From: Andrew Savchenko
To: gentoo-project@lists.gentoo.org
Date: Tue, 25 Jun 2019 01:18:18 +0300
Subject: Re: [gentoo-project] Questions for Gentoo Council nominees: GLEP 76
Message-Id: <20190625011818.73fb7c1948a0a3d124a0d9db@gentoo.org>
In-Reply-To: <20190615124933.b2f20fde0b47509e6b54f989@gentoo.org>

Hi all!

On Sat, 15 Jun 2019 12:49:33 +0300 Andrew Savchenko wrote:
> On Sat, 15 Jun 2019 12:42:20 +0300 Andrew Savchenko wrote:
> > Hi all!
> >
> > Last year we had a good initiative: in addition to (or even instead
> > of) manifests nominees were asked questions by voters. So let's
> > continue this year.
> >
> > I propose to have one question per thread spawned by this e-mail to
> > keep discussion focused. If you have multiple questions, please
> > start multiple threads. If your question was already asked, please
> > join a thread.
> >
> > I'll ask my questions in subsequent e-mails.
>
> In my opinion GLEP 76 is the most controversial decision made by
> running council. While it fixed some long standing issues like
> copyright headers and proper acknowledgement of out of the tree
> contributors, it created grave problems: now some long-time
> contributors and even developers are seriously discriminated because
> they want to keep their privacy.
>
> What is your opinion on this problem?
> Should GLEP 76 be left as is?
> Should GLEP 76 be cancelled?
> Should GLEP 76 be improved and how?

Since I've accepted the nomination, it's my turn to answer as well.

I'll tell you frankly that GLEP 76 was the main motivation for me to
accept the nomination. I consider it — in the way it exists now —
harmful and in need of fixing. This is how free software works: if
something is broken and nobody repairs it, go and fix it yourself.

What is wrong with GLEP 76? It kicks some active contributors and
rejects some of the new ones. No, it is not just one developer affected
as someone may assume.
We have external contributors kicked out, we have at least one high
quality maintainer who worked on quizzes, but this work was stopped due
to hostility to and further ban on anonymous contributions.

I believe that for free software development privacy concern is of
paramount importance, especially when we are dealing with security or
privacy oriented software.

One may argue that the ban on anonymous contributions was to protect
Gentoo from possible copyright claims in the future. But does it really
give us such protection? In my opinion NO, because:

1. GLEP 76 was prepared without legal expertise from experts in this
field. (At least such expertise was not published.) Hereby we have no
evidence that it will work if a real case is opened.

2. No law or legal precedent was provided to prove that GLEP 76 will be
useful in an alleged case or that we have a legal requirement to put
such a restrictive demand on our contributors.

3. We objectively have no means to verify a developer's credentials.
The current approach is based on realistic-like approach: if someone
names themselves "John Doe" we accept it, if someone names as
"qwerty123" we do not recognize this as an ID. But we have no means to
verify that "John Doe" is a real (natural) name. Even GnuPG Web of Trust
doesn't provide such means, because what it really provides is a link
between a person and their GnuPG key, as we're not authorized legal
entities empowered and fully informed to verify validity of IDs present
during GnuPG signing.

So in my opinion the current state of affairs is not acceptable and must
be amended. What I propose to do:

1. To mitigate the current crisis we should allow developers to commit
under any unique non-offensive id (text string) as long as the trustees
know how it maps to a real name. The rationale is that the trustees are
the legal body to handle all legal issues of Gentoo, so even if we agree
that real names are mandatory, there is no practical legal need for
anyone outside of trustees to know them.
This way we can include people who agree to keep their privacy from
anyone except trustees and in the same way this will keep the legal
effect of GLEP 76 intact.

2. Work together with trustees and possibly some external expertise
(both legal and risk assessment) to clarify if we are really expected to
check all these data and search for a way to accept private
contributions.

My goal is to help Gentoo to be an open and inclusive society and not
some bureaucratic club fighting ghosts (I *don't* claim it is that way
now, but there are some alarming tendencies...).

Best regards,
Andrew Savchenko