like knives, and this leads to a perception of antagonism.

1) The policies of the project currently prioritize a knowledge of where
commits come from in order to eventually reduce liability risk for the
project.
2) I firmly do not believe the project has anything against anonymous /
pseudonymous contributors (nor should it; if you think it does I'm happy to
amend bylaws, GLEPs, and any other charter documents to state that we have
nothing against that type of contribution.)
3) The current policy makes it difficult to contribute in this way; because
we have this trade-off we have made where we want to know where commits
come from for legal reasons.)

Its OK to say "Hi X, we cannot accept your anonymous / pseudonymous
contribution because of this policy, and we made this policy to solve a
problem of copyright liability for the organization."
I don't think its OK to say "Hi X, its completely unreasonable to want to
contribute to Gentoo in an Anonymous or Pseudonymous manner; please file
your identity papers to me immediately!"

My reading is your comments are closer to the latter than the former; I'm
just not sure why that is.

I think its perfectly sane to ask "how can we build an organization where
we can accept pseudonymous contributions and contain our liability for code
from unverified contributors?" and have people interested in that write up
and vet proposals. I get that its a complex and difficult problem area;
maybe none of the proposals will work! but that doesn't meant we shouldn't
try to do it.


>
> --
> Best regards,
> Michał Górny
>
>

[-- Attachment #2: Type: text/html, Size: 6894 bytes --]

Re: [gentoo-project] call for agenda items -- council meeting 2019-04-14

[Michael Everitt]

[-- Attachment #1.1.1: Type: text/plain, Size: 6019 bytes --]

On 03/04/19 23:35, Alec Warner wrote:
> On Wed, Apr 3, 2019 at 2:44 PM Michał Górny <mgorny@gentoo.org
> <mailto:mgorny@gentoo.org>> wrote:
>
>     On Wed, 2019-04-03 at 17:43 +0300, Andrew Savchenko wrote:
>     > Why? We have no way to verify that provided names are valid or that
>     > provided ID's are valid. At least in my jurisdiction such
>     > information collected can't be used for legal action or protection
>     > without following established government-assisted verification
>     > procedure. In other jurisdictions similar problems may and will
>     > arise.
>
>     'Perfect is the enemy of good'.  Claiming that you can't be 100% sure
>     that someone's giving his real name doesn't imply that everyone is using
>     fake names.  Or that it makes no sense to use them.
>
>     > Additional problem is personal data collection, it is
>     > restricted or heavily regulated in many countries. One can't just
>     > demand to show an ID via electronic means without following
>     > complicated data protection procedures which are likely to be
>     > incompatible between jurisdictions.
>
>     Do you have any proof of that, or are you just basing your comments
>     on the common concept of misunderstanding GDPR and extending it to match
>     your private interest?
>
>     > So the real name requirement gives us no real protection from
>     > possible cases, but creates real and serious problems by kicking
>     > active developers and contributors from further contributions.
>     > NP-Hardass is not the only one.
>
>     Do you have any proof of that?  As far as I'm concerned, we're pretty
>     clear that NP-Hardass can't contribute to Gentoo, and that his previous
>     contributions shouldn't have been accepted in the first place (and why
>     Trustees agreed to them is another problem).  Are you going to take
>     legal and financial responsibility if his employer claims copyright to
>     his contributions?  And if you say yes, are you going to really take it
>     or go with the forementioned attitude that we can't legally force you
>     to?
>
>
> Under the current policy we do not accept contributions from contributors
> whose names we believe are not real identities. The current policy says
> nothing about previous contributions; almost everyone who contributed to
> Gentoo over the past 20 years did so without signing anything, without
> identity verification, and with no DCO. Those commits were accepted and
> continue to be accepted until we decide otherwise. I don't like the way
> you construe the previous work of hundreds of people who contributed to
> the project; I find the idea that we should never have accepted these
> contributions to be pretty offensive.
>
> You are free to blame the organization for having bad policies (and you
> do and I'm the board President and I will 1000% take the blame) but don't
> for a minute blame people who are just trying to contribute and following
> the policies that the project had at the time. As you wrote above
> "perfect is the enemy of the good" and if we rejected the previous 20
> years of work we'd have basically nothing, so we accept that risk as a
> cost of continuing to exist as a Foundation. No business operates with
> zero risk.
>  
>
>
>     > I invited some gifted people with
>     > high quality out-of-tree work to become contributors or developers,
>     > but due to hostile attitude towards anonymous contributors they
>     > can't join. And people want to stay anonymous for good reasons,
>     > because they are engaged with privacy oriented development.
>
>
>     This is a very vague statement that sounds like serious overstatement
>     with no proof, aimed purely to force emotional reaction to support your
>     proposal.  If you really want to propose something meaningful, I'd
>     really appreciate if you used real evidence to support it rather than
>     vague claims.
>
>
>     > We are loosing real people, real contributions and real community.
>     > What for? For solving imaginary problems with inappropriate tools.
>     >
>
>     Thank you for telling us that copyright is an imaginary problem.
>
>
> Your words are like knives, and this leads to a perception of antagonism.
>
> 1) The policies of the project currently prioritize a knowledge of where
> commits come from in order to eventually reduce liability risk for the
> project.
> 2) I firmly do not believe the project has anything against anonymous /
> pseudonymous contributors (nor should it; if you think it does I'm happy
> to amend bylaws, GLEPs, and any other charter documents to state that we
> have nothing against that type of contribution.)
> 3) The current policy makes it difficult to contribute in this way;
> because we have this trade-off we have made where we want to know where
> commits come from for legal reasons.)
>
> Its OK to say "Hi X, we cannot accept your anonymous / pseudonymous
> contribution because of this policy, and we made this policy to solve a
> problem of copyright liability for the organization."
> I don't think its OK to say "Hi X, its completely unreasonable to want to
> contribute to Gentoo in an Anonymous or Pseudonymous manner; please file
> your identity papers to me immediately!"
>
> My reading is your comments are closer to the latter than the former; I'm
> just not sure why that is.
>
> I think its perfectly sane to ask "how can we build an organization where
> we can accept pseudonymous contributions and contain our liability for
> code from unverified contributors?" and have people interested in that
> write up and vet proposals. I get that its a complex and difficult
> problem area; maybe none of the proposals will work! but that doesn't
> meant we shouldn't try to do it.
>  
>
>
>     -- 
>     Best regards,
>     Michał Górny
>
Thank you, Alec, for your rather-more-balanced approach.

[-- Attachment #1.1.2: Type: text/html, Size: 9594 bytes --]

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 801 bytes --]

Re: [gentoo-project] call for agenda items -- council meeting 2019-04-14

[Michał Górny]

[-- Attachment #1: Type: text/plain, Size: 7271 bytes --]

On Wed, 2019-04-03 at 18:35 -0400, Alec Warner wrote:
> On Wed, Apr 3, 2019 at 2:44 PM Michał Górny <mgorny@gentoo.org> wrote:
> 
> > On Wed, 2019-04-03 at 17:43 +0300, Andrew Savchenko wrote:
> > > Why? We have no way to verify that provided names are valid or that
> > > provided ID's are valid. At least in my jurisdiction such
> > > information collected can't be used for legal action or protection
> > > without following established government-assisted verification
> > > procedure. In other jurisdictions similar problems may and will
> > > arise.
> > 
> > 'Perfect is the enemy of good'.  Claiming that you can't be 100% sure
> > that someone's giving his real name doesn't imply that everyone is using
> > fake names.  Or that it makes no sense to use them.
> > 
> > > Additional problem is personal data collection, it is
> > > restricted or heavily regulated in many countries. One can't just
> > > demand to show an ID via electronic means without following
> > > complicated data protection procedures which are likely to be
> > > incompatible between jurisdictions.
> > 
> > Do you have any proof of that, or are you just basing your comments
> > on the common concept of misunderstanding GDPR and extending it to match
> > your private interest?
> > 
> > > So the real name requirement gives us no real protection from
> > > possible cases, but creates real and serious problems by kicking
> > > active developers and contributors from further contributions.
> > > NP-Hardass is not the only one.
> > 
> > Do you have any proof of that?  As far as I'm concerned, we're pretty
> > clear that NP-Hardass can't contribute to Gentoo, and that his previous
> > contributions shouldn't have been accepted in the first place (and why
> > Trustees agreed to them is another problem).  Are you going to take
> > legal and financial responsibility if his employer claims copyright to
> > his contributions?  And if you say yes, are you going to really take it
> > or go with the forementioned attitude that we can't legally force you
> > to?
> > 
> 
> Under the current policy we do not accept contributions from contributors
> whose names we believe are not real identities. The current policy says
> nothing about previous contributions; almost everyone who contributed to
> Gentoo over the past 20 years did so without signing anything, without
> identity verification, and with no DCO. Those commits were accepted and
> continue to be accepted until we decide otherwise. I don't like the way you
> construe the previous work of hundreds of people who contributed to the
> project; I find the idea that we should never have accepted these
> contributions to be pretty offensive.
> 
> You are free to blame the organization for having bad policies (and you do
> and I'm the board President and I will 1000% take the blame) but don't for
> a minute blame people who are just trying to contribute and following the
> policies that the project had at the time. As you wrote above "perfect is
> the enemy of the good" and if we rejected the previous 20 years of work
> we'd have basically nothing, so we accept that risk as a cost of continuing
> to exist as a Foundation. No business operates with zero risk.

I'm sorry.  I don't know what exact knowledge people who made those
decisions had.  I'm just saying that if you know that someone is hiding
his contributions to Gentoo from his employer, and if you know that
employers often claim copyright to all work their employees do... you
get the picture, right?

And no, I'm not saying people will sue the hell out of us, take all our
money, arrest all developers they can.  What I'm really worried about is
that if they claim copyright to those contributions, we will have to
spend a lot of work finding all his contributions and replacing them
with unencumbered code.  And it will be especially hard to prove we
aren't copying that copyrighted code given that ebuilds are very uniform
by nature.

> > > I invited some gifted people with
> > > high quality out-of-tree work to become contributors or developers,
> > > but due to hostile attitude towards anonymous contributors they
> > > can't join. And people want to stay anonymous for good reasons,
> > > because they are engaged with privacy oriented development.
> > This is a very vague statement that sounds like serious overstatement
> > with no proof, aimed purely to force emotional reaction to support your
> > proposal.  If you really want to propose something meaningful, I'd
> > really appreciate if you used real evidence to support it rather than
> > vague claims.
> > 
> > > We are loosing real people, real contributions and real community.
> > > What for? For solving imaginary problems with inappropriate tools.
> > > 
> > 
> > Thank you for telling us that copyright is an imaginary problem.
> > 
> 
> Your words are like knives, and this leads to a perception of antagonism.

...and accusing Council of 'solving imaginary problems' is not?  As far
as I'm concerned, that's a *very antagonistic* statement, and seriously
undermining Council's professionality.

> 1) The policies of the project currently prioritize a knowledge of where
> commits come from in order to eventually reduce liability risk for the
> project.
> 2) I firmly do not believe the project has anything against anonymous /
> pseudonymous contributors (nor should it; if you think it does I'm happy to
> amend bylaws, GLEPs, and any other charter documents to state that we have
> nothing against that type of contribution.)
> 3) The current policy makes it difficult to contribute in this way; because
> we have this trade-off we have made where we want to know where commits
> come from for legal reasons.)
> 
> Its OK to say "Hi X, we cannot accept your anonymous / pseudonymous
> contribution because of this policy, and we made this policy to solve a
> problem of copyright liability for the organization."
> I don't think its OK to say "Hi X, its completely unreasonable to want to
> contribute to Gentoo in an Anonymous or Pseudonymous manner; please file
> your identity papers to me immediately!"
> 
> My reading is your comments are closer to the latter than the former; I'm
> just not sure why that is.
> 
> I think its perfectly sane to ask "how can we build an organization where
> we can accept pseudonymous contributions and contain our liability for code
> from unverified contributors?" and have people interested in that write up
> and vet proposals. I get that its a complex and difficult problem area;
> maybe none of the proposals will work! but that doesn't meant we shouldn't
> try to do it.

This seems to entirely miss the point taken from Linux policy, and focus
on the 'Gentoo is Foundation' model.  It's not.  Gentoo is distributed
to all our users, and all our users need to be able to verify that
the code comes from contributors who are actually allowed to contribute.
They can't really hit 'Foundation has this data somewhere in secret'
wall.  If not anything else, this makes the project non-transparent,
and raises serious doubts whether users can actually trust it.

-- 
Best regards,
Michał Górny


[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 963 bytes --]

Re: [gentoo-project] call for agenda items -- council meeting 2019-04-14

[Gokturk Yuksek]

[-- Attachment #1.1: Type: text/plain, Size: 4778 bytes --]

Hi,

I'd like to voice my opinion on the matter as well. Full disclosure:
NP-Hardass is my mentor and I also had a co-maintainer who has been
distressed by the enforcement of the GLEP.

Michał Górny:
> On Wed, 2019-04-03 at 17:43 +0300, Andrew Savchenko wrote:
>> Why? We have no way to verify that provided names are valid or that
>> provided ID's are valid. At least in my jurisdiction such
>> information collected can't be used for legal action or protection
>> without following established government-assisted verification
>> procedure. In other jurisdictions similar problems may and will
>> arise.
> 
> 'Perfect is the enemy of good'.  Claiming that you can't be 100% sure
> that someone's giving his real name doesn't imply that everyone is using
> fake names.  Or that it makes no sense to use them.
> 

I understand that but it creates problems with the consistent
enforcement of the policy. There are no clear guidelines as to how we
decide who requires identity validation and who doesn't. We don't even
know who is tasked with making the request and performing the
validation. If I work with a user and I am convinced that they provide
their real name, is that sufficient for the foundation? Can I
arbitrarily be suspicious of any user and demand them to provide their
identity?

>> Additional problem is personal data collection, it is
>> restricted or heavily regulated in many countries. One can't just
>> demand to show an ID via electronic means without following
>> complicated data protection procedures which are likely to be
>> incompatible between jurisdictions.
> 
> Do you have any proof of that, or are you just basing your comments
> on the common concept of misunderstanding GDPR and extending it to match
> your private interest?
> 

At the very least, insecure transportation and storage of legal
documents has a potential to lead to identity theft, which makes it a
legal liability in and of itself. I don't think we should be dismissive
on this point.

>> So the real name requirement gives us no real protection from
>> possible cases, but creates real and serious problems by kicking
>> active developers and contributors from further contributions.
>> NP-Hardass is not the only one. 
> 
> Do you have any proof of that?  As far as I'm concerned, we're pretty
> clear that NP-Hardass can't contribute to Gentoo, and that his previous
> contributions shouldn't have been accepted in the first place (and why
> Trustees agreed to them is another problem).  Are you going to take
> legal and financial responsibility if his employer claims copyright to
> his contributions?  And if you say yes, are you going to really take it
> or go with the forementioned attitude that we can't legally force you
> to?
> 

I do disagree on this point. I believe the Foundation did take
appropriate measures to reduce the legal liability when he was
recruited. I think it should have been clearly explained how he has
become a legal liability to the Foundation before his access was taken
away from him.

You also bring up a more interesting point here. If I work with a user
who has lied to me about their identity, and their employer decided to
take it to court, who is liable? Am I at fault for having good faith or
is it a neglect on the Foundation's side?

>> I invited some gifted people with
>> high quality out-of-tree work to become contributors or developers,
>> but due to hostile attitude towards anonymous contributors they
>> can't join. And people want to stay anonymous for good reasons,
>> because they are engaged with privacy oriented development.
> 
> This is a very vague statement that sounds like serious overstatement
> with no proof, aimed purely to force emotional reaction to support your
> proposal.  If you really want to propose something meaningful, I'd
> really appreciate if you used real evidence to support it rather than
> vague claims.
> 
>> We are loosing real people, real contributions and real community.
>> What for? For solving imaginary problems with inappropriate tools.
>>
> 
> Thank you for telling us that copyright is an imaginary problem.
> 

I can't help but agree with the point that we are losing real
contributors and real community. And people whom I talked to didn't
oppose the Foundation's attempt to reduce legal liability. They were
frustrated by the arbitrary enforcement and not having their opinions
heard. The fact that people can get away with using a pseudonym as long
as it reads like a normal person name (for which there is no definition)
is something we have to address to the people who weren't as lucky with
their choice of pseudonym and lost their ability to contribute.

--
gokturk


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 488 bytes --]

Re: [gentoo-project] call for agenda items -- council meeting 2019-04-14

[Alec Warner]

[-- Attachment #1: Type: text/plain, Size: 7670 bytes --]

On Tue, Apr 9, 2019 at 4:18 PM Gokturk Yuksek <gokturk@gentoo.org> wrote:

> Hi,
>
> I'd like to voice my opinion on the matter as well. Full disclosure:
> NP-Hardass is my mentor and I also had a co-maintainer who has been
> distressed by the enforcement of the GLEP.
>
> Michał Górny:
> > On Wed, 2019-04-03 at 17:43 +0300, Andrew Savchenko wrote:
> >> Why? We have no way to verify that provided names are valid or that
> >> provided ID's are valid. At least in my jurisdiction such
> >> information collected can't be used for legal action or protection
> >> without following established government-assisted verification
> >> procedure. In other jurisdictions similar problems may and will
> >> arise.
> >
> > 'Perfect is the enemy of good'.  Claiming that you can't be 100% sure
> > that someone's giving his real name doesn't imply that everyone is using
> > fake names.  Or that it makes no sense to use them.
> >
>
> I understand that but it creates problems with the consistent
> enforcement of the policy. There are no clear guidelines as to how we
> decide who requires identity validation and who doesn't. We don't even
> know who is tasked with making the request and performing the
> validation. If I work with a user and I am convinced that they provide
> their real name, is that sufficient for the foundation? Can I
> arbitrarily be suspicious of any user and demand them to provide their
> identity?
>

So first a preface: I would prefer we accept a name until we have some
reasonable suspicion that it is wrong.
If someone submitted as "boaty mcboatface" it might immediately raise such
a suspicion; but a contributor who contributed as "John Doe" might not. Its
very subjective, yes, and we don't offer better guidelines.

So to your first question, yes its sufficient.
To your second question, you could, but I think that would be wrong and if
I found out I'd probably talk to you about it and if it continued, I'd
probably take some kind of remedial action. The intent is to have a
reasonable suspicion of fraud or wrongdoing, not to do just do it willy
nilly.

That being said I don't intend to forge a policy that is bullet-proof. If I
cannot trust fellow project members to act well, they might as well just
leave the project now. If project members are looking for "a list of rules
to follow" my only rules are "don't be an ass" and if you are told you are
being an ass, maybe listen and take that advice as opposed to objecting.


>
> >> Additional problem is personal data collection, it is
> >> restricted or heavily regulated in many countries. One can't just
> >> demand to show an ID via electronic means without following
> >> complicated data protection procedures which are likely to be
> >> incompatible between jurisdictions.
> >
> > Do you have any proof of that, or are you just basing your comments
> > on the common concept of misunderstanding GDPR and extending it to match
> > your private interest?
> >
>
> At the very least, insecure transportation and storage of legal
> documents has a potential to lead to identity theft, which makes it a
> legal liability in and of itself. I don't think we should be dismissive
> on this point.
>

I don't believe any policies require collecting personal data currently.


