On Tue, Apr 9, 2019 at 4:18 PM Gokturk Yuksek wrote:

> Hi,
>
> I'd like to voice my opinion on the matter as well. Full disclosure:
> NP-Hardass is my mentor and I also had a co-maintainer who has been
> distressed by the enforcement of the GLEP.
>
> Michał Górny:
> > On Wed, 2019-04-03 at 17:43 +0300, Andrew Savchenko wrote:
> >> Why? We have no way to verify that provided names are valid or that
> >> provided ID's are valid. At least in my jurisdiction such
> >> information collected can't be used for legal action or protection
> >> without following established government-assisted verification
> >> procedure. In other jurisdictions similar problems may and will
> >> arise.
> >
> > 'Perfect is the enemy of good'. Claiming that you can't be 100% sure
> > that someone's giving his real name doesn't imply that everyone is using
> > fake names. Or that it makes no sense to use them.
> >
>
> I understand that but it creates problems with the consistent
> enforcement of the policy. There are no clear guidelines as to how we
> decide who requires identity validation and who doesn't. We don't even
> know who is tasked with making the request and performing the
> validation. If I work with a user and I am convinced that they provide
> their real name, is that sufficient for the foundation? Can I
> arbitrarily be suspicious of any user and demand them to provide their
> identity?
>

So first a preface: I would prefer we accept a name until we have some reasonable suspicion that it is wrong. If someone submitted as "boaty mcboatface" it might immediately raise such a suspicion; but a contributor who contributed as "John Doe" might not. It's very subjective, yes, and we don't offer better guidelines. So to your first question, yes, it's sufficient. To your second question, you could, but I think that would be wrong and if I found out I'd probably talk to you about it and if it continued, I'd probably take some kind of remedial action.
The intent is to have a reasonable suspicion of fraud or wrongdoing, not to just do it willy-nilly. That being said I don't intend to forge a policy that is bullet-proof. If I cannot trust fellow project members to act well, they might as well just leave the project now. If project members are looking for "a list of rules to follow" my only rules are "don't be an ass" and if you are told you are being an ass, maybe listen and take that advice as opposed to objecting.

>
> >> Additional problem is personal data collection, it is
> >> restricted or heavily regulated in many countries. One can't just
> >> demand to show an ID via electronic means without following
> >> complicated data protection procedures which are likely to be
> >> incompatible between jurisdictions.
> >
> > Do you have any proof of that, or are you just basing your comments
> > on the common concept of misunderstanding GDPR and extending it to match
> > your private interest?
> >
>
> At the very least, insecure transportation and storage of legal
> documents has a potential to lead to identity theft, which makes it a
> legal liability in and of itself. I don't think we should be dismissive
> on this point.
>

I don't believe any policies require collecting personal data currently.

>
> >> So the real name requirement gives us no real protection from
> >> possible cases, but creates real and serious problems by kicking
> >> active developers and contributors from further contributions.
> >> NP-Hardass is not the only one.
> >
> > Do you have any proof of that? As far as I'm concerned, we're pretty
> > clear that NP-Hardass can't contribute to Gentoo, and that his previous
> > contributions shouldn't have been accepted in the first place (and why
> > Trustees agreed to them is another problem). Are you going to take
> > legal and financial responsibility if his employer claims copyright to
> > his contributions? And if you say yes, are you going to really take it
> > or go with the forementioned attitude that we can't legally force you
> > to?
> >
>
> I do disagree on this point. I believe the Foundation did take
> appropriate measures to reduce the legal liability when he was
> recruited. I think it should have been clearly explained how he has
> become a legal liability to the Foundation before his access was taken
> away from him.
>

The Foundation has always carried legal risk. Only recently have we (through the awesome work of ulm@ and others) had a policy to help mitigate it. These contributors have not 'suddenly become a legal risk' but instead the community (council and foundation combined) have adopted a more risk-averse stance by adopting GLEP-76 and that results in some contributors being unable to contribute. I'm not sure what else needs to be explained.

>
> You also bring up a more interesting point here. If I work with a user
> who has lied to me about their identity, and their employer decided to
> take it to court, who is liable? Am I at fault for having good faith or
> is it a neglect on the Foundation's side?
>

I'm not a lawyer, so I won't speculate on this specific instance. Having a policy where commits require a DCO and we take some measure to not accept contributions when we have knowledge that the DCO is wrong / invalid is clearly better than our previous policy (which was basically "accept all contributions.") Whether it is sufficient to prevent any specific legal suit, I couldn't tell you.

>
> >> I invited some gifted people with
> >> high quality out-of-tree work to become contributors or developers,
> >> but due to hostile attitude towards anonymous contributors they
> >> can't join. And people want to stay anonymous for good reasons,
> >> because they are engaged with privacy oriented development.
> >
> > This is a very vague statement that sounds like serious overstatement
> > with no proof, aimed purely to force emotional reaction to support your
> > proposal. If you really want to propose something meaningful, I'd
> > really appreciate if you used real evidence to support it rather than
> > vague claims.
> >
> >> We are losing real people, real contributions and real community.
> >> What for? For solving imaginary problems with inappropriate tools.
> >>
> >
> > Thank you for telling us that copyright is an imaginary problem.
> >
>
> I can't help but agree with the point that we are losing real
> contributors and real community. And people whom I talked to didn't
> oppose the Foundation's attempt to reduce legal liability. They were
> frustrated by the arbitrary enforcement and not having their opinions
> heard. The fact that people can get away with using a pseudonym as long
> as it reads like a normal person name (for which there is no definition)
> is something we have to address to the people who weren't as lucky with
> their choice of pseudonym and lost their ability to contribute.
>

If you want to make a point that Gentoo leadership is bad at making opposing feelings heard, well I'd probably agree with you (this thread is one such example.) If you want to make some kind of point that "having an opinion heard means we change the policy to suit that opinion" then I think we just disagree on that point. Don't make it out like we made the decision without thinking of anonymous / pseudonymous contributors; numerous discussions were had about them and we could not find a way to include them in the policy. That doesn't mean we didn't hear their thoughts and objections though.

-A

>
> --
> gokturk
>