[gentoo-project] Poll: Would you sign a Contributer License Agreement?

[gentoo-project] Poll: Would you sign a Contributer License Agreement?

[Ulrich Mueller]

[-- Attachment #1: Type: text/plain, Size: 1972 bytes --]

A while back I requested information on past copyright assignments [1].
Since then, we have located some 30 of the assignment forms, signed by
developers (most of them retired by now) in 2004.

Here is the second part of the exercise. The current draft of the new
Gentoo copyright policy [2] arranges for two procedures:

1. Certifying agreement to a "Gentoo Developer's Certificate of Origin"
   by including a "Signed-off-by" line with every commit. This would
   be virtually identical to the procedure used for the Linux kernel,
   and would be mandatory. A draft of the Gentoo DCO can be seen at [3].

2. In addition, according to the current policy draft, developers would
   be encouraged to sign a "Gentoo Contributor License Agreement (CLA)".
   Its current draft version is at [4]. However, this would be
   completely voluntary and *not* be required. The exact workflow
   hasn't been drafted yet, but PGP signing of the form would be one
   possibility. (Also note that the form includes fields for real name
   and postal address.)

The goals of the second item is to "make compliance with this policy
easier (fewer copyright holders to list), and allow the Foundation to
enforce copyrights and re-license content if appropriate" [2].
Apparently, we will only be able to achieve these goals if a
significant fraction of contributors will sign the CLA.

So, before I pursue more work on the CLA I would like to ask all
developers and contributors:

- Would you sign a "Gentoo Contributor License Agreement", similar to
  the current draft in [4]?

Please reply to me personally; I shall post a summary to the
gentoo-project mailing list in one week from now.

Thank you in advance,
Ulrich

[1] https://archives.gentoo.org/gentoo-project/message/4958621b17b00eac7aaca1c8737b8b57
[2] https://dev.gentoo.org/~ulm/glep-copyrightpolicy.html
[3] https://dev.gentoo.org/~ulm/glep-copyrightpolicy.html#certificate-of-origin
[4] https://dev.gentoo.org/~ulm/cla/cla.pdf

[-- Attachment #2: Type: application/pgp-signature, Size: 490 bytes --]

Re: [gentoo-project] Poll: Would you sign a Contributer License Agreement?

[Robin H. Johnson]

[-- Attachment #1: Type: text/plain, Size: 1079 bytes --]

On Wed, May 30, 2018 at 04:36:09PM +0200, Ulrich Mueller wrote:
> Here is the second part of the exercise. The current draft of the new
> Gentoo copyright policy [2] arranges for two procedures:
...
> 2. In addition, according to the current policy draft, developers would
>    be encouraged to sign a "Gentoo Contributor License Agreement (CLA)".
>    Its current draft version is at [4]. However, this would be
>    completely voluntary and *not* be required. The exact workflow
>    hasn't been drafted yet, but PGP signing of the form would be one
>    possibility. (Also note that the form includes fields for real name
>    and postal address.)
I have a nit question:
Can we please call the agreement "FLA" instead of "CLA", since it is
derived from FSFE's FLA-2.0, and is still a FLA at it's heart, rather
than a USian-centric CLA?

-- 
Robin Hugh Johnson
Gentoo Linux: Dev, Infra Lead, Foundation Treasurer
E-Mail   : robbat2@gentoo.org
GnuPG FP : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85
GnuPG FP : 7D0B3CEB E9B85B1F 825BCECF EE05E6F6 A48F6136

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 1113 bytes --]

Re: [gentoo-project] Poll: Would you sign a Contributer License Agreement?

[Rich Freeman]

On Wed, May 30, 2018 at 1:45 PM Robin H. Johnson <robbat2@gentoo.org> wrote:

> I have a nit question:
> Can we please call the agreement "FLA" instead of "CLA", since it is
> derived from FSFE's FLA-2.0, and is still a FLA at it's heart, rather
> than a USian-centric CLA?


As a USian, I second the motion.  I think the FLA is a copyleft approach to
CLA-like documents and I'd prefer that anybody who is adverse to CLAs in
general take a moment to understand what the FLA does before rushing to
judgment.

I believe this one was created using the FSFe's recommended attributes,
which are very GPL-like at heart.  It grounds the Foundation power to do
the sorts of things we'd probably want them to be able to do, while
restricting their ability to do the sorts of things they probably shouldn't
be able to do.  This extends to anybody who might seize control of the
Foundation legally (such as via a lawsuit/judgment), and as a result it
gives nefarious people less of an incentive to attempt to do so.

But, the above is subjective.  Go read the document or the FSFe's
descriptions of the FLA to understand what it does.  It is more than just a
"copyright assignment for Germany."

-- 
Rich

[gentoo-project] Re: [gentoo-dev-announce] Poll: Would you sign a Contributer License Agreement?

[Ulrich Mueller]

[-- Attachment #1: Type: text/plain, Size: 3861 bytes --]

>>>>> On Wed, 30 May 2018, Greg KH wrote:

> Please please please do not "fork" the DCO.  It was specifically
> designed so that any project can use it, as-is, with no changes
> needed.