>
> >> So the real name requirement gives us no real protection from
> >> possible cases, but creates real and serious problems by kicking
> >> active developers and contributors from further contributions.
> >> NP-Hardass is not the only one.
> >
> > Do you have any proof of that?  As far as I'm concerned, we're pretty
> > clear that NP-Hardass can't contribute to Gentoo, and that his previous
> > contributions shouldn't have been accepted in the first place (and why
> > Trustees agreed to them is another problem).  Are you going to take
> > legal and financial responsibility if his employer claims copyright to
> > his contributions?  And if you say yes, are you going to really take it
> > or go with the forementioned attitude that we can't legally force you
> > to?
> >
>
> I do disagree on this point. I believe the Foundation did take
> appropriate measures to reduce the legal liability when he was
> recruited. I think it should have been clearly explained how he has
> become a legal liability to the Foundation before his access was taken
> away from him.
>

The Foundation has always carried legal risk. Only recently have we
(through the awesome work of ulm@ and others) had a policy to help mitigate
it. These contributors have not 'suddenly become a legal risk' but instead
the community (council and foundation combined) have adopted a more
risk-averse stance by adopting GLEP-76 and that results in some
contributors being unable to contribute. I'm not sure what else needs to be
explained.


>
> You also bring up a more interesting point here. If I work with a user
> who has lied to me about their identity, and their employer decided to
> take it to court, who is liable? Am I at fault for having good faith or
> is it a neglect on the Foundation's side?
>

I'm not a lawyer, so I won't speculate on this specific instance. Having a
policy where commits require a DCO and we take some measure to not accept
contributions when we have knowledge that the DCO is wrong / invalid is
clearly better than our previous policy (which was basically "accept all
contributions.") Whether it is sufficient to prevent any specific legal
suit, I couldn't tell you.


>
> >> I invited some gifted people with
> >> high quality out-of-tree work to become contributors or developers,
> >> but due to hostile attitude towards anonymous contributors they
> >> can't join. And people want to stay anonymous for good reasons,
> >> because they are engaged with privacy oriented development.
> >
> > This is a very vague statement that sounds like serious overstatement
> > with no proof, aimed purely to force emotional reaction to support your
> > proposal.  If you really want to propose something meaningful, I'd
> > really appreciate if you used real evidence to support it rather than
> > vague claims.
> >
> >> We are loosing real people, real contributions and real community.
> >> What for? For solving imaginary problems with inappropriate tools.
> >>
> >
> > Thank you for telling us that copyright is an imaginary problem.
> >
>
> I can't help but agree with the point that we are losing real
> contributors and real community. And people whom I talked to didn't
> oppose the Foundation's attempt to reduce legal liability. They were
> frustrated by the arbitrary enforcement and not having their opinions
> heard. The fact that people can get away with using a pseudonym as long
> as it reads like a normal person name (for which there is no definition)
> is something we have to address to the people who weren't as lucky with
> their choice of pseudonym and lost their ability to contribute.
>

If you want to make a point that Gentoo leadership is bad at making
opposing feelings heard, well I'd probably agree with you (this thread is
one such example.) If you want to make some kind of point that "having an
opinion heard means we change the policy to suit that opinion" then I think
we just disagree on that point. Don't make it out like we made the decision
without thinking of anonymous / pseudonymous contributors; numerous
discussions were had about them and we could not find a way to include them
in the policy.

That doesn't mean we didn't hear their thoughts and objections though.

-A


>
> --
> gokturk
>
>

[-- Attachment #2: Type: text/html, Size: 9553 bytes --]

Re: [gentoo-project] call for agenda items -- council meeting 2019-04-14

[Rich Freeman]

On Tue, Apr 9, 2019 at 4:45 PM Alec Warner <antarus@gentoo.org> wrote:
>
> That being said I don't intend to forge a policy that is bullet-proof. If I cannot trust fellow project members to act well, they might as well just leave the project now.

++

Ultimately if somebody with commit access wants to create trouble
there are a lot of things they can do that are far more harmful than
using a fake name.  I think we just need to be reasonable.

Usually the standard that is used in courts at least in the US is
reasonable care, and it has no hard definition, other than basically
being the amount of care a normal person would exercise to do the
right thing.  If you want to find out whether something is or isn't
reasonable care the easiest way is to get sued, or sue somebody else,
and then after a few years you get an answer, and maybe a judgment.

I think there are probably some legal benefits to requiring a real
name, but personally I think there are more benefits beyond that.  I
think it tends to create a more professional atmosphere when people
are conversing with "Alec Warner" and not "Boaty McBoatface" or
whatever.  Also, having some kind of reputational risk probably does
help cut down on the trolling somewhat.  Maybe...

If you wanted to put Gentoo on your resume would you really want a
potential employer to Google it and find articles by people like
"420forlife?"  I think this sort of thing can help set the tone for
the community.

That's just my opinion...

--
Rich

Re: [gentoo-project] call for agenda items -- council meeting 2019-04-14

[Raymond Jennings]

[-- Attachment #1: Type: text/plain, Size: 3199 bytes --]

The only thing that I can say is that obfuscating one's real identity could
cause problems in the following areas:

1. Accountability in terms of any problems caused, either by malice or
incompetence.  For analogy, using caller ID to trace someone who may or may
not have been spoofing their ID
2. copyright law, which is likely to be obvious in terms of grants or
licenses, especially in the face of the GPL (of any version), and who owns
which copyright can possibly be traced by the inclusion of real life
identity.  This also relates to point 1.
3. people doing gentoo work on company time may well forfeit their
copyright interest to their employer under "work for hire", depending on
jurisdiction and/or what arrangements are made.  Said employer may be able
to veto the wishes of the actual author, and may have their own legal
department/law firm on retainer, and have deeper legal pockets to sue with
if they want to object.  In my opinion, having a "paper trail" of sorts to
follow is essential both to track down legal problems and discourage anyone
from causing them, also in relation to points 1 and 2 above.

The details of how this is achieved is of course up to the proper people,
but my personal opinion is that requiring a linux kernel style "sign-off"
that at a minimum includes the real, legal name of the author of the change
being committed is an important part of the process that at a minimum makes
sure that said author is involved in the process of accountability,
especially if any problems arise from it (legal or technical or otherwise)

On Tue, Apr 9, 2019 at 1:56 PM Rich Freeman <rich0@gentoo.org> wrote:

> On Tue, Apr 9, 2019 at 4:45 PM Alec Warner <antarus@gentoo.org> wrote:
> >
> > That being said I don't intend to forge a policy that is bullet-proof.
> If I cannot trust fellow project members to act well, they might as well
> just leave the project now.
>
> ++
>
> Ultimately if somebody with commit access wants to create trouble
> there are a lot of things they can do that are far more harmful than
> using a fake name.  I think we just need to be reasonable.
>
> Usually the standard that is used in courts at least in the US is
> reasonable care, and it has no hard definition, other than basically
> being the amount of care a normal person would exercise to do the
> right thing.  If you want to find out whether something is or isn't
> reasonable care the easiest way is to get sued, or sue somebody else,
> and then after a few years you get an answer, and maybe a judgment.
>
> I think there are probably some legal benefits to requiring a real
> name, but personally I think there are more benefits beyond that.  I
> think it tends to create a more professional atmosphere when people
> are conversing with "Alec Warner" and not "Boaty McBoatface" or
> whatever.  Also, having some kind of reputational risk probably does
> help cut down on the trolling somewhat.  Maybe...
>
> If you wanted to put Gentoo on your resume would you really want a
> potential employer to Google it and find articles by people like
> "420forlife?"  I think this sort of thing can help set the tone for
> the community.
>
> That's just my opinion...
>
> --
> Rich
>
>

[-- Attachment #2: Type: text/html, Size: 3801 bytes --]

Re: [gentoo-project] call for agenda items -- council meeting 2019-04-14

[Raymond Jennings]

[-- Attachment #1: Type: text/plain, Size: 3822 bytes --]

On Tue, Apr 9, 2019 at 2:03 PM Raymond Jennings <shentino@gmail.com> wrote:

> The only thing that I can say is that obfuscating one's real identity
> could cause problems in the following areas:
>
> 1. Accountability in terms of any problems caused, either by malice or
> incompetence.  For analogy, using caller ID to trace someone who may or may
> not have been spoofing their ID
> 2. copyright law, which is likely to be obvious in terms of grants or
> licenses, especially in the face of the GPL (of any version), and who owns
> which copyright can possibly be traced by the inclusion of real life
> identity.  This also relates to point 1.
> 3. people doing gentoo work on company time may well forfeit their
> copyright interest to their employer under "work for hire", depending on
> jurisdiction and/or what arrangements are made.  Said employer may be able
> to veto the wishes of the actual author, and may have their own legal
> department/law firm on retainer, and have deeper legal pockets to sue with
> if they want to object.  In my opinion, having a "paper trail" of sorts to
> follow is essential both to track down legal problems and discourage anyone
> from causing them, also in relation to points 1 and 2 above.
>
> The details of how this is achieved is of course up to the proper people,
> but my personal opinion is that requiring a linux kernel style "sign-off"
> that at a minimum includes the real, legal name of the author of the change
> being committed is an important part of the process that at a minimum makes
> sure that said author is involved in the process of accountability,
> especially if any problems arise from it (legal or technical or otherwise)
>

Relatedly, I would opine that anyone who intentionally uses a false name
(especially if they get caught) has a possibly rebuttable presumption
against them that they are acting in bad faith and thus less trustworthy.

Accordingly I certainly would not object to punitive/remedial measures
being taken against people who intentionally obfusecate their identity,
especially if it causes problems or makes it harder for them to be held
accountable for it.

>
> On Tue, Apr 9, 2019 at 1:56 PM Rich Freeman <rich0@gentoo.org> wrote:
>
>> On Tue, Apr 9, 2019 at 4:45 PM Alec Warner <antarus@gentoo.org> wrote:
>> >
>> > That being said I don't intend to forge a policy that is bullet-proof.
>> If I cannot trust fellow project members to act well, they might as well
>> just leave the project now.
>>
>> ++
>>
>> Ultimately if somebody with commit access wants to create trouble
>> there are a lot of things they can do that are far more harmful than
>> using a fake name.  I think we just need to be reasonable.
>>
>> Usually the standard that is used in courts at least in the US is
>> reasonable care, and it has no hard definition, other than basically
>> being the amount of care a normal person would exercise to do the
>> right thing.  If you want to find out whether something is or isn't
>> reasonable care the easiest way is to get sued, or sue somebody else,
>> and then after a few years you get an answer, and maybe a judgment.
>>
>> I think there are probably some legal benefits to requiring a real
>> name, but personally I think there are more benefits beyond that.  I
>> think it tends to create a more professional atmosphere when people
>> are conversing with "Alec Warner" and not "Boaty McBoatface" or
>> whatever.  Also, having some kind of reputational risk probably does
>> help cut down on the trolling somewhat.  Maybe...
>>
>> If you wanted to put Gentoo on your resume would you really want a
>> potential employer to Google it and find articles by people like
>> "420forlife?"  I think this sort of thing can help set the tone for
>> the community.
>>
>> That's just my opinion...
>>
>> --
>> Rich
>>
>>

[-- Attachment #2: Type: text/html, Size: 4787 bytes --]

Re: [gentoo-project] call for agenda items -- council meeting 2019-04-14

[Gokturk Yuksek]

[-- Attachment #1.1: Type: text/plain, Size: 9267 bytes --]

Alec Warner:
> On Tue, Apr 9, 2019 at 4:18 PM Gokturk Yuksek <gokturk@gentoo.org> wrote:
> 
>> Hi,
>>
>> I'd like to voice my opinion on the matter as well. Full disclosure:
>> NP-Hardass is my mentor and I also had a co-maintainer who has been
>> distressed by the enforcement of the GLEP.
>>
>> Michał Górny:
>>> On Wed, 2019-04-03 at 17:43 +0300, Andrew Savchenko wrote:
>>>> Why? We have no way to verify that provided names are valid or that
>>>> provided ID's are valid. At least in my jurisdiction such
>>>> information collected can't be used for legal action or protection
>>>> without following established government-assisted verification
>>>> procedure. In other jurisdictions similar problems may and will
>>>> arise.
>>>
>>> 'Perfect is the enemy of good'.  Claiming that you can't be 100% sure
>>> that someone's giving his real name doesn't imply that everyone is using
>>> fake names.  Or that it makes no sense to use them.
>>>
>>
>> I understand that but it creates problems with the consistent
>> enforcement of the policy. There are no clear guidelines as to how we
>> decide who requires identity validation and who doesn't. We don't even
>> know who is tasked with making the request and performing the
>> validation. If I work with a user and I am convinced that they provide
>> their real name, is that sufficient for the foundation? Can I
>> arbitrarily be suspicious of any user and demand them to provide their
>> identity?
>>
> 
> So first a preface: I would prefer we accept a name until we have some
> reasonable suspicion that it is wrong.
> If someone submitted as "boaty mcboatface" it might immediately raise such
> a suspicion; but a contributor who contributed as "John Doe" might not. Its
> very subjective, yes, and we don't offer better guidelines.
> 
> So to your first question, yes its sufficient.

Thanks for clarifying that.

> To your second question, you could, but I think that would be wrong and if
> I found out I'd probably talk to you about it and if it continued, I'd
> probably take some kind of remedial action. The intent is to have a
> reasonable suspicion of fraud or wrongdoing, not to do just do it willy
> nilly.
> 
> That being said I don't intend to forge a policy that is bullet-proof. If I
> cannot trust fellow project members to act well, they might as well just
> leave the project now. If project members are looking for "a list of rules
> to follow" my only rules are "don't be an ass" and if you are told you are
> being an ass, maybe listen and take that advice as opposed to objecting.
> 

My point about the guidelines is for the concern on the receiving party.
I suspect there may be situations where saying "I'm not convinced that
this is a real name of a person. Would you please provide me a proof of
ID?" is perceived offensive. Guidelines published by the Foundation help
developers justify their stance and ease people into compliance, I think.

> 
>>
>>>> Additional problem is personal data collection, it is
>>>> restricted or heavily regulated in many countries. One can't just
>>>> demand to show an ID via electronic means without following
>>>> complicated data protection procedures which are likely to be
>>>> incompatible between jurisdictions.
>>>
>>> Do you have any proof of that, or are you just basing your comments
>>> on the common concept of misunderstanding GDPR and extending it to match
>>> your private interest?
>>>
>>
>> At the very least, insecure transportation and storage of legal
>> documents has a potential to lead to identity theft, which makes it a
>> legal liability in and of itself. I don't think we should be dismissive
>> on this point.
>>
> 
> I don't believe any policies require collecting personal data currently.
> 

If I have suspicions about a contributor's identity, would you advise me
on a method of validation that doesn't require the electronic transfer
of a government approved identification?

> 
>>
>>>> So the real name requirement gives us no real protection from
>>>> possible cases, but creates real and serious problems by kicking
>>>> active developers and contributors from further contributions.
>>>> NP-Hardass is not the only one.
>>>
>>> Do you have any proof of that?  As far as I'm concerned, we're pretty
>>> clear that NP-Hardass can't contribute to Gentoo, and that his previous
>>> contributions shouldn't have been accepted in the first place (and why
>>> Trustees agreed to them is another problem).  Are you going to take
>>> legal and financial responsibility if his employer claims copyright to
>>> his contributions?  And if you say yes, are you going to really take it
>>> or go with the forementioned attitude that we can't legally force you
>>> to?
>>>
>>
>> I do disagree on this point. I believe the Foundation did take
>> appropriate measures to reduce the legal liability when he was
>> recruited. I think it should have been clearly explained how he has
>> become a legal liability to the Foundation before his access was taken
>> away from him.
>>
> 
> The Foundation has always carried legal risk. Only recently have we
> (through the awesome work of ulm@ and others) had a policy to help mitigate
> it. These contributors have not 'suddenly become a legal risk' but instead
> the community (council and foundation combined) have adopted a more
> risk-averse stance by adopting GLEP-76 and that results in some
> contributors being unable to contribute. I'm not sure what else needs to be
> explained.
> 
> 

To the best of my knowledge, the Foundation has a long established
practice of allowing developers to use pseudonyms on the condition that
they reveal their legal identity to the Foundation for legal protection.
Was the exclusion of developers with pseudonyms as per GLEP76 a result
of a conclusion that the Foundation being informed about developers
legal identity wrt copyright infringement carries more risk compared to
their total exclusion from development?

>>
>> You also bring up a more interesting point here. If I work with a user
>> who has lied to me about their identity, and their employer decided to
>> take it to court, who is liable? Am I at fault for having good faith or
>> is it a neglect on the Foundation's side?
>>
> 
> I'm not a lawyer, so I won't speculate on this specific instance. Having a
> policy where commits require a DCO and we take some measure to not accept
> contributions when we have knowledge that the DCO is wrong / invalid is
> clearly better than our previous policy (which was basically "accept all
> contributions.") Whether it is sufficient to prevent any specific legal
> suit, I couldn't tell you.
> 
> 
>>
>>>> I invited some gifted people with
>>>> high quality out-of-tree work to become contributors or developers,
>>>> but due to hostile attitude towards anonymous contributors they
>>>> can't join. And people want to stay anonymous for good reasons,
>>>> because they are engaged with privacy oriented development.
>>>
>>> This is a very vague statement that sounds like serious overstatement
>>> with no proof, aimed purely to force emotional reaction to support your
>>> proposal.  If you really want to propose something meaningful, I'd
>>> really appreciate if you used real evidence to support it rather than
>>> vague claims.
>>>
>>>> We are loosing real people, real contributions and real community.
>>>> What for? For solving imaginary problems with inappropriate tools.
>>>>
>>>
>>> Thank you for telling us that copyright is an imaginary problem.
>>>
>>
>> I can't help but agree with the point that we are losing real
>> contributors and real community. And people whom I talked to didn't
>> oppose the Foundation's attempt to reduce legal liability. They were
>> frustrated by the arbitrary enforcement and not having their opinions
>> heard. The fact that people can get away with using a pseudonym as long
>> as it reads like a normal person name (for which there is no definition)
>> is something we have to address to the people who weren't as lucky with
>> their choice of pseudonym and lost their ability to contribute.
>>
> 
> If you want to make a point that Gentoo leadership is bad at making
> opposing feelings heard, well I'd probably agree with you (this thread is
> one such example.) If you want to make some kind of point that "having an
> opinion heard means we change the policy to suit that opinion" then I think
> we just disagree on that point. Don't make it out like we made the decision
> without thinking of anonymous / pseudonymous contributors; numerous
> discussions were had about them and we could not find a way to include them
> in the policy.
> 
> That doesn't mean we didn't hear their thoughts and objections though.
> 
> -A
> 

Perhaps the people I talked to didn't find the right people to talk to
before me. I'm not trying to paint the leadership as ignorant or bad. I
understand that this is all volunteer work first and foremost. I wasn't
implying to enact a change in the policy on the basis that people's
opinions haven't been sufficiently heard.

> 
>>
>> --
>> gokturk
>>
>>


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 488 bytes --]

Re: [gentoo-project] call for agenda items -- council meeting 2019-04-14

[Michał Górny]

[-- Attachment #1: Type: text/plain, Size: 5580 bytes --]

On Tue, 2019-04-09 at 21:13 +0000, Gokturk Yuksek wrote:
> > To your second question, you could, but I think that would be wrong and if
> > I found out I'd probably talk to you about it and if it continued, I'd
> > probably take some kind of remedial action. The intent is to have a
> > reasonable suspicion of fraud or wrongdoing, not to do just do it willy
> > nilly.
> > 
> > That being said I don't intend to forge a policy that is bullet-proof. If I
> > cannot trust fellow project members to act well, they might as well just
> > leave the project now. If project members are looking for "a list of rules
> > to follow" my only rules are "don't be an ass" and if you are told you are
> > being an ass, maybe listen and take that advice as opposed to objecting.
> > 
> 
> My point about the guidelines is for the concern on the receiving party.
> I suspect there may be situations where saying "I'm not convinced that
> this is a real name of a person. Would you please provide me a proof of
> ID?" is perceived offensive. Guidelines published by the Foundation help
> developers justify their stance and ease people into compliance, I think.
> 
> > > > > Additional problem is personal data collection, it is
> > > > > restricted or heavily regulated in many countries. One can't just
> > > > > demand to show an ID via electronic means without following
> > > > > complicated data protection procedures which are likely to be
> > > > > incompatible between jurisdictions.
> > > > 
> > > > Do you have any proof of that, or are you just basing your comments
> > > > on the common concept of misunderstanding GDPR and extending it to match
> > > > your private interest?
> > > > 
> > > 
> > > At the very least, insecure transportation and storage of legal
> > > documents has a potential to lead to identity theft, which makes it a
> > > legal liability in and of itself. I don't think we should be dismissive
> > > on this point.
> > > 
> > 
> > I don't believe any policies require collecting personal data currently.
> > 
> 
> If I have suspicions about a contributor's identity, would you advise me
> on a method of validation that doesn't require the electronic transfer
> of a government approved identification?

