From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id 835F3138239 for ; Fri, 12 Oct 2018 01:59:54 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 900AEE0991; Fri, 12 Oct 2018 01:59:52 +0000 (UTC) Received: from mail-pl1-f194.google.com (mail-pl1-f194.google.com [209.85.214.194]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 4CD0FE0986 for ; Fri, 12 Oct 2018 01:59:52 +0000 (UTC) Received: by mail-pl1-f194.google.com with SMTP id q19-v6so2023963pll.5 for ; Thu, 11 Oct 2018 18:59:52 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:content-transfer-encoding; bh=rbkBNyJe0CXsB9PWIMwZG/n/06bJbr/urnkcVv8VVc4=; b=p6V/r2B5X3mLYHouYvw5i/RnrzGHF7Rx+t1KacuA7zWqu+twdBaAjVo5/sGuuxkYTR VxArB/WIcYieGKVxXsVjYlB0AoTNl2NMQpp38tflgsjrjQZBz+Ke4fwJEam2E+5dg9ZI CQwlA9/Nr3sEQl+Qzuv6Lv7YdGtSiCsN7nE1PXzshZK1aiNW9g3/k/q/QRIUS2LQlTSM xbWy9h7J7z9je2IPkfwCx1MhbYojJecpDFXaqoXRCsJ+9450JcLfp9s7RoK62kFkLmcs iCagfLjhWRrfcapt0v2sw0WFurHzx/vra/14jRB5ZkSk1S6vdjPIrVvoA7KIoWmK6eEe GYlQ== X-Gm-Message-State: ABuFfojbRw0llIyKJuLCA2V1ULZ2A/fFa0vx1kJ7auYXKVVc+Alm3Y7x wx8EuDatBTjWDHPdFWH5SZnOBCe8Olf6o652JMIxc+Z0 X-Google-Smtp-Source: ACcGV6262c4r7gwnY4n5orOtT9wgrqrXuHrquBfpkVdSznKjnxjV7J8ZRih72jnH/BsH23ABsIIeoyQzV+TZDYBHRuQ= X-Received: by 2002:a17:902:ceb:: with SMTP id 98-v6mr3956579plt.331.1539309590575; Thu, 11 Oct 2018 18:59:50 -0700 (PDT) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Project discussion list X-BeenThere: gentoo-project@lists.gentoo.org Reply-To: gentoo-project@lists.gentoo.org MIME-Version: 1.0 References: <20180930140524.015249f0@sf> <20181011153139.7700484dc6c452ed570df66a@gentoo.org> <20181012000936.39875e5f4224c1c009935adf@gentoo.org> <0e56babe-c5a8-0973-e194-7667ebdc671f@poindexter.ovh> In-Reply-To: <0e56babe-c5a8-0973-e194-7667ebdc671f@poindexter.ovh> From: Rich Freeman Date: Thu, 11 Oct 2018 21:59:38 -0400 Message-ID: Subject: Re: [gentoo-project] Call for agenda items - Council meeting 2018-10-14 To: gentoo-project Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Archives-Salt: 84a424ec-563e-4ea3-ac4c-61efa6b7db05 X-Archives-Hash: 697772c04ed9a345237df6381d46d9f2 On Thu, Oct 11, 2018 at 9:25 PM Sarah White wrote: > > assuming "commit authors are copyright holders" shouldn't be > trusted blindly (the git log doesn't "solve everything") > Sure, but neither can any other conceivable log, and anything that could be put in such a log could also be put in a commit annotation, which IMO will track it a heck of a lot better than a random text file. > > Does this mean "gentoo authors" will appear in court when > there's infringement? This is not a rhetorical question. > Simply being named in a copyright notice creates no particular obligation to appear in a court. If there is some kind of copyright lawsuit, then presumably those most associated with the code in question could be called as witnesses, assuming whoever is doing the suing can be bothered to track them down. Ultimately though if Gentoo gets sued by somebody, the burden of proof is actually on them to prove that THEY owned the copyright. Gentoo's burden would probably be to show that reasonable care was exercised over accepting code, and that infractions were dealt with in a reasonable manner when brought to our attention. Really though, that is about the best we can do anyway. If we want to suppose that somebody can make us do more than what is "reasonable" then we might as well give up on FOSS. > > This is a very useful notice, because if someone has a snapshot > tarball, or other non-git copy of particular source files, the > lack of a proper notice is a legal problem (see below) Just stick it in git. If somebody wants to know the history, they can look it up in git. If somebody wants to go redistributing snippets of the file, then complying with the law is their problem, not ours. > > - This ignores the purpose: copyright notices are to make > sure when someone gets "free code", they don't assume it's > free for any/all purposes with zero restrictions: > Our notices already make this clear, regardless of whose name is listed. > the infringer could say the copyright status (copyleft > uses copyright law for enforcement) wasn't apparent due > to the lack of a clearly formatted copyright notice... The required format of a copyright noticed under US law is explictly stated= : (b)Form of Notice.=E2=80=94If a notice appears on the copies, it shall cons= ist of the following three elements: (1)the symbol =C2=A9 (the letter C in a circle), or the word =E2=80=9CCopyr= ight=E2=80=9D, or the abbreviation =E2=80=9CCopr.=E2=80=9D; and (2)the year of first publication of the work; in the case of compilations, or derivative works incorporating previously published material, the year date of first publication of the compilation or derivative work is sufficient. The year date may be omitted where a pictorial, graphic, or sculptural work, with accompanying text matter, if any, is reproduced in or on greeting cards, postcards, stationery, jewelry, dolls, toys, or any useful articles; and (3)the name of the owner of copyright in the work, or an abbreviation by which the name can be recognized, or a generally known alternative designation of the owner. > ... so something generic like "gentoo authors" can be > difficult to enforce - I've not seen case law on this. Our copyright would be completely enforceable even if we had no notice at a= ll. However, if Gentoo sued