Message-ID: <23311.49590.759730.51775@a1i15.kph.uni-mainz.de>
Date: Thu, 31 May 2018 11:34:46 +0200
To: Greg KH <gregkh@gentoo.org>
Cc: gentoo-project@lists.gentoo.org
Subject: [gentoo-project] Re: [gentoo-dev-announce] Poll: Would you sign a Contributer License Agreement?
In-Reply-To: <20180531070321.GC7744@kroah.com>
References: <23310.46809.293787.611345@a1i15.kph.uni-mainz.de> <20180530182136.GB18004@kroah.com> <23311.6978.886855.373818@a1i15.kph.uni-mainz.de> <20180531070321.GC7744@kroah.com>
From: Ulrich Mueller <ulm@gentoo.org>

>>>>> On Thu, 31 May 2018, Greg KH wrote:

>> We simply cannot. We have files in the Gentoo repository that are not
>> under a free software license, and for these we need an extra clause.

> Your "extra clause" is pretty odd. You took out the c) clause of the
> original DCO for some unknown reason as well, which is going to cause
> you big problems.

No, previous clause (c) has been moved to (d). And previous clause (d)
is a separate paragraph below the list, because the logical structure
of it made no sense before. In the original DCO, "I certify that"
refers to items (a) to (c) only, but (d) is separate from it. (So while
at it, we have fixed this as well, in order to make the structure
consistent with the meaning.)

> Was this vetted by a lawyer?
> Again, this is going to cause companies
> to have to spend lots of time and money to be able to get anyone to
> use this, do not change things lightly.

Huh? The wording is quite simple, and it won't take anybody with even
half a brain more than 2 minutes to figure it out.

> [...]

> Are you _sure_ you need this change?

Pretty sure, yes. The alternative would be to have exceptions to the
S-o-b policy, and it would be a nightmare to verify that.

>> How is it a copyright violation? We create a modified version of
>> a document that was released under a Creative Commons
>> Attribution-ShareAlike 2.5 License. Distribution of modified
>> versions is allowed under this license, and I believe that we
>> include proper attribution. Also section 4b of CC-BY-SA-2.5
>> explicitly allows distribution of a modified work under
>> CC-BY-SA-3.0.

> Fair enough, but please be sure to run the fact that you are
> changing something is obviously copyrighted by someone else with a
> declaration that it can not be changed, by relying on the wayback
> machine to make that change past a copyright lawyer. There is a
> reason that the DCO is not under such a license anymore, as this
> "respin" proves it :)

"The CC licenses are irrevocable. This means that once you receive
material under a CC license, you will always have the right to use it
under those license terms, even if the licensor changes his or her
mind and stops distributing under the CC license terms."
https://creativecommons.org/faq/

Plus, if the DCO would be under a non-free license, then by its own
terms we won't be able to commit it to our documentation. :) And in
fact, also our Social Contract requires our documentation to be under
a free license.

>> > Again, just use the DCO, please.
>>
>> See above, the simple reason is that we need an exception for license
>> files.
>>
>> Then again, Linux might profit from such a clause too.
>> See for example
>> the following commit:
>> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/LICENSES/preferred/GPL-2.0?id=255247c2770ada6edace04173b35307869b47d99
>>
>> The commit message carries two Signed-off-by lines (and a Reviewed-by
>> by yourself). But let's look what the document says about its license:
>>
>> + Everyone is permitted to copy and distribute verbatim copies
>> + of this license document, but changing it is not allowed.
>>
>> Clearly, this isn't an open source license, because it doesn't allow
>> modifications. So I wonder how the committer could certify agreement
>> to the DCO 1.1 there?

> Section b) should cover this nicely.

Section (b) says "covered under an appropriate free software license",
and this condition is obviously not fulfilled.

> If your lawyers somehow feel it does not, I will be glad to consult
> with the LF lawyers about this and have them discuss the matter.

> Also note that I really doubt that the fact that you can include
> verbatim copies of a license in a repo is going to make anyone upset
> at all, unless you modify that license text. So you might all be
> worried about nothing "real" at all here. License files are not
> code, just like documentation is not code, and almost all open
> source licenses do not cover either of them well, if at all.

I agree to all of this, but it is not the question at hand. The
question is if a developer can certify a commit of an immutable
license file, and I don't see how he could certify it with the
original DCO, which unconditionally requires an open source license.

Also we want people to actually think about what they certify. IANAL,
but wouldn't it weaken one's legal position if someone found commits
of non-open-source material certified by the original DCO (which
requires open source)? Might it not even be taken as a sign that
developers add these Signed-off-by lines carelessly?
> As an armchair thought experiment of this, how would the overall
> license of a GNU project's tarball release such as bash, which is
> GPLv3, cover the license file of the GPLv3 text that is included in
> the tarball?

GNU projects usually have a license notice in every file. For bash it
is GPL-3+ for most of the files, but some (like README or NEWS) are
distributed under more relaxed terms, and COPYING allows only its
verbatim distribution. So no, GPL-3 doesn't cover its own license
text.

> Would the inclusion of a file in the tarball that is obviously not
> under a free software license cause that project's license to
> somehow not be "free software"?

> It's a fun rabbit hole to go down, but one that I think you will have
> to do on your own :)

Other distros are aware of the problem, too:
https://lists.debian.org/debian-legal/2018/04/msg00006.html

Ulrich