My suggestion would be to use the solution that's been there for years
-- OpenPGP web of trust.  Establish a path of trust and/or keysign with
the person in question.  This naturally involves verifying one's ID,
and reduces the risk of stealing personal data to the minimum.

> > The Foundation has always carried legal risk. Only recently have we
> > (through the awesome work of ulm@ and others) had a policy to help mitigate
> > it. These contributors have not 'suddenly become a legal risk' but instead
> > the community (council and foundation combined) have adopted a more
> > risk-averse stance by adopting GLEP-76 and that results in some
> > contributors being unable to contribute. I'm not sure what else needs to be
> > explained.
> > 
> > 
> 
> To the best of my knowledge, the Foundation has a long established
> practice of allowing developers to use pseudonyms on the condition that
> they reveal their legal identity to the Foundation for legal protection.
> Was the exclusion of developers with pseudonyms as per GLEP76 a result
> of a conclusion that the Foundation being informed about developers
> legal identity wrt copyright infringement carries more risk compared to
> their total exclusion from development?

Did you read the Linux policy?  It is clear: the problem's not
Foundation knowing, it's *community* knowing.  Foundation is just
a temporary opaque body that's going to be dissolved one day.  Code's
going to live much longer, and it needs to be sustainable without having
to refer to secret records of the Foundation.

> > If you want to make a point that Gentoo leadership is bad at making
> > opposing feelings heard, well I'd probably agree with you (this thread is
> > one such example.) If you want to make some kind of point that "having an
> > opinion heard means we change the policy to suit that opinion" then I think
> > we just disagree on that point. Don't make it out like we made the decision
> > without thinking of anonymous / pseudonymous contributors; numerous
> > discussions were had about them and we could not find a way to include them
> > in the policy.
> > 
> > That doesn't mean we didn't hear their thoughts and objections though.
> > 
> Perhaps the people I talked to didn't find the right people to talk to
> before me. I'm not trying to paint the leadership as ignorant or bad. I
> understand that this is all volunteer work first and foremost. I wasn't
> implying to enact a change in the policy on the basis that people's
> opinions haven't been sufficiently heard.
> 

Perhaps the person you talked to don't 'take no for an answer'.
If the policy works for the majority of people, and there are only few
who disagree with it (no matter how much they try to exaggerate it),
and most of those few so far have failed to provide a really good
argument why they can't do it, then I'm sorry but that's just how things
work.

I'm certainly against changing the policy on arguments like 'but I want
to brand myself as X' or 'but you can't prove people are using fake
identities'.  If you really want to push for the latter, I wouldn't mind
making some form of identity verification obligatory for everyone. 
However, I doubt that's the result you want.

-- 
Best regards,
Michał Górny


[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 963 bytes --]

Re: [gentoo-project] call for agenda items -- council meeting 2019-04-14

[Alice Ferrazzi]

The 04/10/2019 09:13, Michał Górny wrote:
> On Tue, 2019-04-09 at 21:13 +0000, Gokturk Yuksek wrote:
> > > To your second question, you could, but I think that would be wrong and if
> > > I found out I'd probably talk to you about it and if it continued, I'd
> > > probably take some kind of remedial action. The intent is to have a
> > > reasonable suspicion of fraud or wrongdoing, not to do just do it willy
> > > nilly.
> > > 
> > > That being said I don't intend to forge a policy that is bullet-proof. If I
> > > cannot trust fellow project members to act well, they might as well just
> > > leave the project now. If project members are looking for "a list of rules
> > > to follow" my only rules are "don't be an ass" and if you are told you are
> > > being an ass, maybe listen and take that advice as opposed to objecting.
> > > 
> > 
> > My point about the guidelines is for the concern on the receiving party.
> > I suspect there may be situations where saying "I'm not convinced that
> > this is a real name of a person. Would you please provide me a proof of
> > ID?" is perceived offensive. Guidelines published by the Foundation help
> > developers justify their stance and ease people into compliance, I think.
> > 
> > > > > > Additional problem is personal data collection, it is
> > > > > > restricted or heavily regulated in many countries. One can't just
> > > > > > demand to show an ID via electronic means without following
> > > > > > complicated data protection procedures which are likely to be
> > > > > > incompatible between jurisdictions.
> > > > > 
> > > > > Do you have any proof of that, or are you just basing your comments
> > > > > on the common concept of misunderstanding GDPR and extending it to match
> > > > > your private interest?
> > > > > 
> > > > 
> > > > At the very least, insecure transportation and storage of legal
> > > > documents has a potential to lead to identity theft, which makes it a
> > > > legal liability in and of itself. I don't think we should be dismissive
> > > > on this point.
> > > > 
> > > 
> > > I don't believe any policies require collecting personal data currently.
> > > 
> > 
> > If I have suspicions about a contributor's identity, would you advise me
> > on a method of validation that doesn't require the electronic transfer
> > of a government approved identification?
> 
> My suggestion would be to use the solution that's been there for years
> -- OpenPGP web of trust.  Establish a path of trust and/or keysign with
> the person in question.  This naturally involves verifying one's ID,
> and reduces the risk of stealing personal data to the minimum.

I'm interested in using OpenPGP for verifying the identity.

> 
> > > The Foundation has always carried legal risk. Only recently have we
> > > (through the awesome work of ulm@ and others) had a policy to help mitigate
> > > it. These contributors have not 'suddenly become a legal risk' but instead
> > > the community (council and foundation combined) have adopted a more
> > > risk-averse stance by adopting GLEP-76 and that results in some
> > > contributors being unable to contribute. I'm not sure what else needs to be
> > > explained.
> > > 
> > > 
> > 
> > To the best of my knowledge, the Foundation has a long established
> > practice of allowing developers to use pseudonyms on the condition that
> > they reveal their legal identity to the Foundation for legal protection.
> > Was the exclusion of developers with pseudonyms as per GLEP76 a result
> > of a conclusion that the Foundation being informed about developers
> > legal identity wrt copyright infringement carries more risk compared to
> > their total exclusion from development?
> 
> Did you read the Linux policy?  It is clear: the problem's not
> Foundation knowing, it's *community* knowing.  Foundation is just
> a temporary opaque body that's going to be dissolved one day.  Code's
> going to live much longer, and it needs to be sustainable without having
> to refer to secret records of the Foundation.

For example the debian project got in same problems in this last 10years
about real names.
In the end they decided to accept pseudonym.
https://nm.debian.org/process/610/keycheck

> 
> > > If you want to make a point that Gentoo leadership is bad at making
> > > opposing feelings heard, well I'd probably agree with you (this thread is
> > > one such example.) If you want to make some kind of point that "having an
> > > opinion heard means we change the policy to suit that opinion" then I think
> > > we just disagree on that point. Don't make it out like we made the decision
> > > without thinking of anonymous / pseudonymous contributors; numerous
> > > discussions were had about them and we could not find a way to include them
> > > in the policy.
> > > 
> > > That doesn't mean we didn't hear their thoughts and objections though.
> > > 
> > Perhaps the people I talked to didn't find the right people to talk to
> > before me. I'm not trying to paint the leadership as ignorant or bad. I
> > understand that this is all volunteer work first and foremost. I wasn't
> > implying to enact a change in the policy on the basis that people's
> > opinions haven't been sufficiently heard.
> > 
> 
> Perhaps the person you talked to don't 'take no for an answer'.
> If the policy works for the majority of people, and there are only few
> who disagree with it (no matter how much they try to exaggerate it),
> and most of those few so far have failed to provide a really good
> argument why they can't do it, then I'm sorry but that's just how things
> work.

If you have any better data, that is not just a presumption please show us.
saying that the majority of people is contributing in Gentoo, is no
meaning. On how many people you are talking about ? you are taking in 
consideration all the Gentoo users?
For me having people quitting Gentoo devs or Gentoo contribution for a
change in GLEP is a big deal, we are already not that many.

That is just how things works for you.

> 
> I'm certainly against changing the policy on arguments like 'but I want
> to brand myself as X' or 'but you can't prove people are using fake
> identities'.  If you really want to push for the latter, I wouldn't mind
> making some form of identity verification obligatory for everyone. 
> However, I doubt that's the result you want.

Happy to ear your personal opinion but not everyone thinks in the same
way as you.
I think the opinion of other people is a valuable opinion whathever they
say.

What I think we want, is more people contributing in Gentoo.



-- 
======================================
Thanks,
Alice Ferrazzi

Gentoo Kernel Project Leader
PGP: 2E4E 0856 461C 0585 1336 F496 5621 A6B2 8638 781A
======================================

Re: [gentoo-project] call for agenda items -- council meeting 2019-04-14

[Michał Górny]

[-- Attachment #1: Type: text/plain, Size: 2748 bytes --]

On Wed, 2019-04-10 at 16:36 +0900, Alice Ferrazzi wrote:
> > Perhaps the person you talked to don't 'take no for an answer'.
> > If the policy works for the majority of people, and there are only few
> > who disagree with it (no matter how much they try to exaggerate it),
> > and most of those few so far have failed to provide a really good
> > argument why they can't do it, then I'm sorry but that's just how things
> > work.
> 
> If you have any better data, that is not just a presumption please show us.
> saying that the majority of people is contributing in Gentoo, is no
> meaning. On how many people you are talking about ? you are taking in 
> consideration all the Gentoo users?

I'm talking about the cases I know of, i.e. cases that were explicitly
raised, including developers and proxy-maint.  If I'm counting
correctly, there were less than 10 of them.  I'm not going to make
a shame list here.  If people want to express their opinion, they are
free to do so.  However, so far it seems that the most people expressing
opinions are 'advocates' who have a lot of nameless claims.

> For me having people quitting Gentoo devs or Gentoo contribution for a
> change in GLEP is a big deal, we are already not that many.

What really matters are users.  One person 'quitting Gentoo devs' is
a small price to pay for a better chance that our users will not be
suddenly hit by a destructive copyright pursuit.

> I'm certainly against changing the policy on arguments like 'but I want
> > to brand myself as X' or 'but you can't prove people are using fake
> > identities'.  If you really want to push for the latter, I wouldn't mind
> > making some form of identity verification obligatory for everyone. 
> > However, I doubt that's the result you want.
> 
> Happy to ear your personal opinion but not everyone thinks in the same
> way as you.
> I think the opinion of other people is a valuable opinion whathever they
> say.

This doesn't add anything.  Just because other people have other
opinions, it doesn't mean their opinions are to be considered higher
than mine.  Or anyone else.

> What I think we want, is more people contributing in Gentoo.

No.  What we want, is improvement for the users.  Improvement is made by
more good activity.  Which may or may not involve 'more people
contributing'.

I know it's not cool to value person's contributions but I'm going to be
blunt: one person doing a lot of good work is worth more than three
contributors who do very little work and a lot of noise about using
their pseudonyms.

And yes, that's my opinion which -- as you have implied -- is not
as valuable as the opinions of those few.

-- 
Best regards,
Michał Górny


[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 963 bytes --]

Re: [gentoo-project] call for agenda items -- council meeting 2019-04-14

[Michael Everitt]

[-- Attachment #1.1: Type: text/plain, Size: 1512 bytes --]

On 10/04/19 08:45, Michał Górny wrote:
> And yes, that's my opinion which -- as you have implied -- is not
> as valuable as the opinions of those few.
>
This and this precisely ... there is a blind assumption, and far too many
records of such, that your opinion carries a disproportionate weight.
Unfortunately for you, this is simply because the other voices are much
quieter, and don't get the 'time of day' and validation that yours do, but
this is not lost on the wider "community". Why should one individual,
whether supported or not, get 'special treatment' over many others, simply
because their voice is loudest, whilst other 'loud voices' are simply
shunned because "they're not Me"...

I'm not putting this very well into English, and the loss in translation is
probably great .. but I think that perhaps a more widely consulted opinion
might be appreciated by the 'wider community' than the same one/two/three
people who constantly have their names in email lists, commit logs and
meeting minutes. Give Someone Else a Try. What's the worst that can
[really] happen??? And if that [actually] happens, how much of it can still
be reverted?? What's the real risk here .. that we've made a straw man or
we might actually solved a [real] problem?? Be daring, be risky, it's this
that has enabled organisations like Google and Facebook to even exist, do
we want to consign Gentoo to the history books for being dogmatic and
inflexible? This is the 21st century, not the 19th ...


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 801 bytes --]

Re: [gentoo-project] call for agenda items -- council meeting 2019-04-14

[Mikle Kolyada]

[-- Attachment #1.1: Type: text/plain, Size: 634 bytes --]



On 10.04.2019 10:13, Michał Górny wrote:
> If the policy works for the majority of people
Majority of what? Council or Trustees?

If the majority keeps silence it does not mean the policy works for
them, but they can just comply without going into details (and you did
not take this into account).
Also, why do you think that legal kind of polices can be accepted by the
people without (as far as I am aware) any legal experience (I mean on
the professional basis)
without prior consulting with people that have professional experience
in the area.

Only if this seems to work does not mean this really works :)


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 488 bytes --]

Re: [gentoo-project] call for agenda items -- council meeting 2019-04-14

[Andreas K. Huettel]

[-- Attachment #1: Type: text/plain, Size: 955 bytes --]

> 
> So first a preface: I would prefer we accept a name until we have some
> reasonable suspicion that it is wrong.
> If someone submitted as "boaty mcboatface" it might immediately raise such
> a suspicion; but a contributor who contributed as "John Doe" might not. Its
> very subjective, yes, and we don't offer better guidelines.
> 

This.

> If you want to make some kind of point that "having an
> opinion heard means we change the policy to suit that opinion" then I think
> we just disagree on that point. Don't make it out like we made the decision
> without thinking of anonymous / pseudonymous contributors; numerous
> discussions were had about them and we could not find a way to include them
> in the policy.
> 
> That doesn't mean we didn't hear their thoughts and objections though.

And this.

-- 
Andreas K. Hüttel
dilfridge@gentoo.org
Gentoo Linux developer 
(council, toolchain, base-system, perl, libreoffice)

[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

Re: [gentoo-project] call for agenda items -- council meeting 2019-04-14

[Ulrich Mueller]

[-- Attachment #1: Type: text/plain, Size: 1547 bytes --]

>>>>> On Tue, 09 Apr 2019, Gokturk Yuksek wrote:

> I understand that but it creates problems with the consistent
> enforcement of the policy. There are no clear guidelines as to how we
> decide who requires identity validation and who doesn't. We don't even
> know who is tasked with making the request and performing the
> validation. If I work with a user and I am convinced that they provide
> their real name, is that sufficient for the foundation? Can I
> arbitrarily be suspicious of any user and demand them to provide their
> identity?

> [...]

> I can't help but agree with the point that we are losing real
> contributors and real community.

So, "real" contributors, but they don't have a real name?

> And people whom I talked to didn't oppose the Foundation's attempt to
> reduce legal liability. They were frustrated by the arbitrary
> enforcement and not having their opinions heard. The fact that people
> can get away with using a pseudonym as long as it reads like a normal
> person name (for which there is no definition) is something we have to
> address to the people who weren't as lucky with their choice of
> pseudonym and lost their ability to contribute.

Really, all these points had been raised before the copyright policy was
approved, and I am sure that both the Council and the Board have
considered them.

Also, what would be the alternative? Signed-off-by lines without a real
name would be meaningless, which basically means that we would accept
any contribution without being able to track its origin.

Ulrich

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 487 bytes --]

Re: [gentoo-project] call for agenda items -- council meeting 2019-04-14

[Gokturk Yuksek]

[-- Attachment #1.1: Type: text/plain, Size: 3085 bytes --]



Ulrich Mueller:
>>>>>> On Tue, 09 Apr 2019, Gokturk Yuksek wrote:
> 
>> I understand that but it creates problems with the consistent
>> enforcement of the policy. There are no clear guidelines as to how we
>> decide who requires identity validation and who doesn't. We don't even
>> know who is tasked with making the request and performing the
>> validation. If I work with a user and I am convinced that they provide
>> their real name, is that sufficient for the foundation? Can I
>> arbitrarily be suspicious of any user and demand them to provide their
>> identity?
> 
>> [...]
> 
>> I can't help but agree with the point that we are losing real
>> contributors and real community.
> 
> So, "real" contributors, but they don't have a real name?
> 

I think you're attributing malicious intent to using a pseudonym. There
are various social and legal reasons as to why someone would use a
pseudonym (that does not include infringing the copyright of an
employer). I was making the argument that people who contribute under a
pseudonym are just as "real" as the contributors who use their legal names.

>> And people whom I talked to didn't oppose the Foundation's attempt to
>> reduce legal liability. They were frustrated by the arbitrary
>> enforcement and not having their opinions heard. The fact that people
>> can get away with using a pseudonym as long as it reads like a normal
>> person name (for which there is no definition) is something we have to
>> address to the people who weren't as lucky with their choice of
>> pseudonym and lost their ability to contribute.
> 
> Really, all these points had been raised before the copyright policy was
> approved, and I am sure that both the Council and the Board have
> considered them.
> 
> Also, what would be the alternative? Signed-off-by lines without a real
> name would be meaningless, which basically means that we would accept
> any contribution without being able to track its origin.
> 

I'd like to (informally) propose the following, for which I'm willing to
formulate as a GLEP proposal if there is interest:

The Foundation has an established practice of storing the legal names of
developers who join under a pseudonym. The infrastructure is already in
place for this. I think that allowing these developers to commit using
their pseudonyms as long as the Foundation is informed their real
identity does not exacerbate the legal risks they already pose. The
foundation may decide their arbitrary criteria on who is eligible for
this type of protection, including requiring sound legal reasons for
them to keep their identities hidden. I understand that the maintenance
of this could be a burden for the Foundation in theory, but in practice
I suspect this number is very low already.

Although it does not address the issue for user contributors who would
like to use a pseudonym, I believe it would still be a step in the right
direction by being more inclusive to existing developers who have been
helping Gentoo for years.

> Ulrich
> 


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 488 bytes --]

Re: [gentoo-project] call for agenda items -- council meeting 2019-04-14

[Kristian Fiskerstrand]

[-- Attachment #1.1: Type: text/plain, Size: 1972 bytes --]

On 4/9/19 11:30 PM, Gokturk Yuksek wrote:
> I'd like to (informally) propose the following, for which I'm willing to
> formulate as a GLEP proposal if there is interest:
> 
> The Foundation has an established practice of storing the legal names of
> developers who join under a pseudonym. The infrastructure is already in
> place for this. I think that allowing these developers to commit using
> their pseudonyms as long as the Foundation is informed their real
> identity does not exacerbate the legal risks they already pose. The
> foundation may decide their arbitrary criteria on who is eligible for
> this type of protection, including requiring sound legal reasons for
> them to keep their identities hidden. I understand that the maintenance
> of this could be a burden for the Foundation in theory, but in practice
> I suspect this number is very low already.
> 
> Although it does not address the issue for user contributors who would
> like to use a pseudonym, I believe it would still be a step in the right
> direction by being more inclusive to existing developers who have been
> helping Gentoo for years.