somebody for infringement, then the defendant could attempt to claim that the infringement was innocent (ie they did not know the work was copyrighted). IMO that would be an uphill battle. If the court decides our notice complies, then they are required by law to not give any credence to such an argument. If they decide that it doesn't completely comply, then they would still weigh the argument, and how plausible is it that a court will buy that you didn't know it was copyrighted when Copyright 2018 Gentoo Authors is on the first line of the file? And none of this will ever matter at all unless Gentoo files a lawsuit. Right now we can't seem to file our taxes. How likely do we think it is that Gentoo will be filing a lawsuit as the plaintiff? The notice doesn't matter at all if somebody sues us. > > I believe licensing is the reason for GCO, not copyright > attribution. Language about committer, acked or signed-off, > and copyright holder VS licenses and GCO, all within the > same Sure, that is completely true. The GCO/DCO/etc has nothing to do with attribution. > GLEP (#76) adds a lot of confusion because copyright > is barely mentioned, and not in a clearly defined way. What is unclear about it? It used to be much more prescriptive. However, that was considered to be too inflexible, and other prominent projects (like Linux) don't seem to require this. The importance of a very specific notice also did not really seem to be sufficient to create controversies when contributors felt they could not comply with a very specific requirement. > Copyright should be treated as a separate issue from GCO. Well, both deal with copyright, but I agree that the notice is separate from the GCO, and they are in fact mentioned separately. > > Do "gentoo authors" file a lawsuit when there's infringement? You do not need to be listed in a copyright notice to file a lawsuit. You merely need to have authorship. > How does jurisdiction work when the only thing which can > be known for certain is: "someone claimed the commit they > wrote was FOSS/Libre & they signed-off with a GCO line" Ultimately anybody wanting to file a lawsuit has to prove the underlying facts. If you want to sue somebody for copyright infringement you have to demonstrate to the court that you wrote whatever you're suing over. If we were in the business of selling software and were more likely to be suing people regularly, then I'd certainly agree that a lot more rigor could be used to capture proof of ownership. This would presumably pay for itself as a cost of doing business. However, that isn't the kind of organization we are in. Mostly we just want to show reasonable care, and to be responsible in general. That helps keep us from getting sued. I'm skeptical that Gentoo would ever sue anybody. > Does this mean GCO sign-off lines obligate the contributors > to respond whenever FOSS/Libre legal issues come up? No. Your obligation to respond to a court is established in your local laws. In many places you can be called as a witness against your will if you have knowledge of a case, whether you sign anything or not. I don't think that is particularly likely to happen here, and it is especially unlikely outside of your local jurisdiction, and most courts do have rules to avoid placing unreasonable burdens on witnesses. IMO signing the DCO/GCO/etc probably reduces the likelihood of being called to testify simply because your testimony is already a matter of public record (well, maybe aside form some notarized statement affirming that you signed it). > If there was a FLA policy in place, and gentoo formally held > itself out to protect (as a fiduciary) any FOSS/Libre interests > of the contributors; gentoo needs to hold the copyright, and > more importantly: invest in policy and planning to legally > protect FOSS/Libre interests when any infringement occurs. Actually, the FLA as written by the FSFe explicitly does NOT assign copyrig= ht. > the protection should be proper: a real entity. changing > the language from foundation to authors and treating it > like it's still a copyright assignment is pointless > unless the simplified attribution still assigns the > copyright to the gentoo foundation hold copyright. The intent is not to require assignment of copyright. We were actually considering rolling out the FLA in parallel (voluntarily), but this was felt to be making the GLEP even more complex. > GLEP 76 shouldn't try to be an umbrella for multiple things. I guess we should consider that when we approve it. Oh wait, it is already approved. I guess when you author the next one you can take that into account. :) It isn't perfect. IMO it belongs together. However, others might disagree. It only took about half a decade to finish. I'm sure somebody willing to put enough time into it will surpass it. Then they can go on to real challenges like filing the Foundation's taxes. In any case, I'm not convinced that copyright notice is really worth THAT much fighting over. I wasn't a huge fan of "Gentoo Authors" either, but in the end I realized that notices are fairly overrated. I think that the GLEP accomplishes what it ought to on this front. Any requirement you add to it is just going to create another group of devs who feel they cannot comply with it. Heck, the current policy basically allows almost any notice that complies with US law and there is still some concern. --=20 Rich