If you are to provide anything related to this, I'd suggest also
providing (i) a template copyright assignment document that assigns the
copyright of any work to the foundation (will only be valid in countries
where this is allowed, including US), and (ii) a policy document when
the real name can be disclosed when needed (e.g in a court case
disputing the copyright).

There are several non-legal reasons for not allowing pseudonyms as to
how it impacts the community, expectations of security, etc, but from
the legal point of view one thing to consider is e.g
https://cpb-us-e1.wpmucdn.com/sites.suffolk.edu/dist/5/1153/files/2014/12/McJohn-THE-GPL-MEETS-THE-UCC.pdf

-- 
Kristian Fiskerstrand
OpenPGP keyblock reachable at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 488 bytes --]

Re: [gentoo-project] call for agenda items -- council meeting 2019-04-14

[Rich Freeman]

On Tue, Apr 9, 2019 at 5:46 PM Kristian Fiskerstrand <k_f@gentoo.org> wrote:
>
> If you are to provide anything related to this, I'd suggest also
> providing (i) a template copyright assignment document that assigns the
> copyright of any work to the foundation (will only be valid in countries
> where this is allowed, including US), and (ii) a policy document when
> the real name can be disclosed when needed (e.g in a court case
> disputing the copyright).
>

I think that this is starting to go off on a tangent, but a lot has
already been done on that front using the FSFe FLA as a starting
point.  I wouldn't suggest that somebody just create something from
scratch.  (And for those who are worried, the general thinking to date
is that it would be 100% voluntary.)

That said, I really don't see how assignment helps here.  I suggest
taking any discussion around that to a separate thread unless there is
a clear tie-in, and I don't think this is a direction Council is
likely to go in anyway.

-- 
Rich

Re: [gentoo-project] call for agenda items -- council meeting 2019-04-14

[Kristian Fiskerstrand]

[-- Attachment #1.1: Type: text/plain, Size: 1600 bytes --]

On 4/9/19 11:50 PM, Rich Freeman wrote:
> On Tue, Apr 9, 2019 at 5:46 PM Kristian Fiskerstrand <k_f@gentoo.org> wrote:
>>
>> If you are to provide anything related to this, I'd suggest also
>> providing (i) a template copyright assignment document that assigns the
>> copyright of any work to the foundation (will only be valid in countries
>> where this is allowed, including US), and (ii) a policy document when
>> the real name can be disclosed when needed (e.g in a court case
>> disputing the copyright).
>>
> 
> I think that this is starting to go off on a tangent, but a lot has
> already been done on that front using the FSFe FLA as a starting
> point.  I wouldn't suggest that somebody just create something from
> scratch.  (And for those who are worried, the general thinking to date
> is that it would be 100% voluntary.)
> 
> That said, I really don't see how assignment helps here.  I suggest
> taking any discussion around that to a separate thread unless there is
> a clear tie-in, and I don't think this is a direction Council is
> likely to go in anyway.
> 

if the foundation approves pseudonym actors, an assignment from said
person could have legal bearing but the identify wouldn't necessarily
need to be immediately disclosed except an additional tag that the
person has signed an assignment document. of course that presumes that
the rationale for pseudonym isn't copyright avoidance to begin with.

-- 
Kristian Fiskerstrand
OpenPGP keyblock reachable at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 488 bytes --]

Re: [gentoo-project] call for agenda items -- council meeting 2019-04-14

[Kristian Fiskerstrand]

[-- Attachment #1.1: Type: text/plain, Size: 1714 bytes --]

On 4/9/19 11:53 PM, Kristian Fiskerstrand wrote:
> On 4/9/19 11:50 PM, Rich Freeman wrote:
>> On Tue, Apr 9, 2019 at 5:46 PM Kristian Fiskerstrand <k_f@gentoo.org> wrote:
>>>
>>> If you are to provide anything related to this, I'd suggest also
>>> providing (i) a template copyright assignment document that assigns the
>>> copyright of any work to the foundation (will only be valid in countries
>>> where this is allowed, including US), and (ii) a policy document when
>>> the real name can be disclosed when needed (e.g in a court case
>>> disputing the copyright).
>>>
>>
>> I think that this is starting to go off on a tangent, but a lot has
>> already been done on that front using the FSFe FLA as a starting
>> point.  I wouldn't suggest that somebody just create something from
>> scratch.  (And for those who are worried, the general thinking to date
>> is that it would be 100% voluntary.)
>>
>> That said, I really don't see how assignment helps here.  I suggest
>> taking any discussion around that to a separate thread unless there is
>> a clear tie-in, and I don't think this is a direction Council is
>> likely to go in anyway.
>>
> 
> if the foundation approves pseudonym actors, an assignment from said
> person could have legal bearing but the identify wouldn't necessarily

s/identify/identity/

> need to be immediately disclosed except an additional tag that the
> person has signed an assignment document. of course that presumes that
> the rationale for pseudonym isn't copyright avoidance to begin with.
> 


-- 
Kristian Fiskerstrand
OpenPGP keyblock reachable at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 488 bytes --]

Re: [gentoo-project] call for agenda items -- council meeting 2019-04-14

[Michael Everitt]

[-- Attachment #1.1: Type: text/plain, Size: 2568 bytes --]

On 09/04/19 22:53, Kristian Fiskerstrand wrote:
> On 4/9/19 11:50 PM, Rich Freeman wrote:
>> On Tue, Apr 9, 2019 at 5:46 PM Kristian Fiskerstrand <k_f@gentoo.org> wrote:
>>> If you are to provide anything related to this, I'd suggest also
>>> providing (i) a template copyright assignment document that assigns the
>>> copyright of any work to the foundation (will only be valid in countries
>>> where this is allowed, including US), and (ii) a policy document when
>>> the real name can be disclosed when needed (e.g in a court case
>>> disputing the copyright).
>>>
>> I think that this is starting to go off on a tangent, but a lot has
>> already been done on that front using the FSFe FLA as a starting
>> point.  I wouldn't suggest that somebody just create something from
>> scratch.  (And for those who are worried, the general thinking to date
>> is that it would be 100% voluntary.)
>>
>> That said, I really don't see how assignment helps here.  I suggest
>> taking any discussion around that to a separate thread unless there is
>> a clear tie-in, and I don't think this is a direction Council is
>> likely to go in anyway.
>>
> if the foundation approves pseudonym actors, an assignment from said
> person could have legal bearing but the identify wouldn't necessarily
> need to be immediately disclosed except an additional tag that the
> person has signed an assignment document. of course that presumes that
> the rationale for pseudonym isn't copyright avoidance to begin with.
>
Can I take the opportunity to point out, that if legalities are involved, I
am aware of several people who have taken the necessary procedures (and in
some cases, paid for the 'privilege') in order to use their chosen
pseudonym as a legal form of identity. In this case (IANAL), were the
courts to be instructed, I'm sure there would be valid justification for an
appropriate disclosure of required identity documentation to whatever party
it was deemed necessary.

Not all cases are simply ones where a person does not wish to use their
full given name, there are perfectly decent arguments for using a pseudonym
when there could be mild or severe ramifications if their true identity was
in the public domain. I'm thinking as obvious examples of those involved in
security/penetration work, where it may be required, and not simply
desirable to keep ones primary identity confidential. Are we really so
draconian to eliminate these (often very well-skilled individuals) for
making a specialist contribution to Gentoo Linux?!


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 801 bytes --]

Re: [gentoo-project] call for agenda items -- council meeting 2019-04-14

[Kristian Fiskerstrand]

[-- Attachment #1.1: Type: text/plain, Size: 1398 bytes --]

On 4/10/19 12:05 AM, Michael Everitt wrote:
> Not all cases are simply ones where a person does not wish to use their
> full given name, there are perfectly decent arguments for using a pseudonym
> when there could be mild or severe ramifications if their true identity was
> in the public domain. I'm thinking as obvious examples of those involved in
> security/penetration work, where it may be required, and not simply
> desirable to keep ones primary identity confidential. Are we really so
> draconian to eliminate these (often very well-skilled individuals) for
> making a specialist contribution to Gentoo Linux?!

The ultimate goal is to ensure that contributions are actually by the
ones holding a valid copyright, or the contribution being of a license
that is allowed under a license from the copyright holder. As mentioned
in the link in prior post, GPL itself doesn't explicitly exclude the
warranty of non-infridgement under UCC which can have severe legal
consequences if a third party relies on the contribution, and as such
puts Gentoo in a legal liability if we can't reasonably explain such
contributions. As long as the copyright is valid and we can document it,
it is fine, but as soon as things gets murky...

-- 
Kristian Fiskerstrand
OpenPGP keyblock reachable at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 488 bytes --]

Re: [gentoo-project] call for agenda items -- council meeting 2019-04-14

[Chris Reffett]

On 4/9/2019 6:10 PM, Kristian Fiskerstrand wrote:
> On 4/10/19 12:05 AM, Michael Everitt wrote:
>> Not all cases are simply ones where a person does not wish to use their
>> full given name, there are perfectly decent arguments for using a pseudonym
>> when there could be mild or severe ramifications if their true identity was
>> in the public domain. I'm thinking as obvious examples of those involved in
>> security/penetration work, where it may be required, and not simply
>> desirable to keep ones primary identity confidential. Are we really so
>> draconian to eliminate these (often very well-skilled individuals) for
>> making a specialist contribution to Gentoo Linux?!
> 
> The ultimate goal is to ensure that contributions are actually by the
> ones holding a valid copyright, or the contribution being of a license
> that is allowed under a license from the copyright holder. As mentioned
> in the link in prior post, GPL itself doesn't explicitly exclude the
> warranty of non-infridgement under UCC which can have severe legal
> consequences if a third party relies on the contribution, and as such
> puts Gentoo in a legal liability if we can't reasonably explain such
> contributions. As long as the copyright is valid and we can document it,
> it is fine, but as soon as things gets murky...
> 

(Picking one thread to reply to, but this applies to the discussion as a 
whole)

Instead of arguing endlessly about the topic of pseudonyms as a bunch of 
non-experts, why don't we look into having the Foundation pay an 
intellectual property attorney for an opinion on the matter of 
pseudonymous copyright? That would at least get us a somewhat informed 
opinion on the matter.

-creffett

---
This email has been checked for viruses by Avast antivirus software.
https://www.avast.com/antivirus

Re: [gentoo-project] call for agenda items -- council meeting 2019-04-14

[Aaron Bauman]

[-- Attachment #1: Type: text/plain, Size: 1594 bytes --]

On Tue, Apr 09, 2019 at 06:49:11PM -0400, Chris Reffett wrote:
> 
> On 4/9/2019 6:10 PM, Kristian Fiskerstrand wrote:
> > On 4/10/19 12:05 AM, Michael Everitt wrote:
> >> Not all cases are simply ones where a person does not wish to use their
> >> full given name, there are perfectly decent arguments for using a pseudonym
> >> when there could be mild or severe ramifications if their true identity was
> >> in the public domain. I'm thinking as obvious examples of those involved in
> >> security/penetration work, where it may be required, and not simply
> >> desirable to keep ones primary identity confidential. Are we really so
> >> draconian to eliminate these (often very well-skilled individuals) for
> >> making a specialist contribution to Gentoo Linux?!
> > 
> > The ultimate goal is to ensure that contributions are actually by the
> > ones holding a valid copyright, or the contribution being of a license
> > that is allowed under a license from the copyright holder. As mentioned
> > in the link in prior post, GPL itself doesn't explicitly exclude the
> > warranty of non-infridgement under UCC which can have severe legal
> > consequences if a third party relies on the contribution, and as such
> > puts Gentoo in a legal liability if we can't reasonably explain such
> > contributions. As long as the copyright is valid and we can document it,
> > it is fine, but as soon as things gets murky...
> > 
> 

Michael, I would be very intrigued to read about such pseudonyms being
required by cybersecurity folks... references?

-- 
Cheers,
Aaron

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]

Re: [gentoo-project] call for agenda items -- council meeting 2019-04-14

[Michael Everitt]

[-- Attachment #1.1: Type: text/plain, Size: 1965 bytes --]

On 10/04/19 01:17, Aaron Bauman wrote:
> On Tue, Apr 09, 2019 at 06:49:11PM -0400, Chris Reffett wrote:
>> On 4/9/2019 6:10 PM, Kristian Fiskerstrand wrote:
>>> On 4/10/19 12:05 AM, Michael Everitt wrote:
>>>> Not all cases are simply ones where a person does not wish to use their
>>>> full given name, there are perfectly decent arguments for using a pseudonym
>>>> when there could be mild or severe ramifications if their true identity was
>>>> in the public domain. I'm thinking as obvious examples of those involved in
>>>> security/penetration work, where it may be required, and not simply
>>>> desirable to keep ones primary identity confidential. Are we really so
>>>> draconian to eliminate these (often very well-skilled individuals) for
>>>> making a specialist contribution to Gentoo Linux?!
>>> The ultimate goal is to ensure that contributions are actually by the
>>> ones holding a valid copyright, or the contribution being of a license
>>> that is allowed under a license from the copyright holder. As mentioned
>>> in the link in prior post, GPL itself doesn't explicitly exclude the
>>> warranty of non-infridgement under UCC which can have severe legal
>>> consequences if a third party relies on the contribution, and as such
>>> puts Gentoo in a legal liability if we can't reasonably explain such
>>> contributions. As long as the copyright is valid and we can document it,
>>> it is fine, but as soon as things gets murky...
>>>
> Michael, I would be very intrigued to read about such pseudonyms being
> required by cybersecurity folks... references?
>
I was only using that as a [poor] example of ramifications of persons in
high security fields having their public identity freely waved around ..
(depending very much on what that particular field happened to be, and who
you're working for; but now we're splitting hairs as well as building straw
men .. and I'm not sure how thin this straw is ........)


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 801 bytes --]

Re: [gentoo-project] call for agenda items -- council meeting 2019-04-14

[Alice Ferrazzi]

[-- Attachment #1: Type: text/plain, Size: 2850 bytes --]



On April 10, 2019 9:31:26 AM GMT+09:00, Michael Everitt <m.j.everitt@iee.org> wrote:
>On 10/04/19 01:17, Aaron Bauman wrote:
>> On Tue, Apr 09, 2019 at 06:49:11PM -0400, Chris Reffett wrote:
>>> On 4/9/2019 6:10 PM, Kristian Fiskerstrand wrote:
>>>> On 4/10/19 12:05 AM, Michael Everitt wrote:
>>>>> Not all cases are simply ones where a person does not wish to use
>their
>>>>> full given name, there are perfectly decent arguments for using a
>pseudonym
>>>>> when there could be mild or severe ramifications if their true
>identity was
>>>>> in the public domain. I'm thinking as obvious examples of those
>involved in
>>>>> security/penetration work, where it may be required, and not
>simply
>>>>> desirable to keep ones primary identity confidential. Are we
>really so
>>>>> draconian to eliminate these (often very well-skilled individuals)
>for
>>>>> making a specialist contribution to Gentoo Linux?!
>>>> The ultimate goal is to ensure that contributions are actually by
>the
>>>> ones holding a valid copyright, or the contribution being of a
>license
>>>> that is allowed under a license from the copyright holder. As
>mentioned
>>>> in the link in prior post, GPL itself doesn't explicitly exclude
>the
>>>> warranty of non-infridgement under UCC which can have severe legal
>>>> consequences if a third party relies on the contribution, and as
>such
>>>> puts Gentoo in a legal liability if we can't reasonably explain
>such
>>>> contributions. As long as the copyright is valid and we can
>document it,
>>>> it is fine, but as soon as things gets murky...
>>>>
>> Michael, I would be very intrigued to read about such pseudonyms
>being
>> required by cybersecurity folks... references?
>>
>I was only using that as a [poor] example of ramifications of persons
>in
>high security fields having their public identity freely waved around
>..
>(depending very much on what that particular field happened to be, and
>who
>you're working for; but now we're splitting hairs as well as building
>straw
>men .. and I'm not sure how thin this straw is ........)

maybe we could also try contacting the Free Software Foundation on the matters.
This is probably what they are doing.
"""
If a contributor wants the FSF to publish only a pseudonym, that is ok. The contributor should say this, and state the desired pseudonym, when answering the request- form. The actual legal papers will use the real name, but the FSF will publish only the pseudonym. When using one of the other forms, fill in the real name but ask the contributor to discuss the use of a pseudonym with assign@gnu.org before sending back the signed form. [1]
"""
［1］https://www.gnu.org/prep/maintain/html_node/Copyright-Papers.html




-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.

[-- Attachment #2: Type: text/html, Size: 79 bytes --]

Re: [gentoo-project] call for agenda items -- council meeting 2019-04-14

[Andreas K. Huettel]

[-- Attachment #1: Type: text/plain, Size: 1366 bytes --]

> 
> maybe we could also try contacting the Free Software Foundation on the
> matters. This is probably what they are doing.
> """
> If a contributor wants the FSF to publish only a pseudonym, that is ok. The
> contributor should say this, and state the desired pseudonym, when
> answering the request- form. The actual legal papers will use the real
> name, but the FSF will publish only the pseudonym. When using one of the
> other forms, fill in the real name but ask the contributor to discuss the
> use of a pseudonym with assign@gnu.org before sending back the signed form.
> [1] """
> ［1］https://www.gnu.org/prep/maintain/html_node/Copyright-Papers.html

As a side note, this concerns the FSF *copyright assignment*. 

We deliberately decided *not* to do any such assignment (which is void in 
parts of the world anyway) or a FLA (which would be the legally saner 
alternative) since that involves even more paperwork and legalities that can 
be debated to death. 

Now, if someone transfers under a pseudonym his/her rights to a known legal 
body, and that body accepts usage of the pseudonym, then that body can 
contribute the code under its name with the DCO. This just shifts 
accountability though.

-- 
Andreas K. Hüttel
dilfridge@gentoo.org
Gentoo Linux developer 
(council, toolchain, base-system, perl, libreoffice)

[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

Re: [gentoo-project] call for agenda items -- council meeting 2019-04-14

[Michael Orlitzky]

On 4/9/19 6:49 PM, Chris Reffett wrote:
> 
> (Picking one thread to reply to, but this applies to the discussion as a 
> whole)
> 

Same. This is a tough one.

I don't care much at all about the copyright angle. Copyright has always
been a fundamentally inconsistent concept. We all violate copyright law
millions of times a day, and there's no way to avoid that in modern
society. This campaign is simply doing what everyone else does in that
regard: pretend we give a shit, so people don't see us as heretics. The
fact that we've gotten ourselves into a logical pickle here is not
unexpected given that we're trying to play a game that doesn't make any
sense. I'll sleep fine either way.

What I do care about is that ultimately the only form of trust our users
have is based on our reputations. I'm a real person: you can search for
my name, find out where I work, who my friends are, call my girlfriend
and tell her I suck. That's *not* what's keeping me from committing a
backdoor to Gentoo. But that *is* why you trust me not to do it. I have
a few simplified-to-the-point-of-absurdity computer security rules, one
of which goes like "don't run code from anyone you can't find and punch
in the face." To that end, not having a real identity associated with a
developer account is troubling.

But, of course, I like having our pseudonymous contributors around
fixing stuff too.

Re: [gentoo-project] call for agenda items -- council meeting 2019-04-14

[Aaron Bauman]

[-- Attachment #1: Type: text/plain, Size: 1741 bytes --]

On Tue, Apr 09, 2019 at 09:58:39PM -0400, Michael Orlitzky wrote:
> On 4/9/19 6:49 PM, Chris Reffett wrote:
> > 
> > (Picking one thread to reply to, but this applies to the discussion as a 
> > whole)
> > 
> 
> Same. This is a tough one.
> 
> I don't care much at all about the copyright angle. Copyright has always
> been a fundamentally inconsistent concept. We all violate copyright law
> millions of times a day, and there's no way to avoid that in modern
> society. This campaign is simply doing what everyone else does in that
> regard: pretend we give a shit, so people don't see us as heretics. The
> fact that we've gotten ourselves into a logical pickle here is not
> unexpected given that we're trying to play a game that doesn't make any
> sense. I'll sleep fine either way.
> 
> What I do care about is that ultimately the only form of trust our users
> have is based on our reputations. I'm a real person: you can search for
> my name, find out where I work, who my friends are, call my girlfriend
> and tell her I suck. That's *not* what's keeping me from committing a
> backdoor to Gentoo. But that *is* why you trust me not to do it. I have
> a few simplified-to-the-point-of-absurdity computer security rules, one
> of which goes like "don't run code from anyone you can't find and punch
> in the face." To that end, not having a real identity associated with a
> developer account is troubling.
> 
> But, of course, I like having our pseudonymous contributors around
> fixing stuff too.
> 
> 

We all violate laws everyday too, but that doesn't mean the cop won't
stop you for speeding and then do the same when he is off duty.

It is a crazy world we live in.

-- 
Cheers,
Aaron

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]

Re: [gentoo-project] call for agenda items -- council meeting 2019-04-14

[Michał Górny]

[-- Attachment #1: Type: text/plain, Size: 1895 bytes --]

On Tue, 2019-04-09 at 22:07 -0400, Aaron Bauman wrote:
> On Tue, Apr 09, 2019 at 09:58:39PM -0400, Michael Orlitzky wrote:
> > On 4/9/19 6:49 PM, Chris Reffett wrote:
> > > (Picking one thread to reply to, but this applies to the discussion as a 
> > > whole)
> > > 
> > 
> > Same. This is a tough one.
> > 
> > I don't care much at all about the copyright angle. Copyright has always
> > been a fundamentally inconsistent concept. We all violate copyright law
> > millions of times a day, and there's no way to avoid that in modern
> > society. This campaign is simply doing what everyone else does in that
> > regard: pretend we give a shit, so people don't see us as heretics. The
> > fact that we've gotten ourselves into a logical pickle here is not
> > unexpected given that we're trying to play a game that doesn't make any
> > sense. I'll sleep fine either way.
> > 
> > What I do care about is that ultimately the only form of trust our users
> > have is based on our reputations. I'm a real person: you can search for
> > my name, find out where I work, who my friends are, call my girlfriend
> > and tell her I suck. That's *not* what's keeping me from committing a
> > backdoor to Gentoo. But that *is* why you trust me not to do it. I have
> > a few simplified-to-the-point-of-absurdity computer security rules, one
> > of which goes like "don't run code from anyone you can't find and punch
> > in the face." To that end, not having a real identity associated with a
> > developer account is troubling.
> > 
> > But, of course, I like having our pseudonymous contributors around
> > fixing stuff too.
> > 
> > 
> 
> We all violate laws everyday too, but that doesn't mean the cop won't
> stop you for speeding and then do the same when he is off duty.
> 

Now that's an insulting generalization, Sir!


-- 
Best regards,
Michał Górny


[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 963 bytes --]

Re: [gentoo-project] call for agenda items -- council meeting 2019-04-14

[Andreas K. Huettel]

[-- Attachment #1: Type: text/plain, Size: 685 bytes --]

> Instead of arguing endlessly about the topic of pseudonyms as a bunch of
> non-experts, why don't we look into having the Foundation pay an
> intellectual property attorney for an opinion on the matter of
> pseudonymous copyright? That would at least get us a somewhat informed
> opinion on the matter.

I tried going this route behind the scenes long ago.

The two things I learned is
* finding a good lawyer who understands what we need and is willing to give an 
opinion is not easy
* you will get as many different answers as lawyers you ask

-- 
Andreas K. Hüttel
dilfridge@gentoo.org
Gentoo Linux developer 
(council, toolchain, base-system, perl, libreoffice)

[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

Re: [gentoo-project] call for agenda items -- council meeting 2019-04-14

[Alice Ferrazzi]

[-- Attachment #1: Type: text/plain, Size: 3378 bytes --]



On April 10, 2019 6:30:00 AM GMT+09:00, Gokturk Yuksek <gokturk@gentoo.org> wrote:
>
>
>Ulrich Mueller:
>>>>>>> On Tue, 09 Apr 2019, Gokturk Yuksek wrote:
>> 
>>> I understand that but it creates problems with the consistent
>>> enforcement of the policy. There are no clear guidelines as to how
>we
>>> decide who requires identity validation and who doesn't. We don't
>even
>>> know who is tasked with making the request and performing the
>>> validation. If I work with a user and I am convinced that they
>provide
>>> their real name, is that sufficient for the foundation? Can I
>>> arbitrarily be suspicious of any user and demand them to provide
>their
>>> identity?
>> 
>>> [...]
>> 
>>> I can't help but agree with the point that we are losing real
>>> contributors and real community.
>> 
>> So, "real" contributors, but they don't have a real name?
>> 
>
>I think you're attributing malicious intent to using a pseudonym. There
>are various social and legal reasons as to why someone would use a
>pseudonym (that does not include infringing the copyright of an
>employer). I was making the argument that people who contribute under a
>pseudonym are just as "real" as the contributors who use their legal
>names.
>
>>> And people whom I talked to didn't oppose the Foundation's attempt
>to
>>> reduce legal liability. They were frustrated by the arbitrary
>>> enforcement and not having their opinions heard. The fact that
>people
>>> can get away with using a pseudonym as long as it reads like a
>normal
>>> person name (for which there is no definition) is something we have
>to
>>> address to the people who weren't as lucky with their choice of
>>> pseudonym and lost their ability to contribute.
>> 
>> Really, all these points had been raised before the copyright policy
>was
>> approved, and I am sure that both the Council and the Board have
>> considered them.
>> 
>> Also, what would be the alternative? Signed-off-by lines without a
>real
>> name would be meaningless, which basically means that we would accept
>> any contribution without being able to track its origin.
>> 
>
>I'd like to (informally) propose the following, for which I'm willing
>to
>formulate as a GLEP proposal if there is interest:
>
>The Foundation has an established practice of storing the legal names
>of
>developers who join under a pseudonym. The infrastructure is already in
>place for this. I think that allowing these developers to commit using
>their pseudonyms as long as the Foundation is informed their real
>identity does not exacerbate the legal risks they already pose. The
>foundation may decide their arbitrary criteria on who is eligible for
>this type of protection, including requiring sound legal reasons for
>them to keep their identities hidden. I understand that the maintenance
>of this could be a burden for the Foundation in theory, but in practice
>I suspect this number is very low already.
>
>Although it does not address the issue for user contributors who would
>like to use a pseudonym, I believe it would still be a step in the
>right
>direction by being more inclusive to existing developers who have been
>helping Gentoo for years.
>

I support the idea of Gentoo being more inclusive.

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.

[-- Attachment #2: Type: text/html, Size: 79 bytes --]

Re: [gentoo-project] call for agenda items -- council meeting 2019-04-14

[Aaron Bauman]

[-- Attachment #1: Type: text/plain, Size: 494 bytes --]

On Wed, Apr 10, 2019 at 10:15:26AM +0900, Alice Ferrazzi wrote:
> 
> I support the idea of Gentoo being more inclusive.
> 
> -- 
> Sent from my Android device with K-9 Mail. Please excuse my brevity.

Simply stating that someone or something should be more inclusive does
not make it legal or remove potential ramifications.

As most that voted "yay" for GLEP76 have stated, they would enjoy more
inclusiveness as well.  We don't make the laws unfortunately.

-- 
Cheers,
Aaron

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]

Re: [gentoo-project] call for agenda items -- council meeting 2019-04-14

[Alice Ferrazzi]

The 04/09/2019 21:30, Aaron Bauman wrote:
> On Wed, Apr 10, 2019 at 10:15:26AM +0900, Alice Ferrazzi wrote:
> > 
> > I support the idea of Gentoo being more inclusive.
> > 
> > -- 
> > Sent from my Android device with K-9 Mail. Please excuse my brevity.
> 
> Simply stating that someone or something should be more inclusive does
> not make it legal or remove potential ramifications.
> 
> As most that voted "yay" for GLEP76 have stated, they would enjoy more
> inclusiveness as well.  We don't make the laws unfortunately.
> 

I was just stating my personal opinion on the matter
and my support on what Gokturk wrote.


-- 
======================================
Thanks,
Alice Ferrazzi

Gentoo Kernel Project Leader
PGP: 2E4E 0856 461C 0585 1336 F496 5621 A6B2 8638 781A
======================================

Re: [gentoo-project] call for agenda items -- council meeting 2019-04-14

[Aaron Bauman]

[-- Attachment #1: Type: text/plain, Size: 1103 bytes --]

On Wed, Apr 10, 2019 at 10:47:11AM +0900, Alice Ferrazzi wrote:
> The 04/09/2019 21:30, Aaron Bauman wrote:
> > On Wed, Apr 10, 2019 at 10:15:26AM +0900, Alice Ferrazzi wrote:
> > > 
> > > I support the idea of Gentoo being more inclusive.
> > > 
> > > -- 
> > > Sent from my Android device with K-9 Mail. Please excuse my brevity.
> > 
> > Simply stating that someone or something should be more inclusive does
> > not make it legal or remove potential ramifications.
> > 
> > As most that voted "yay" for GLEP76 have stated, they would enjoy more
> > inclusiveness as well.  We don't make the laws unfortunately.
> > 
> 
> I was just stating my personal opinion on the matter
> and my support on what Gokturk wrote.
> 
> 
> -- 
> ======================================
> Thanks,
> Alice Ferrazzi
> 
> Gentoo Kernel Project Leader
> PGP: 2E4E 0856 461C 0585 1336 F496 5621 A6B2 8638 781A
> ======================================
> 

Understood.  I agree with you as well and I stand with Alec when stating
that if there is a way then let's do it.

-- 
Cheers,
Aaron

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]

Re: [gentoo-project] call for agenda items -- council meeting 2019-04-14

[Andreas K. Huettel]

[-- Attachment #1: Type: text/plain, Size: 231 bytes --]

> 
> I support the idea of Gentoo being more inclusive.

Can we please keep irrelevant buzzwords out?

-- 
Andreas K. Hüttel
dilfridge@gentoo.org
Gentoo Linux developer 
(council, toolchain, base-system, perl, libreoffice)

[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

Re: [gentoo-project] call for agenda items -- council meeting 2019-04-14

[Andrew Savchenko]

[-- Attachment #1: Type: text/plain, Size: 508 bytes --]

On Sun, 14 Apr 2019 16:11:50 +0200 Andreas K. Huettel wrote:
> > 
> > I support the idea of Gentoo being more inclusive.
> 
> Can we please keep irrelevant buzzwords out?

There is nothing irrelevant here. Gentoo is kicking people who
want to contribute because doesn't want to respect their privacy
because of some imaginary problems which were never appeared or
tested in real life. This makes Gentoo exclusive to those who want
their authorship to be public.

Best regards,
Andrew Savchenko

[-- Attachment #2: Type: application/pgp-signature, Size: 833 bytes --]

Re: [gentoo-project] call for agenda items -- council meeting 2019-04-14

[Aaron Bauman]

[-- Attachment #1: Type: text/plain, Size: 1067 bytes --]

On Sun, Apr 14, 2019 at 06:28:15PM +0300, Andrew Savchenko wrote:
> On Sun, 14 Apr 2019 16:11:50 +0200 Andreas K. Huettel wrote:
> > > 
> > > I support the idea of Gentoo being more inclusive.
> > 
> > Can we please keep irrelevant buzzwords out?
> 
> There is nothing irrelevant here. Gentoo is kicking people who
> want to contribute because doesn't want to respect their privacy
> because of some imaginary problems which were never appeared or
> tested in real life. This makes Gentoo exclusive to those who want
> their authorship to be public.
> 
> Best regards,
> Andrew Savchenko

Andrew, it is not imaginary.  Playing the emotional game doesn't help
either.  I am fairly certain all of those who had to make this decision
have expressed their willingness to change it should it be supported
legally.  It simply is not.

If you believe it is supported legally then please provide such
evidence.  This decision was not arrived at lightly and I am confident
enough to state that on behalf of both bodies involved.

-- 
Cheers,
Aaron

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]

Re: [gentoo-project] call for agenda items -- council meeting 2019-04-14

[Andrew Savchenko]

[-- Attachment #1: Type: text/plain, Size: 1706 bytes --]

On Sun, 14 Apr 2019 11:48:06 -0400 Aaron Bauman wrote:
> On Sun, Apr 14, 2019 at 06:28:15PM +0300, Andrew Savchenko wrote:
> > On Sun, 14 Apr 2019 16:11:50 +0200 Andreas K. Huettel wrote:
> > > > 
> > > > I support the idea of Gentoo being more inclusive.
> > > 
> > > Can we please keep irrelevant buzzwords out?
> > 
> > There is nothing irrelevant here. Gentoo is kicking people who
> > want to contribute because doesn't want to respect their privacy
> > because of some imaginary problems which were never appeared or
> > tested in real life. This makes Gentoo exclusive to those who want
> > their authorship to be public.
> > 
> > Best regards,
> > Andrew Savchenko
> 
> Andrew, it is not imaginary.  Playing the emotional game doesn't help
> either.  I am fairly certain all of those who had to make this decision
> have expressed their willingness to change it should it be supported
> legally.  It simply is not.

If it is not imaginary please provide a court case against Gentoo
or other free software distribution on this matter and some
evidence that proposed signed-off real name attribution played a
measurable effect.

As far as I can see this whole story is pure speculation of:
1) what may happen
2) what will help if 1) is to happen.

So far I saw zero practical evidence on both points.

> If you believe it is supported legally then please provide such
> evidence.  This decision was not arrived at lightly and I am confident
> enough to state that on behalf of both bodies involved.

I see no evidence that we have a mandatory legal requirement to put
real names under commit attributions in the first place. 

Best regards,
Andrew Savchenko

[-- Attachment #2: Type: application/pgp-signature, Size: 833 bytes --]

Re: [gentoo-project] call for agenda items -- council meeting 2019-04-14

[Michał Górny]

[-- Attachment #1: Type: text/plain, Size: 1715 bytes --]

On Sun, 2019-04-14 at 19:13 +0300, Andrew Savchenko wrote:
> On Sun, 14 Apr 2019 11:48:06 -0400 Aaron Bauman wrote:
> > On Sun, Apr 14, 2019 at 06:28:15PM +0300, Andrew Savchenko wrote:
> > > On Sun, 14 Apr 2019 16:11:50 +0200 Andreas K. Huettel wrote:
> > > > > I support the idea of Gentoo being more inclusive.
> > > > 
> > > > Can we please keep irrelevant buzzwords out?
> > > 
> > > There is nothing irrelevant here. Gentoo is kicking people who
> > > want to contribute because doesn't want to respect their privacy
> > > because of some imaginary problems which were never appeared or
> > > tested in real life. This makes Gentoo exclusive to those who want
> > > their authorship to be public.
> > > 
> > > Best regards,
> > > Andrew Savchenko
> > 
> > Andrew, it is not imaginary.  Playing the emotional game doesn't help
> > either.  I am fairly certain all of those who had to make this decision
> > have expressed their willingness to change it should it be supported
> > legally.  It simply is not.
> 
> If it is not imaginary please provide a court case against Gentoo
> or other free software distribution on this matter and some
> evidence that proposed signed-off real name attribution played a
> measurable effect.
> 
> As far as I can see this whole story is pure speculation of:
> 1) what may happen
> 2) what will help if 1) is to happen.
> 
> So far I saw zero practical evidence on both points.

So to summarize, you're claiming that you're allowed to do anything
as long as the other person can't prove somebody has already been
punished for the same thing?  I suppose that's a pretty interesting
concept of law.

-- 
Best regards,
Michał Górny


[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 963 bytes --]

Re: [gentoo-project] call for agenda items -- council meeting 2019-04-14

[Andrew Savchenko]

[-- Attachment #1: Type: text/plain, Size: 1993 bytes --]

On Sun, 14 Apr 2019 18:41:13 +0200 Michał Górny wrote:
> On Sun, 2019-04-14 at 19:13 +0300, Andrew Savchenko wrote:
> > On Sun, 14 Apr 2019 11:48:06 -0400 Aaron Bauman wrote:
> > > On Sun, Apr 14, 2019 at 06:28:15PM +0300, Andrew Savchenko wrote:
> > > > On Sun, 14 Apr 2019 16:11:50 +0200 Andreas K. Huettel wrote:
> > > > > > I support the idea of Gentoo being more inclusive.
> > > > > 
> > > > > Can we please keep irrelevant buzzwords out?
> > > > 
> > > > There is nothing irrelevant here. Gentoo is kicking people who
> > > > want to contribute because doesn't want to respect their privacy
> > > > because of some imaginary problems which were never appeared or
> > > > tested in real life. This makes Gentoo exclusive to those who want
> > > > their authorship to be public.
> > > > 
> > > > Best regards,
> > > > Andrew Savchenko
> > > 
> > > Andrew, it is not imaginary.  Playing the emotional game doesn't help
> > > either.  I am fairly certain all of those who had to make this decision
> > > have expressed their willingness to change it should it be supported
> > > legally.  It simply is not.
> > 
> > If it is not imaginary please provide a court case against Gentoo
> > or other free software distribution on this matter and some
> > evidence that proposed signed-off real name attribution played a
> > measurable effect.
> > 
> > As far as I can see this whole story is pure speculation of:
> > 1) what may happen
> > 2) what will help if 1) is to happen.
> > 
> > So far I saw zero practical evidence on both points.
> 
> So to summarize, you're claiming that you're allowed to do anything
> as long as the other person can't prove somebody has already been
> punished for the same thing?  I suppose that's a pretty interesting
> concept of law.

Do not twist my words. I'm asking for either a court case or an
exact citation of the law which demands us to provide real names
for all commits.

Best regards,
Andrew Savchenko

[-- Attachment #2: Type: application/pgp-signature, Size: 833 bytes --]

Re: [gentoo-project] call for agenda items -- council meeting 2019-04-14

[Ulrich Mueller]

[-- Attachment #1: Type: text/plain, Size: 2295 bytes --]

>>>>> On Tue, 09 Apr 2019, Gokturk Yuksek wrote:

> Ulrich Mueller:
>> So, "real" contributors, but they don't have a real name?

> I think you're attributing malicious intent to using a pseudonym.

I haven't said that.

> There are various social and legal reasons as to why someone would use
> a pseudonym (that does not include infringing the copyright of an
> employer). I was making the argument that people who contribute under
> a pseudonym are just as "real" as the contributors who use their legal
> names.

That might well be, but the point is that we cannot verify it, which
means that the copyright status of such anonymous or pseudonymous
contributions is basically unknown.

> I'd like to (informally) propose the following, for which I'm willing
> to formulate as a GLEP proposal if there is interest:

> The Foundation has an established practice of storing the legal names
> of developers who join under a pseudonym. The infrastructure is
> already in place for this. I think that allowing these developers to
> commit using their pseudonyms as long as the Foundation is informed
> their real identity does not exacerbate the legal risks they already
> pose. The foundation may decide their arbitrary criteria on who is
> eligible for this type of protection, including requiring sound legal
> reasons for them to keep their identities hidden. I understand that
> the maintenance of this could be a burden for the Foundation in
> theory, but in practice I suspect this number is very low already.

That doesn't work, because there would be no way for a person outside of
the Foundation to verify such identities.

Again, all of this had been discussed before the policy was accepted.
Neither are real names a new thing introduced by GLEP 76, but they were
required for ebuild developers since 15 years by recruiters' policy [1]:

   "Real names must be provided for all developers, including
   infrastructure and documentation. Any exceptions to this for
   extenuating circumstances will be considered on a case-by-case basis.
   No exceptions will be made for people doing copyrightable work
   (ebuilds, software, scripts, etc.)."

Ulrich

[1] https://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo/xml/htdocs/proj/en/devrel/recruiters/index.xml?revision=1.15&view=markup#l71

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 487 bytes --]

Re: [gentoo-project] call for agenda items -- council meeting 2019-04-14

[Ulrich Mueller]

[-- Attachment #1: Type: text/plain, Size: 1317 bytes --]

>>>>> On Wed, 10 Apr 2019, Ulrich Mueller wrote:

>>>>> On Tue, 09 Apr 2019, Gokturk Yuksek wrote:

> I'd like to (informally) propose the following, for which I'm willing
> to formulate as a GLEP proposal if there is interest:

> The Foundation has an established practice of storing the legal names
> of developers who join under a pseudonym. The infrastructure is
> already in place for this. I think that allowing these developers to
> commit using their pseudonyms as long as the Foundation is informed
> their real identity does not exacerbate the legal risks they already
> pose. The foundation may decide their arbitrary criteria on who is
> eligible for this type of protection, including requiring sound legal
> reasons for them to keep their identities hidden. I understand that
> the maintenance of this could be a burden for the Foundation in
> theory, but in practice I suspect this number is very low already.

That doesn't work, because there would be no way for a person outside of
the Foundation to verify such identities.

To clarify, I won't be opposed against making a specific exception and
"grandfathering" any devs who had commit access before the cut-off date
when GLEP 76 was implemented.

However, going forward, we shouldn't allow any further exceptions from
the real name policy.

Ulrich

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 487 bytes --]

Re: [gentoo-project] call for agenda items -- council meeting 2019-04-14

[Alice Ferrazzi]

The 04/10/2019 07:59, Ulrich Mueller wrote:
> >>>>> On Wed, 10 Apr 2019, Ulrich Mueller wrote:
> 
> >>>>> On Tue, 09 Apr 2019, Gokturk Yuksek wrote:
> 
> > I'd like to (informally) propose the following, for which I'm willing
> > to formulate as a GLEP proposal if there is interest:
> 
> > The Foundation has an established practice of storing the legal names
> > of developers who join under a pseudonym. The infrastructure is
> > already in place for this. I think that allowing these developers to
> > commit using their pseudonyms as long as the Foundation is informed
> > their real identity does not exacerbate the legal risks they already
> > pose. The foundation may decide their arbitrary criteria on who is
> > eligible for this type of protection, including requiring sound legal
> > reasons for them to keep their identities hidden. I understand that
> > the maintenance of this could be a burden for the Foundation in
> > theory, but in practice I suspect this number is very low already.
> 
> That doesn't work, because there would be no way for a person outside of
> the Foundation to verify such identities.
> 
There is no way also for foundation to check all sign-off are assigned
to real legal names.

> To clarify, I won't be opposed against making a specific exception and
> "grandfathering" any devs who had commit access before the cut-off date
> when GLEP 76 was implemented.
> 

I propose foundation to vote for add the use of pseudonym in the GLEP 76.
For keeping Gentoo a confortable and inclusive place.

> However, going forward, we shouldn't allow any further exceptions from
> the real name policy.
> 

who said that we cannot allow any further excepions from the real name
policy?

-- 
======================================
Thanks,
Alice Ferrazzi

Gentoo Kernel Project Leader
PGP: 2E4E 0856 461C 0585 1336 F496 5621 A6B2 8638 781A
======================================

Re: [gentoo-project] call for agenda items -- council meeting 2019-04-14

[Ulrich Mueller]

[-- Attachment #1: Type: text/plain, Size: 873 bytes --]

>>>>> On Wed, 10 Apr 2019, Alice Ferrazzi wrote:

> The 04/10/2019 07:59, Ulrich Mueller wrote:
>> To clarify, I won't be opposed against making a specific exception
>> and "grandfathering" any devs who had commit access before the
>> cut-off date when GLEP 76 was implemented.

> I propose foundation to vote for add the use of pseudonym in the GLEP 76.
> For keeping Gentoo a confortable and inclusive place.

If case that would be accepted, I would ask to be taken off its author
list. I don't want to be associated with a policy that has been watered
down into meaninglessness.

>> However, going forward, we shouldn't allow any further exceptions
>> from the real name policy.

> who said that we cannot allow any further excepions from the real name
> policy?

IMHO it is a decision by the same bodies that have accepted GLEP 76,
namely Council and Trustees.

Ulrich

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 487 bytes --]

Re: [gentoo-project] call for agenda items -- council meeting 2019-04-14

[Alec Warner]

[-- Attachment #1: Type: text/plain, Size: 3789 bytes --]

On Wed, Apr 10, 2019 at 2:17 AM Alice Ferrazzi <alicef@gentoo.org> wrote:

> The 04/10/2019 07:59, Ulrich Mueller wrote:
> > >>>>> On Wed, 10 Apr 2019, Ulrich Mueller wrote:
> >
> > >>>>> On Tue, 09 Apr 2019, Gokturk Yuksek wrote:
> >
> > > I'd like to (informally) propose the following, for which I'm willing
> > > to formulate as a GLEP proposal if there is interest:
> >
> > > The Foundation has an established practice of storing the legal names
> > > of developers who join under a pseudonym. The infrastructure is
> > > already in place for this. I think that allowing these developers to
> > > commit using their pseudonyms as long as the Foundation is informed
> > > their real identity does not exacerbate the legal risks they already
> > > pose. The foundation may decide their arbitrary criteria on who is
> > > eligible for this type of protection, including requiring sound legal
> > > reasons for them to keep their identities hidden. I understand that
> > > the maintenance of this could be a burden for the Foundation in
> > > theory, but in practice I suspect this number is very low already.
> >
> > That doesn't work, because there would be no way for a person outside of
> > the Foundation to verify such identities.
> >
> There is no way also for foundation to check all sign-off are assigned
> to real legal names.
>

So these are two separate points. I don't quite understand Ulm's point but
it is different than the point you are raising.

Your point seems to be that somehow the "Foundation must be able to check
if all sign-offs are signed by a legal name." We already made it clear we
don't do this checking. That doesn't mean its OK to use an pseudonym (it is
not, and doing so violates the policy.) If we later find out people violate
the policy, we don't accept commits from them anymore. You can call the
system crappy or whatever, but its the system we have in place. today.

Ulm's point seems to be about transparency: "there would be no way for a
person outside of the Foundation to verify such identities." I'm not sure
the entire usefulness of such a use case (do people care about being able
to do this?)

Putting the above points aside for a moment the Foundation has had a policy
of shielding specific contributors from having their identity made public.
I can't say with a straight face that "the infrastructure is already in
place for this" (it really isn't) nor can I say that the Foundation has any
written policies about how to safeguard, share, divulge, or otherwise use
this information and instead it has ridden on the spoken words of various
Foundation officials in the past. Its not something I'd want to build upon.


> > To clarify, I won't be opposed against making a specific exception and
> > "grandfathering" any devs who had commit access before the cut-off date
> > when GLEP 76 was implemented.
> >
>
> I propose foundation to vote for add the use of pseudonym in the GLEP 76.
> For keeping Gentoo a confortable and inclusive place.
>
> > However, going forward, we shouldn't allow any further exceptions from
> > the real name policy.
> >
>

I'm not especially keen on grandfathering people into the project in this
way because I think it defers the problem. Pseudonymous contributors want
to contribute but cannot. Letting in people who happened to be contributors
before glep 76 doesn't solve this problem, it just defers it in the hopes
that new contributors who fall into this bucket get dissuaded before they
push for changes.


>
> who said that we cannot allow any further excepions from the real name
> policy?
>
> --
> ======================================
> Thanks,
> Alice Ferrazzi
>
> Gentoo Kernel Project Leader
> PGP: 2E4E 0856 461C 0585 1336 F496 5621 A6B2 8638 781A
> ======================================
>
>

[-- Attachment #2: Type: text/html, Size: 4921 bytes --]

Re: [gentoo-project] call for agenda items -- council meeting 2019-04-14

[Gokturk Yuksek]

[-- Attachment #1.1: Type: text/plain, Size: 5265 bytes --]



Alec Warner:
> On Wed, Apr 10, 2019 at 2:17 AM Alice Ferrazzi <alicef@gentoo.org> wrote:
> 
>> The 04/10/2019 07:59, Ulrich Mueller wrote:
>>>>>>>> On Wed, 10 Apr 2019, Ulrich Mueller wrote:
>>>
>>>>>>>> On Tue, 09 Apr 2019, Gokturk Yuksek wrote:
>>>
>>>> I'd like to (informally) propose the following, for which I'm willing
>>>> to formulate as a GLEP proposal if there is interest:
>>>
>>>> The Foundation has an established practice of storing the legal names
>>>> of developers who join under a pseudonym. The infrastructure is
>>>> already in place for this. I think that allowing these developers to
>>>> commit using their pseudonyms as long as the Foundation is informed
>>>> their real identity does not exacerbate the legal risks they already
>>>> pose. The foundation may decide their arbitrary criteria on who is
>>>> eligible for this type of protection, including requiring sound legal
>>>> reasons for them to keep their identities hidden. I understand that
>>>> the maintenance of this could be a burden for the Foundation in
>>>> theory, but in practice I suspect this number is very low already.
>>>
>>> That doesn't work, because there would be no way for a person outside of
>>> the Foundation to verify such identities.
>>>
>> There is no way also for foundation to check all sign-off are assigned
>> to real legal names.
>>
> 
> So these are two separate points. I don't quite understand Ulm's point but
> it is different than the point you are raising.
> 
> Your point seems to be that somehow the "Foundation must be able to check
> if all sign-offs are signed by a legal name." We already made it clear we
> don't do this checking. That doesn't mean its OK to use an pseudonym (it is
> not, and doing so violates the policy.) If we later find out people violate
> the policy, we don't accept commits from them anymore. You can call the
> system crappy or whatever, but its the system we have in place. today.
> 
> Ulm's point seems to be about transparency: "there would be no way for a
> person outside of the Foundation to verify such identities." I'm not sure
> the entire usefulness of such a use case (do people care about being able
> to do this?)
> 
> Putting the above points aside for a moment the Foundation has had a policy
> of shielding specific contributors from having their identity made public.
> I can't say with a straight face that "the infrastructure is already in
> place for this" (it really isn't) nor can I say that the Foundation has any
> written policies about how to safeguard, share, divulge, or otherwise use
> this information and instead it has ridden on the spoken words of various
> Foundation officials in the past. Its not something I'd want to build upon.
> 
> 
>>> To clarify, I won't be opposed against making a specific exception and
>>> "grandfathering" any devs who had commit access before the cut-off date
>>> when GLEP 76 was implemented.
>>>
>>
>> I propose foundation to vote for add the use of pseudonym in the GLEP 76.
>> For keeping Gentoo a confortable and inclusive place.
>>
>>> However, going forward, we shouldn't allow any further exceptions from
>>> the real name policy.
>>>
>>
> 
> I'm not especially keen on grandfathering people into the project in this
> way because I think it defers the problem. Pseudonymous contributors want
> to contribute but cannot. Letting in people who happened to be contributors
> before glep 76 doesn't solve this problem, it just defers it in the hopes
> that new contributors who fall into this bucket get dissuaded before they
> push for changes.
> 
> 

I see the concern of setting a precedent here. I also support more
transparency, and am not advocating that we include more anonymous
developers. I'd like to make a few clarifications:

- I believe the necessity for a pseudonym must be justified to the
Foundation. Therefore, I'm not suggesting that people should remain
anonymous for arbitrary reasons. I am also **not** suggesting that we
get rid of the DCO.

- Grandfathering the existing devs does not set a precedent for future
devs who'd like to join under a pseudonym. The situation is more complex
than that: since users are not allowed to contribute under a pseudonym,
they'd have to disclose their legal name even before they become a
developer. In the rare case that a user with no contributions somehow
finds a mentor and applies to become a dev, the recruitment process
requires the candidate to submit a fix to an existing bug (unless this
process has changed). The fix would naturally require them to disclose
their real name, and would defeat the purpose of joining under a
pseudonym. I hope this addresses the concern about setting a precedent.

- I'm only advocating for repurposing an already existing system (that
is the pseudonym mechanism offered by the Foundation) to bring back
developers who have been impacted by GLEP 76, so long as they have valid
reasons (based on what the Foundation deems "valid") to maintain their
pseudonymity. As such, I expect the extra maintenance burden on the
Foundation to be minimal and I'm willing to work out the details (such
as what k_f brought up before).

--
gokturk


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 488 bytes --]

Re: [gentoo-project] call for agenda items -- council meeting 2019-04-14

[Andreas K. Huettel]

[-- Attachment #1: Type: text/plain, Size: 718 bytes --]

> - I believe the necessity for a pseudonym must be justified to the
> Foundation. Therefore, I'm not suggesting that people should remain
> anonymous for arbitrary reasons. I am also **not** suggesting that we
> get rid of the DCO.

So let's assume I'm a foundation officer, sign some non-disclosure papers, and 
get told in detail why someone absolutely has to use a pseudonym. 

I can't tell my trustee colleagues the details. The final decision has to be 
made by a vote though, since that's how decisions are made there. On what base 
should my colleagues make their decision?

-- 
Andreas K. Hüttel
dilfridge@gentoo.org
Gentoo Linux developer 
(council, toolchain, base-system, perl, libreoffice)

[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

Re: [gentoo-project] call for agenda items -- council meeting 2019-04-14

[Michał Górny]

[-- Attachment #1: Type: text/plain, Size: 2196 bytes --]

On Wed, 2019-04-10 at 15:27 +0900, Alice Ferrazzi wrote:
> The 04/10/2019 07:59, Ulrich Mueller wrote:
> > > > > > > On Wed, 10 Apr 2019, Ulrich Mueller wrote:
> > > > > > > On Tue, 09 Apr 2019, Gokturk Yuksek wrote:
> > > I'd like to (informally) propose the following, for which I'm willing
> > > to formulate as a GLEP proposal if there is interest:
> > > The Foundation has an established practice of storing the legal names
> > > of developers who join under a pseudonym. The infrastructure is
> > > already in place for this. I think that allowing these developers to
> > > commit using their pseudonyms as long as the Foundation is informed
> > > their real identity does not exacerbate the legal risks they already
> > > pose. The foundation may decide their arbitrary criteria on who is
> > > eligible for this type of protection, including requiring sound legal
> > > reasons for them to keep their identities hidden. I understand that
> > > the maintenance of this could be a burden for the Foundation in
> > > theory, but in practice I suspect this number is very low already.
> > 
> > That doesn't work, because there would be no way for a person outside of
> > the Foundation to verify such identities.
> > 
> There is no way also for foundation to check all sign-off are assigned
> to real legal names.
> 
> > To clarify, I won't be opposed against making a specific exception and
> > "grandfathering" any devs who had commit access before the cut-off date
> > when GLEP 76 was implemented.
> > 
> 
> I propose foundation to vote for add the use of pseudonym in the GLEP 76.
> For keeping Gentoo a confortable and inclusive place.
> 

If Foundation decides to arbitrarily change a policy that's been
initially approved both by Council and Foundation, then I propose that
the Council rejects changes to the policy and blocks such contributions.
 
Furthermore, I will propose that we actively pursue removing Foundation
from Gentoo as apparently Trustees once again are trying to abuse
the power that they've only gotten because nobody else wanted to take
legal risk from negligence of previous Boards.

-- 
Best regards,
Michał Górny


[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 963 bytes --]

Re: [gentoo-project] call for agenda items -- council meeting 2019-04-14

[Alec Warner]

[-- Attachment #1: Type: text/plain, Size: 2877 bytes --]

On Wed, Apr 10, 2019 at 3:28 AM Michał Górny <mgorny@gentoo.org> wrote:

> On Wed, 2019-04-10 at 15:27 +0900, Alice Ferrazzi wrote:
> > The 04/10/2019 07:59, Ulrich Mueller wrote:
> > > > > > > > On Wed, 10 Apr 2019, Ulrich Mueller wrote:
> > > > > > > > On Tue, 09 Apr 2019, Gokturk Yuksek wrote:
> > > > I'd like to (informally) propose the following, for which I'm willing
> > > > to formulate as a GLEP proposal if there is interest:
> > > > The Foundation has an established practice of storing the legal names
> > > > of developers who join under a pseudonym. The infrastructure is
> > > > already in place for this. I think that allowing these developers to
> > > > commit using their pseudonyms as long as the Foundation is informed
> > > > their real identity does not exacerbate the legal risks they already
> > > > pose. The foundation may decide their arbitrary criteria on who is
> > > > eligible for this type of protection, including requiring sound legal
> > > > reasons for them to keep their identities hidden. I understand that
> > > > the maintenance of this could be a burden for the Foundation in
> > > > theory, but in practice I suspect this number is very low already.
> > >
> > > That doesn't work, because there would be no way for a person outside
> of
> > > the Foundation to verify such identities.
> > >
> > There is no way also for foundation to check all sign-off are assigned
> > to real legal names.
> >
> > > To clarify, I won't be opposed against making a specific exception and
> > > "grandfathering" any devs who had commit access before the cut-off date
> > > when GLEP 76 was implemented.
> > >
> >
> > I propose foundation to vote for add the use of pseudonym in the GLEP 76.
> > For keeping Gentoo a confortable and inclusive place.
> >
>
> If Foundation decides to arbitrarily change a policy that's been
> initially approved both by Council and Foundation, then I propose that
> the Council rejects changes to the policy and blocks such contributions.
>
> Furthermore, I will propose that we actively pursue removing Foundation
> from Gentoo as apparently Trustees once again are trying to abuse
> the power that they've only gotten because nobody else wanted to take
> legal risk from negligence of previous Boards.
>

I want to separate talking about things (which is happening on this thread)
and actually making and passing foundation motions (which doesn't happen on
this list, but does happen on bugzilla.) Alice is in fact a board member
(as am I!) and should be free to talk about whatever she likes here.
Talking about something is different than "the trustees apparently once
again abusing their power." Talking about a concept, even a controversial
one, is not an abuse of power; its a free exchange of ideas.

-A


> --
> Best regards,
> Michał Górny
>
>

[-- Attachment #2: Type: text/html, Size: 3677 bytes --]

Re: [gentoo-project] call for agenda items -- council meeting 2019-04-14

[Rich Freeman]

On Wed, Apr 10, 2019 at 8:47 AM Alec Warner <antarus@gentoo.org> wrote:
>
> I want to separate talking about things (which is happening on this
> thread) and actually making and passing foundation motions (which
> doesn't happen on this list, but does happen on bugzilla.) Alice is
> in fact a board member (as am I!) and should be free to talk about
> whatever she likes here. Talking about something is different than
> "the trustees apparently once again abusing their power." Talking
> about a concept, even a controversial one, is not an abuse of power;
> its a free exchange of ideas.
>

++

The same applies to mgorny making proposals which was the subject of a
separate critique which doesn't need a separate reply.  The
Council/Trustees are fairly reasonable people for the most part which
is why we all voted for them.  You don't need to be fearful that they
only listen to one person.

mgorny just happens to make a lot of proposals, and most of them tend
to be non-controversial so they get adopted.  The ones that are more
controversial, in my experience, tend to go through more change if
they are accepted.  Nobody needs to censor themselves if they're being
constructive.  Likewise, we can just voice our opinions and have some
faith that those in charge will bother to read them so we don't need
to get too worked up about it.

I'll also note that in my experience many people tend to be more free
with casual discussion than their decision-making.  The fact that a
Council/Trustee member talks about an idea doesn't mean that they're
going to end up voting for that idea.  I know I've talked out loud
about things that I've ended up not supporting in the end - this is
just how we collaborate and how good decisions get made.  We don't
want people so afraid of ridicule that they just keep their thoughts
to themselves and just vote seemingly-randomly without the opportunity
for input.

--
Rich

-- 
Rich

Re: [gentoo-project] call for agenda items -- council meeting 2019-04-14

[Aaron Bauman]

[-- Attachment #1: Type: text/plain, Size: 1956 bytes --]

On Wed, Apr 10, 2019 at 09:28:07AM +0200, Michał Górny wrote:
> On Wed, 2019-04-10 at 15:27 +0900, Alice Ferrazzi wrote:
> > The 04/10/2019 07:59, Ulrich Mueller wrote:
> > 
> > I propose foundation to vote for add the use of pseudonym in the GLEP 76.
> > For keeping Gentoo a confortable and inclusive place.
> > 
> 
> If Foundation decides to arbitrarily change a policy that's been
> initially approved both by Council and Foundation, then I propose that
> the Council rejects changes to the policy and blocks such contributions.
>  
> Furthermore, I will propose that we actively pursue removing Foundation
> from Gentoo as apparently Trustees once again are trying to abuse
> the power that they've only gotten because nobody else wanted to take
> legal risk from negligence of previous Boards.
> 
> -- 
> Best regards,
> Michał Górny
> 

I don't know why there is so much animosity towards the foundation from
you.  No one said we would change the policy.  Given the past record of
both bodies working together... it is shallow to think we would do so
anyway.  Can we just stop the stupidity? I, personally, would just like
to do the job of a trustee and support the distribution.  You know, let
the council handle the technical things and let the foundation do the
legal and money...

We get it... many don't want the Foundation.  Regardless, some body will
step in anyway and implement the same sets of rules.  As mentioned many
times on this thread... there is precedent against allowing pseudonyms.
Furthermore, anyone who has said otherwise has yet to produce real world
use cases of such a thing being allowed.  The exception (which I have
validated) is Debian.  Of course, the person still needs to "reveal"
themselves to the legal entity.  Of course, I don't think this will
stand in a court of law anyhow.

Let's all just work together and perform our individual functions.

-- 
Cheers,
Aaron

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]

Re: [gentoo-project] call for agenda items -- council meeting 2019-04-14

[Andreas K. Huettel]

[-- Attachment #1: Type: text/plain, Size: 667 bytes --]

> If Foundation decides to arbitrarily change a policy that's been
> initially approved both by Council and Foundation, then I propose that
> the Council rejects changes to the policy and blocks such contributions.

Take it slow... we're discussing here, we're not voting or even proposing 
detailed votes. 

I would somewhat implicitly assume that a policy set by council and trustees 
together needs also the agreement of both bodies for modifications.

Let's not discuss the tug-of-war details before even anyone starts one. :P

-- 
Andreas K. Hüttel
dilfridge@gentoo.org
Gentoo Linux developer 
(council, toolchain, base-system, perl, libreoffice)

[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

Re: [gentoo-project] call for agenda items -- council meeting 2019-04-14

[Ulrich Mueller]

[-- Attachment #1: Type: text/plain, Size: 1750 bytes --]

>>>>> On Wed, 03 Apr 2019, NP-Hardass  wrote:

> At present time, everyone needs a "Real Name" to contribute. A user,
> with a new email address, can allege to be "Foo Bar" and contribute
> without impediment, but, as recent proposals would have it, developers
> would need to show proof of ID over video call to become part of the
> web of trust for committing. That effectively allows any user to
> remain anonymous by using a false name, obviating a huge portion of
> the alleged benefit to requiring names in the first place.

I don't think that is true. GLEP 76 is very clear on it:

| For commits made using a VCS, the committer shall certify agreement
| to the Certificate of Origin by adding
|
| Signed-off-by: Name <e-mail>
|
| to the commit message as a separate line. The sign-off must contain
| the committer's legal name as a natural person, i.e., the name that
| would appear in a government issued document. 

There is no difference between developers and users there, a real name
is required in either case.

We assume good faith and therefore don't require proof of contributors'
identities (and again, no difference between developers and users
there). That is, unless there is evidence that a name is a pseudonym.
Also I am pretty sure that a commit signed off by "Foo Bar" would be
rejected, because it obviously isn't a real name.

> So, developers can be held to such a high standard that they can
> either no longer contribute, while we trim eligible pool of new
> developers and compare that to the ease with which any "named"
> contributor on github or bugzilla can do as they please.

Do you have any evidence of contributors that are deceiving us about
their real identities?

Ulrich

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 487 bytes --]

Re: [gentoo-project] call for agenda items -- council meeting 2019-04-14

[Mikle Kolyada]

[-- Attachment #1.1: Type: text/plain, Size: 491 bytes --]



On 03.04.2019 17:56, Ulrich Mueller wrote:
> We assume good faith and therefore don't require proof of contributors'

And that is why we have the policy that accepts everything that does not
look like an invalid name? Say, if np-hardass will change his identity
to "John Smith"  (I took a random now), will this be ok as per the policy?

Good illusion of being legal.

> Do you have any evidence of contributors that are deceiving us about
> their real identities?

I do


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 488 bytes --]

Re: [gentoo-project] call for agenda items -- council meeting 2019-04-14

[Ulrich Mueller]

[-- Attachment #1: Type: text/plain, Size: 558 bytes --]

>>>>> On Thu, 04 Apr 2019, Mikle Kolyada wrote:

> On 03.04.2019 17:56, Ulrich Mueller wrote:
>> We assume good faith and therefore don't require proof of contributors'

> And that is why we have the policy that accepts everything that does
> not look like an invalid name? Say, if np-hardass will change his
> identity to "John Smith" (I took a random now), will this be ok as
> per the policy?

Obviously not, because we know that "John Smith" is not his real name.

> Good illusion of being legal.

It boils down to "due diligence" from our side.

Ulrich

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 487 bytes --]

Re: [gentoo-project] call for agenda items -- council meeting 2019-04-14

[Mikle Kolyada]

[-- Attachment #1.1: Type: text/plain, Size: 1081 bytes --]



On 04.04.2019 10:47, Ulrich Mueller wrote:
>>>>>> On Thu, 04 Apr 2019, Mikle Kolyada wrote:
>> On 03.04.2019 17:56, Ulrich Mueller wrote:
>>> We assume good faith and therefore don't require proof of contributors'
>> And that is why we have the policy that accepts everything that does
>> not look like an invalid name? Say, if np-hardass will change his
>> identity to "John Smith" (I took a random now), will this be ok as
>> per the policy?
> Obviously not, because we know that "John Smith" is not his real name.

Why not? He can claim he has changed his name, and by the "good faith"
you should trust him, or is this selective now?
Even more, we know his name only because he had submitted his identity
to the trustees before.
People can also create virtuals with different names pretending they are
real.

This now works as described in "shut the stable door when the steed is
stolen"

The glep allows any level of absurd, while this should not.

>> Good illusion of being legal.
> It boils down to "due diligence" from our side.
>
> Ulrich



[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 488 bytes --]

Re: [gentoo-project] call for agenda items -- council meeting 2019-04-14

[Alec Warner]

[-- Attachment #1: Type: text/plain, Size: 4347 bytes --]

On Wed, Apr 3, 2019 at 10:04 AM NP-Hardass <NP-Hardass@gentoo.org> wrote:

> On 4/3/19 8:43 AM, Alec Warner wrote:
> >
> >
> > On Wed, Apr 3, 2019 at 7:31 AM NP-Hardass <NP-Hardass@gentoo.org
> > <mailto:NP-Hardass@gentoo.org>> wrote:
> >
> >     On 3/31/19 11:20 PM, William Hubbs wrote:
> >     > Hi all,
> >     >
> >     > two weeks from today (2019-04-14) the Gentoo Council will meet at
> >     > 19:00 UTC in the #gentoo-council channel on freenode.
> >     >
> >     > Please reply to this message with any items you would like us to
> >     put on
> >     > the agenda to discuss or vote on.
> >     >
> >     > Thanks much,
> >     >
> >     > William
> >     >
> >
> >     I'd like the council to discuss the issue and general trend of
> actions
> >     (particularly recent) to restrict the ability of developers to
> >     contribute to Gentoo.  In my view, efforts are being made to make
> >     contributions as users substantially easier, while efforts are being
> >     made to make being a developer substantially harder.  The months of
> >     studying, quiz taking, and interviews set a bar that should make
> >     contributions from those individuals that become developers easier
> than
> >     the average user, not more difficult.
> >
> >
> > This is a pretty vague statement, are there particular things you want
> > the council to review; or just the 'general trend'?
> > I'm not aware of any recent changes to the developer onboarding process.
> >
> > -A
> >
> >
> >
> >     --
> >     NP-Hardass
> >
>
> Not just the onboarding, but the retention too.  General trend is what
> I'm proposing should be discussed publicly during the meeting.
>
> Three points:
>
> At present time, everyone needs a "Real Name" to contribute.  A user,
> with a new email address, can allege to be "Foo Bar" and contribute
> without impediment, but, as recent proposals would have it, developers
> would need to show proof of ID over video call to become part of the web
> of trust for committing.  That effectively allows any user to remain
> anonymous by using a false name, obviating a huge portion of the alleged
> benefit to requiring names in the first place. So, developers can be
> held to such a high standard that they can either no longer contribute,
> while we trim eligible pool of new developers and compare that to the
> ease with which any "named" contributor on github or bugzilla can do as
> they please.
>

I think it is reasonable to try to pursue a more inclusive policy where
identity is more flexible (as I discussed in a different message on this
thread), but keep in mind the Council (and really a few key members) spent
over a year working on the policy we have; so I'm not certain its a trivial
change. You are free to dislike the policy we have and you are free to
suggest we pursue a more inclusive policy, but at least here as a trustee
who voted for it we made a deliberate choice here and barring some middle
ground where we somehow understand that contributions to Gentoo are done in
a low-risk way, we will continue to reject commits from obvious
contributors.

What I refuse to engage in is an incessant debate about the policy we have;
please accept that we made it in good faith to reduce legal risk for the
project and, if an alternative is presented that keeps risk low while
accepting a broader set of contributions we will consider it in the same
good faith.

-A


> We currently have a RFC, just posted two days ago, for developers to be
> regularly tested to maintain commit status.  Again, if the developer
> feels like it, maybe it is easier for him/her to just become a plain old
> user and submit patches, waiting on the (as I see it, dwindling,) amount
> of active other developers ready to commit instead.
>
> Totally anecdotal, I've seen developers that have fairly decent QA on
> their own commits merge PRs from users without full review and
> introducing a whole host of issues because code from users isn't always
> vetted as thoroughly as ones own work.  So, I'd argue, the QA standards
> of being a dev don't quite apply to you as stringently once you
> downgrade to being a user...
>
> At the end of the day, holding developers to higher standards than users
> is a given, but it shouldn't be more onerous to be a developer than to
> be a user contributing.
>
> --
> NP-Hardass
>
>

[-- Attachment #2: Type: text/html, Size: 5573 bytes --]

Re: [gentoo-project] call for agenda items -- council meeting 2019-04-14

[Alec Warner]

[-- Attachment #1: Type: text/plain, Size: 4656 bytes --]

On Wed, Apr 3, 2019 at 7:05 PM Alec Warner <antarus@gentoo.org> wrote:

>
>
> On Wed, Apr 3, 2019 at 10:04 AM NP-Hardass <NP-Hardass@gentoo.org> wrote:
>
>> On 4/3/19 8:43 AM, Alec Warner wrote:
>> >
>> >
>> > On Wed, Apr 3, 2019 at 7:31 AM NP-Hardass <NP-Hardass@gentoo.org
>> > <mailto:NP-Hardass@gentoo.org>> wrote:
>> >
>> >     On 3/31/19 11:20 PM, William Hubbs wrote:
>> >     > Hi all,
>> >     >
>> >     > two weeks from today (2019-04-14) the Gentoo Council will meet at
>> >     > 19:00 UTC in the #gentoo-council channel on freenode.
>> >     >
>> >     > Please reply to this message with any items you would like us to
>> >     put on
>> >     > the agenda to discuss or vote on.
>> >     >
>> >     > Thanks much,
>> >     >
>> >     > William
>> >     >
>> >
>> >     I'd like the council to discuss the issue and general trend of
>> actions
>> >     (particularly recent) to restrict the ability of developers to
>> >     contribute to Gentoo.  In my view, efforts are being made to make
>> >     contributions as users substantially easier, while efforts are being
>> >     made to make being a developer substantially harder.  The months of
>> >     studying, quiz taking, and interviews set a bar that should make
>> >     contributions from those individuals that become developers easier
>> than
>> >     the average user, not more difficult.
>> >
>> >
>> > This is a pretty vague statement, are there particular things you want
>> > the council to review; or just the 'general trend'?
>> > I'm not aware of any recent changes to the developer onboarding process.
>> >
>> > -A
>> >
>> >
>> >
>> >     --
>> >     NP-Hardass
>> >
>>
>> Not just the onboarding, but the retention too.  General trend is what
>> I'm proposing should be discussed publicly during the meeting.
>>
>> Three points:
>>
>> At present time, everyone needs a "Real Name" to contribute.  A user,
>> with a new email address, can allege to be "Foo Bar" and contribute
>> without impediment, but, as recent proposals would have it, developers
>> would need to show proof of ID over video call to become part of the web
>> of trust for committing.  That effectively allows any user to remain
>> anonymous by using a false name, obviating a huge portion of the alleged
>> benefit to requiring names in the first place. So, developers can be
>> held to such a high standard that they can either no longer contribute,
>> while we trim eligible pool of new developers and compare that to the
>> ease with which any "named" contributor on github or bugzilla can do as
>> they please.
>>
>
> I think it is reasonable to try to pursue a more inclusive policy where
> identity is more flexible (as I discussed in a different message on this
> thread), but keep in mind the Council (and really a few key members) spent
> over a year working on the policy we have; so I'm not certain its a trivial
> change. You are free to dislike the policy we have and you are free to
> suggest we pursue a more inclusive policy, but at least here as a trustee
> who voted for it we made a deliberate choice here and barring some middle
> ground where we somehow understand that contributions to Gentoo are done in
> a low-risk way, we will continue to reject commits from obvious
> contributors.
>

Er, not obvious contributors, but contributors committing obvious
violations of the policy, sorry ;)

-A


>
> What I refuse to engage in is an incessant debate about the policy we
> have; please accept that we made it in good faith to reduce legal risk for
> the project and, if an alternative is presented that keeps risk low while
> accepting a broader set of contributions we will consider it in the same
> good faith.
>
> -A
>
>
>> We currently have a RFC, just posted two days ago, for developers to be
>> regularly tested to maintain commit status.  Again, if the developer
>> feels like it, maybe it is easier for him/her to just become a plain old
>> user and submit patches, waiting on the (as I see it, dwindling,) amount
>> of active other developers ready to commit instead.
>>
>> Totally anecdotal, I've seen developers that have fairly decent QA on
>> their own commits merge PRs from users without full review and
>> introducing a whole host of issues because code from users isn't always
>> vetted as thoroughly as ones own work.  So, I'd argue, the QA standards
>> of being a dev don't quite apply to you as stringently once you
>> downgrade to being a user...
>>
>> At the end of the day, holding developers to higher standards than users
>> is a given, but it shouldn't be more onerous to be a developer than to
>> be a user contributing.
>>
>> --
>> NP-Hardass
>>
>>

[-- Attachment #2: Type: text/html, Size: 6319 bytes --]

Re: [gentoo-project] call for agenda items -- council meeting 2019-04-14

[Gokturk Yuksek]

[-- Attachment #1.1: Type: text/plain, Size: 6129 bytes --]

Hi,

Alec Warner:
> On Wed, Apr 3, 2019 at 10:04 AM NP-Hardass <NP-Hardass@gentoo.org> wrote:
> 
>> On 4/3/19 8:43 AM, Alec Warner wrote:
>>>
>>>
>>> On Wed, Apr 3, 2019 at 7:31 AM NP-Hardass <NP-Hardass@gentoo.org
>>> <mailto:NP-Hardass@gentoo.org>> wrote:
>>>
>>>     On 3/31/19 11:20 PM, William Hubbs wrote:
>>>     > Hi all,
>>>     >
>>>     > two weeks from today (2019-04-14) the Gentoo Council will meet at
>>>     > 19:00 UTC in the #gentoo-council channel on freenode.
>>>     >
>>>     > Please reply to this message with any items you would like us to
>>>     put on
>>>     > the agenda to discuss or vote on.
>>>     >
>>>     > Thanks much,
>>>     >
>>>     > William
>>>     >
>>>
>>>     I'd like the council to discuss the issue and general trend of
>> actions
>>>     (particularly recent) to restrict the ability of developers to
>>>     contribute to Gentoo.  In my view, efforts are being made to make
>>>     contributions as users substantially easier, while efforts are being
>>>     made to make being a developer substantially harder.  The months of
>>>     studying, quiz taking, and interviews set a bar that should make
>>>     contributions from those individuals that become developers easier
>> than
>>>     the average user, not more difficult.
>>>
>>>
>>> This is a pretty vague statement, are there particular things you want
>>> the council to review; or just the 'general trend'?
>>> I'm not aware of any recent changes to the developer onboarding process.
>>>
>>> -A
>>>
>>>
>>>
>>>     --
>>>     NP-Hardass
>>>
>>
>> Not just the onboarding, but the retention too.  General trend is what
>> I'm proposing should be discussed publicly during the meeting.
>>
>> Three points:
>>
>> At present time, everyone needs a "Real Name" to contribute.  A user,
>> with a new email address, can allege to be "Foo Bar" and contribute
>> without impediment, but, as recent proposals would have it, developers
>> would need to show proof of ID over video call to become part of the web
>> of trust for committing.  That effectively allows any user to remain
>> anonymous by using a false name, obviating a huge portion of the alleged
>> benefit to requiring names in the first place. So, developers can be
>> held to such a high standard that they can either no longer contribute,
>> while we trim eligible pool of new developers and compare that to the
>> ease with which any "named" contributor on github or bugzilla can do as
>> they please.
>>
> 
> I think it is reasonable to try to pursue a more inclusive policy where
> identity is more flexible (as I discussed in a different message on this
> thread), but keep in mind the Council (and really a few key members) spent
> over a year working on the policy we have; so I'm not certain its a trivial
> change. You are free to dislike the policy we have and you are free to
> suggest we pursue a more inclusive policy, but at least here as a trustee
> who voted for it we made a deliberate choice here and barring some middle
> ground where we somehow understand that contributions to Gentoo are done in
> a low-risk way, we will continue to reject commits from obvious
> contributors.
> 
> What I refuse to engage in is an incessant debate about the policy we have;
> please accept that we made it in good faith to reduce legal risk for the
> project and, if an alternative is presented that keeps risk low while
> accepting a broader set of contributions we will consider it in the same
> good faith.
> 
> -A
> 

I don't doubt people's good faith in proposing this policy and I'm sure
it's done with the best interest in mind. I apologize for not doing the
homework for the following question: did the Foundation pay for any kind
of legal counsel on this matter? I think one thing most of us struggle
with is that we are not lawyers. It would help to put people's mind at
ease if the Foundation consulted a lawyer that clearly explained:

- What exactly is the legal liability being addressed here?
- Have there been any precedent cases of copyright infringement
(constrained to the context of copyrighted ebuilds, or code of similar
nature) to make this a more realistic threat for the Foundation?
- In the case of a potential court case, how is the liability
distributed among involved parties? Would we be legally required to
track down the contributor (whose identity we may or may not have
confirmed yet)?

The reason why I'm suggesting this is because I've talked to a friend of
mine, who is a software patent lawyer, about the DCO and GLEP. Their
first impression was that the DCO itself has no clause for requiring a
legal name, so signing it with a fake name may not violate the DCO
itself. So the (informal) conclusion is that as long as nobody sues you
for copyright infringement, there is no legal problem with using a fake
name to sign the DCO. I know it sounds very obvious but the point is
that legal people have a better grip of the situation than we do, and
the community is more likely to take their word and justification for it.

> 
>> We currently have a RFC, just posted two days ago, for developers to be
>> regularly tested to maintain commit status.  Again, if the developer
>> feels like it, maybe it is easier for him/her to just become a plain old
>> user and submit patches, waiting on the (as I see it, dwindling,) amount
>> of active other developers ready to commit instead.
>>
>> Totally anecdotal, I've seen developers that have fairly decent QA on
>> their own commits merge PRs from users without full review and
>> introducing a whole host of issues because code from users isn't always
>> vetted as thoroughly as ones own work.  So, I'd argue, the QA standards
>> of being a dev don't quite apply to you as stringently once you
>> downgrade to being a user...
>>
>> At the end of the day, holding developers to higher standards than users
>> is a given, but it shouldn't be more onerous to be a developer than to
>> be a user contributing.
>>
>> --
>> NP-Hardass
>>
>>


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 488 bytes --]

Re: [gentoo-project] call for agenda items -- council meeting 2019-04-14

[Aaron Bauman]

[-- Attachment #1: Type: text/plain, Size: 3622 bytes --]

On Tue, Apr 09, 2019 at 08:46:00PM +0000, Gokturk Yuksek wrote:
> Hi,
> 
> Alec Warner:
> > On Wed, Apr 3, 2019 at 10:04 AM NP-Hardass <NP-Hardass@gentoo.org> wrote:

[snip]

> 
> I don't doubt people's good faith in proposing this policy and I'm sure
> it's done with the best interest in mind. I apologize for not doing the
> homework for the following question: did the Foundation pay for any kind
> of legal counsel on this matter? I think one thing most of us struggle
> with is that we are not lawyers. It would help to put people's mind at
> ease if the Foundation consulted a lawyer that clearly explained:
> 
> - What exactly is the legal liability being addressed here?
> - Have there been any precedent cases of copyright infringement
> (constrained to the context of copyrighted ebuilds, or code of similar
> nature) to make this a more realistic threat for the Foundation?
> - In the case of a potential court case, how is the liability
> distributed among involved parties? Would we be legally required to
> track down the contributor (whose identity we may or may not have
> confirmed yet)?
>

There is precent with the Linux Foundation and the DCO being enforced.
That is why they spent so much time and effort in preparing the DCO...
to guard the Linux Foundation from any copyright cases.  I think it is
safe to say that other precendents wrt copyrights can be seen in recent
things like VMWare (sued in German court), SCO, etc.  There are plenty
of situations out there.

> The reason why I'm suggesting this is because I've talked to a friend of
> mine, who is a software patent lawyer, about the DCO and GLEP. Their
> first impression was that the DCO itself has no clause for requiring a
> legal name, so signing it with a fake name may not violate the DCO
> itself. So the (informal) conclusion is that as long as nobody sues you
> for copyright infringement, there is no legal problem with using a fake
> name to sign the DCO. I know it sounds very obvious but the point is
> that legal people have a better grip of the situation than we do, and
> the community is more likely to take their word and justification for it.
> 

Is your friend interested in being retained? :)

No, the DCO does not have an *explicit* clause mandating that a "real
name" be used. I am not going to debate the interpretation of it by
others, but if I *certify* something under a pseudonym or false name
then how can I possibly be held responsible for it?  The very essence of
names are to associate things to someone.  Drivers licenses, passports,
library cards, and the list goes on...

Note: If found to be using a pseudonym to sign the Linux Kernel DCO... I
am quite sure you will be dismissed (I will find the real world example
of that happening).

If someone were too take you to court could you be held responsible
under the guise of a pseudonym or false name?  I am not aware of any
countries that allow such proceedings, but ultimately I believe the
first task would be to *prove* that you were the one involved before
proceeding further.  Of course, that most likely is some sort of
physical attestation that must occur.

This is all circumvented by simply using a "believeable" name and
staying silent.  I could easily submit patches to Gentoo as someone else
and certify the DCO.  Of course, this simply means that Gentoo can claim
some form of ignorance/plausible deniability in the end.  Ultimately,
this would likely result (IANAL) in the false contributor being held
accountable for any potential wrong-doing.

-- 
Cheers,
Aaron

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]

Re: [gentoo-project] call for agenda items -- council meeting 2019-04-14

[Gokturk Yuksek]

[-- Attachment #1.1: Type: text/plain, Size: 2556 bytes --]



Aaron Bauman:
> On Tue, Apr 09, 2019 at 08:46:00PM +0000, Gokturk Yuksek wrote:
>> Hi,
>>
>> Alec Warner:
>>> On Wed, Apr 3, 2019 at 10:04 AM NP-Hardass <NP-Hardass@gentoo.org> wrote:
> 
> [snip]
> 
>>
>> I don't doubt people's good faith in proposing this policy and I'm sure
>> it's done with the best interest in mind. I apologize for not doing the
>> homework for the following question: did the Foundation pay for any kind
>> of legal counsel on this matter? I think one thing most of us struggle
>> with is that we are not lawyers. It would help to put people's mind at
>> ease if the Foundation consulted a lawyer that clearly explained:
>>
>> - What exactly is the legal liability being addressed here?
>> - Have there been any precedent cases of copyright infringement
>> (constrained to the context of copyrighted ebuilds, or code of similar
>> nature) to make this a more realistic threat for the Foundation?
>> - In the case of a potential court case, how is the liability
>> distributed among involved parties? Would we be legally required to
>> track down the contributor (whose identity we may or may not have
>> confirmed yet)?
>>
> 
> There is precent with the Linux Foundation and the DCO being enforced.
> That is why they spent so much time and effort in preparing the DCO...
> to guard the Linux Foundation from any copyright cases.  I think it is
> safe to say that other precendents wrt copyrights can be seen in recent
> things like VMWare (sued in German court), SCO, etc.  There are plenty
> of situations out there.
> 
>> The reason why I'm suggesting this is because I've talked to a friend of
>> mine, who is a software patent lawyer, about the DCO and GLEP. Their
>> first impression was that the DCO itself has no clause for requiring a
>> legal name, so signing it with a fake name may not violate the DCO
>> itself. So the (informal) conclusion is that as long as nobody sues you
>> for copyright infringement, there is no legal problem with using a fake
>> name to sign the DCO. I know it sounds very obvious but the point is
>> that legal people have a better grip of the situation than we do, and
>> the community is more likely to take their word and justification for it.
>>
> 
> Is your friend interested in being retained? :)

Just to re-iterate: it was not a legal advice or opinion on their part.
It was there to demonstrate that paying for legal counsel may be worth
it for the Foundation because lawyers have a different perspective on
things than we do.


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 488 bytes --]

[gentoo-project] GLEP76, legal liability around misrepresentation in copyright, real names, how it's handled at FSF, SFC & at the US copyright office!

[Robin H. Johnson]

[-- Attachment #1: Type: text/plain, Size: 11916 bytes --]

(I think I need to have lots more IANAL disclaimers in every paragraph
of this).

I apologize for the late response, but giant threads on the mailing list
have NOT been high on my priority list. I do have some answers for you,
but also further points to make.

Please read on for my inputs about examples of legal liability around
the DCO, as well as how other organizations handle it.

On Tue, Apr 09, 2019 at 08:46:00PM +0000, Gokturk Yuksek wrote:
> Alec Warner:
> > I think it is reasonable to try to pursue a more inclusive policy where
> > identity is more flexible (as I discussed in a different message on this
> > thread), but keep in mind the Council (and really a few key members) spent
> > over a year working on the policy we have; so I'm not certain its a trivial
> > change. You are free to dislike the policy we have and you are free to
> > suggest we pursue a more inclusive policy, but at least here as a trustee
> > who voted for it we made a deliberate choice here and barring some middle
> > ground where we somehow understand that contributions to Gentoo are done in
> > a low-risk way, we will continue to reject commits from obvious
> > contributors.
I would like this part to be heard and followed. I too have personal
objections against publicly disclosing the identity of people who have
genuine reasons to not have that public (In a very recent example, I
have a coworker who can't contribute to open source anymore due to
harassment from a ex-spouse).

At the same time, the steps for another body to REALLY safely shield
their identity are not trivial, and have not really been done in a
sustainable manner before.

I don't LIKE the real name requirement, and I will help pursue a better
policy, but I also object to moving backwards, including the suggestions
of grandfathering in existing developers.

> > What I refuse to engage in is an incessant debate about the policy we have;
> > please accept that we made it in good faith to reduce legal risk for the
> > project and, if an alternative is presented that keeps risk low while
> > accepting a broader set of contributions we will consider it in the same
> > good faith.
If there were some identity escrow service, that provided reliable
pseudonymous identities, and it met the standards of law, while not
exposing further liability issues, I would be VERY happy to use it and
enable more contributions to Gentoo. This IS a hot field of business:
https://securid.ca/ is one local Vancouver startup that I'm personally
aware of looking at the concept (disclaimer: the CEO is a friend, and I
have answered his questions about conceptual ways to protect privacy
within the scope of court-demanded access to data).

> I don't doubt people's good faith in proposing this policy and I'm sure
> it's done with the best interest in mind. I apologize for not doing the
> homework for the following question: did the Foundation pay for any kind
> of legal counsel on this matter? 
As the Foundation treasurer, to the best of my knowledge, the Foundation
did not pay for any legal counsel on this matter. I cannot state with
certainty if any Council member or Trustee other than myself consulted
legal counsel (and if they paid for the answer or not).

While at a open source conference, I did informally consult two lawyers
who specialize or previously specialized in the field of open source
licensing. I "paid" each of them with a drink, at my own expense (cash
to the bar, no paper trail), and got 3 different opinions. I did ask
about a formal opinion, but they were NOT willing to issue a full formal
opinion, as it didn't align with their interests at the time.

IANAL, but I will summarize their informal opinions. They did also point
me to written material that was superb:
"Practical Guide to Software Licensing: For Licensees and Licensors",
published by the American Bar Association, ISBN 978-1616328139

> I think one thing most of us struggle
> with is that we are not lawyers. It would help to put people's mind at
> ease if the Foundation consulted a lawyer that clearly explained:
> 
> - What exactly is the legal liability being addressed here?
To put a specific concern to words:
- "A" is a legal entity, individual or corporate.
- Work "X" is copyrightable work, with a COMPLETED copyright
  registration held** by "A", in the form of source code.
- Work "X" has NOT been released publicly at all, esp. has not been
  released under an open source license by "A"
- Entity "M" contributes work "X" to Gentoo, claiming terms (a) or (b)
  of the DCO. "M" could be identified, anonymous or pseudonymous (see
  below).
- "A" discovers Gentoo distributing "X", and sues Gentoo for copyright
  infringement.

** "Copyright held": This enters the debate of EU moral rights. Debate
over the semantics of the term is not relevant to this point.
** The copyright registration MUST be completed; there is caselaw

What laws & regulations have been violated here? These are primarily
civil infringements.
This is NOT a complete list, only a potential list.
- 17 U.S.C. § 504(c)(2); Gentoo is an "innocent" copyright infringer:
  https://www.law.cornell.edu/uscode/text/17/504
  "infringer was not aware and had no reason to believe that his or her
  acts constituted an infringement of copyright"
- 17 U.S.C. § 504(c)(2); "M" is a "willful" copyright infringer: they KNEW about the origin &
  license of the work.
- 15 U.S.C. § 1125(a) (Lanham act, section 43(a), "False designations of
  Origin, False Descriptions, and Dilution Forbidden"): 
  Both "Gentoo" and "M" have made false claims. 
- § 525. Liability For Fraudulent Misrepresentation
  http://blogs.kentlaw.iit.edu/perrittcivpro/fraudulent-misrep-rest525-html/
  "M" has fraudulently misrepresented themselves under the DCO.
- Negligent misrepresentation:
  This is where the anonymous/pseudonymous side comes back. Was Gentoo
  negligent by not verifying the identity 

Depending on how much preparation "A" does, their lawyers could start
off just filing lawsuit against Gentoo for the above portions, and later
amending the lawsuit to also include "M"; or naming "M" up-front.

Gentoo could also file lawsuit(s) against "M".

What could the outcomes be? It would come down to penalties as well as
the damages suffered by "A" in the publication of Work "X". 

The one thing you can be certain of is that lawyers and the legal system
will walk away being paid, and somebody else's bank account will be
emptier!


> - Have there been any precedent cases of copyright infringement
> (constrained to the context of copyrighted ebuilds, or code of similar
> nature) to make this a more realistic threat for the Foundation?
In an open source context specifically, not that I'm aware of, or found
in generous searching.

In commercial software, YES, there have been lawsuits claiming copyright
infringement via stolen source code. They sound like they have ALL been
messy.

> - In the case of a potential court case, how is the liability
> distributed among involved parties? Would we be legally required to
> track down the contributor (whose identity we may or may not have
> confirmed yet)?
Yes, the Foundation could be forced to disclose what we know, and/or
share liability that could not otherwise be transferred.

> The reason why I'm suggesting this is because I've talked to a friend of
> mine, who is a software patent lawyer, about the DCO and GLEP. Their
> first impression was that the DCO itself has no clause for requiring a
> legal name, so signing it with a fake name may not violate the DCO
> itself. So the (informal) conclusion is that as long as nobody sues you
> for copyright infringement, there is no legal problem with using a fake
> name to sign the DCO. I know it sounds very obvious but the point is
> that legal people have a better grip of the situation than we do, and
> the community is more likely to take their word and justification for it.
They are correct: the DCO itself doesn't have any clause to that effect.
This is why lawyers can be pedantic about the questions you ask.

In the case of the kernel it's not the DCO specifically that prohibits
pseudonyms or anonymous contributions, it's the tiny line of POLICY just
below it:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/Documentation/process/submitting-patches.rst#n462
"using your real name (sorry, no pseudonyms or anonymous contributions.)"

Similarly, GLEP76 is the equivalent Gentoo policy that requires real
names.

Many others have raised that the Foundation can/should/does accept
contributions if the Foundation is itself aware of the real identity of
the contributor.

This DOES have a legal standing:
The Berne Convention does state that anonymous & pseudonymous
copyright is possible. It does not go into an implementation detail
about how to achieve it.

Copyright registration in many countries, even for anonymous &
pseudonymous requires SOME identifying information:
- US & Canadian law don't require the real name registering copyright,
  but they do require you to give a real address and pay registration
  fees. BUT...
- Check out the form: https://www.copyright.gov/forms/formtx.pdf
  Section 2(a) NAME OF AUTHOR is optional
  Section 8 & 9, name and address ARE required.

As such, while the registration itself is anonymous/pseudonymous, the
government DOES know the identity of the copyright registrant.

Other open source organizations DO accept it, but place disclaimers on
it. Besides copyright assignments, CLAs, there are ALSO copyright
enforcement agreements.

The Software Freedom Conservancy has a very good example of this
in the context of their Linux Enforcement Agreement:
https://sfconservancy.org/docs/blank_anonymous-linux-enforcement-agreement.pdf
"The parties acknowldege that Conservancy may be required to disclose
Contributor's identity and participation in the Project in the context of
litigation. Contributor hereby releases Conservancy from any liability
associated with the disclosure of Contributor's identity in the
context of litigation and/or any discussions related hereto."

I believe that their Debian Copyright Enforcement Agreement 
https://sfconservancy.org/news/2015/aug/17/debian/
is available with similar language, but I have not been able to find a
copy of that document.

As dilfridge noted, the FSF also has a process for the work to be known
under a pseudonym: the FSF publishes the pseudonym, but registers under
the real name.
https://www.gnu.org/prep/maintain/html_node/Copyright-Papers.html

This only transfers accountability. The FSF does NOT accept anonymous
contributions. The rest of that link suggests that the FSF also has a
verification process in place that the FSF ensures they have sufficient
legal standing for a copyright assignment, and THEIR process can require
a copy of your employment contract. It doesn't specify if it includes
asking for ID, but it doesn't rule it out either.

The Foundation does know the identity of some past contributors who did
not disclose their identity publicly at the time; some of these
contributors later DID disclose their identity. This pretty much exists
only in old email; and is probably a privacy and GDPR mess (I could
assert it comes under something we are required to hold onto out of
legal need right?)

This comes back to what I said much earlier about an identity escrow
service: the Foundation would not be the holder of the identity
information (and probably shouldn't be).

-- 
Robin Hugh Johnson
Gentoo Linux: Dev, Infra Lead, Foundation Treasurer
E-Mail   : robbat2@gentoo.org
GnuPG FP : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85
GnuPG FP : 7D0B3CEB E9B85B1F 825BCECF EE05E6F6 A48F6136

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 1113 bytes --]

Re: [gentoo-project] GLEP76, legal liability around misrepresentation in copyright, real names, how it's handled at FSF, SFC & at the US copyright office!

[Rich Freeman]

On Fri, Apr 19, 2019 at 2:50 AM Robin H. Johnson <robbat2@gentoo.org> wrote:
>
> What could the outcomes be? It would come down to penalties as well as
> the damages suffered by "A" in the publication of Work "X".
>
> The one thing you can be certain of is that lawyers and the legal system
> will walk away being paid, and somebody else's bank account will be
> emptier!
>

People need to keep in mind that there hasn't been a ton of litigation
over this stuff in the context of open source software projects.  That
means that there is a ton of conjecture, and very little in the way of
actual case law.  That doesn't mean that lawyers can't offer good
advice in general, based on part on case law in similar domains where
it exists, but it is very hard for any expert to offer certainty when
ultimately the decisions are in the hands of a court.

I'm not saying that legal advice isn't a good thing. I'm just pointing
out that the average lawyer doesn't deal with open source intellectual
property law, and the few experts that exist in this space are largely
going off of common/best practices.  I'm sure most of them would have
said that you can't copyright an API until a court ruled that
Sun/Oracle did (a ruling many would disagree with, and which another
court might disagree with, but it is a ruling all the same).

Nobody can offer certainty in this space.  You just do your best in
good faith and hope that being a good neighbor pays off.  IMO our
biggest defense is that anybody going after us would look bad as long
as we're generally trying to do the right thing, and since we aren't
profiting from our code really there isn't much a suit would actually
accomplish since any code we publish is already public.  Still, if
somebody wanted to throw a lot of money at suing us then it isn't like
we could afford a strong defense unless somebody came to our aid or a
lot of donors stepped up.

Again, not my call and I think there is plenty of room for
disagreement, but there is also something to be said about
professionalism in an environment where Boaty McBoatface isn't one of
your top committers...

-- 
Rich

Re: [gentoo-project] call for agenda items -- council meeting 2019-04-14

[Michał Górny]

[-- Attachment #1: Type: text/plain, Size: 811 bytes --]

On Sun, 2019-03-31 at 22:20 -0500, William Hubbs wrote:
> Hi all,
> 
> two weeks from today (2019-04-14) the Gentoo Council will meet at
> 19:00 UTC in the #gentoo-council channel on freenode.
> 
> Please reply to this message with any items you would like us to put on
> the agenda to discuss or vote on.
> 

I would like to request the Council to debate and vote on supporting
the idea of pushing for disbanding or better specialization of herd-like 
projects (i.e. projects covering a very broad scope of packages that
have very little in common, and therefore are unlikely to be all
maintained by the same people).  I've started the original discussion
on gentoo-dev:

https://archives.gentoo.org/gentoo-dev/message/5a6ae394023c56a4830b4e2e9472a6bd

-- 
Best regards,
Michał Górny


[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 963 bytes --]