We simply cannot. We have files in the Gentoo repository that are not
under a free software license, and for these we need an extra clause.
Otherwise we would have to specify in the policy that certain commits
are excepted from the requirement of a Signed-off-by line, and IMHO
that would be a much worse solution.

Addition of the extra clause for licenses and similar files resulted
from a long discussion on 2018-01-25 in the #gentoo-council channel,
which included three council members and a trustee.

> Yes, some foolish projects have gone off and rewritten it, but that
> was crazy, and they now wish they did not, as it requires corporate
> lawyers to manually have to go review the "new" document to ensure
> that it really is doing what it thinks it is doing.

> Again, please just use the DCO.  It's at it's own web site, and is
> good to be used that way:
> 	https://developercertificate.org/

> Also, note, that if you do decide to copy it, I personally am going
> to get upset as it is a blatent copyright violation.  So there is
> that issue...

How is it a copyright violation? We create a modified version of
a document that was released under a Creative Commons Attribution-
ShareAlike 2.5 License. Distribution of modified versions is allowed
under this license, and I believe that we include proper attribution.
Also section 4b of CC-BY-SA-2.5 explicitly allows distribution of a
modified work under CC-BY-SA-3.0.

> Hint doing a s/open/free/ on the original text does not mean that
> you suddenly have created a brand new document with no requirement
> to abide by the original document's copyright.  I see you claim that
> it was published in 2005 with a CC-BY-SA-2.5 License?  Do you have
> any reference for that, I know I spent a lot of time working on this
> in the past and I do not remember that...

https://web.archive.org/web/20060524185355/http://www.osdlab.org/newsroom/press_releases/2004/2004_05_24_dco.html

Specifically, its full copyright notice reads:

| © 2005 Open Source Development Labs, Inc. The Developer's
| Certificate of Origin 1.1 is licensed under a Creative Commons
| Attribution-ShareAlike 2.5 License. If you modify you must use a
| name or title distinguishable from "Developer's Certificate of
| Origin" or "DCO" or any confusingly similar name.

Notice the sentence "if you modify ..." which clearly confirms that
modifications are allowed. (If you think that "Gentoo Developer's
Certificate of Origin" isn't a name sufficiently different from the
original, we're certainly open to suggestions.)

> Again, just use the DCO, please.

See above, the simple reason is that we need an exception for license
files.

Then again, Linux might profit from such a clause too. See for example
the following commit:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/LICENSES/preferred/GPL-2.0?id=255247c2770ada6edace04173b35307869b47d99

The commit message carries two Signed-off-by lines (and a Reviewed-by
by yourself). But let's look what the document says about its license:

+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.

Clearly, this isn't an open source license, because it doesn't allow
modifications. So I wonder how the committer could certify agreement
to the DCO 1.1 there?

> No, I personally will not sign any CLAs, sorry.

This is interesting, since you had previously signed the copyright
assignment form to Gentoo Technologies, Inc. (To be precise, you PGP
signed it and sent it to recruiters@gentoo.org on 2004-03-08.)

Ulrich

[-- Attachment #2: Type: application/pgp-signature, Size: 490 bytes --]

Re: [gentoo-project] Poll: Would you sign a Contributer License Agreement?

[Ulrich Mueller]

[-- Attachment #1: Type: text/plain, Size: 1872 bytes --]

>>>>> On Wed, 30 May 2018, Rich Freeman wrote:

> On Wed, May 30, 2018 at 1:45 PM Robin H. Johnson <robbat2@gentoo.org> wrote:
>> I have a nit question:
>> Can we please call the agreement "FLA" instead of "CLA", since it
>> is derived from FSFE's FLA-2.0, and is still a FLA at it's heart,
>> rather than a USian-centric CLA?

> As a USian, I second the motion.  I think the FLA is a copyleft
> approach to CLA-like documents and I'd prefer that anybody who is
> adverse to CLAs in general take a moment to understand what the FLA
> does before rushing to judgment.

We have been asked by the FSFE not to call it FLA if we modify it.
And although I don't like this proliferation of versions, neither for
the DCO nor for the FLA, we don't have a choice here:

FLA-2.0 [1] says in section 4 (my emphasis):

| We agree to (sub)license the Contribution or any Materials
| containing, based on or derived from your Contribution under the
| terms of any licenses the Free Software Foundation classifies as
| free licenses *and* which are approved by the Open Source Initiative
| as Open Source licenses.

So it requires that we distribute any contribution only under a
license approved by both the FSF and the OSI. However, the OSI's list
of approved licenses [2] doesn't include any of the Creative Commons
licenses, which would prevent us from using CC-BY-SA-3.0 for our
documentation.

Therefore the "and" is changed to an "or", which is also the most
significant change in the Gentoo version. The other two changes are
that we have removed the reference to an "entity version" which
doesn't exist, and that we call our product simply "Gentoo Linux"
instead of "Gentoo Foundation's Gentoo Linux" (the latter being the
term that results from the FSFE's FLA generator).

Ulrich

[1] https://dev.gentoo.org/~ulm/cla/fla-2.0.pdf
[2] https://opensource.org/licenses/alphabetical

[-- Attachment #2: Type: application/pgp-signature, Size: 490 bytes --]

Re: [gentoo-project] Re: [gentoo-dev-announce] Poll: Would you sign a Contributer License Agreement?

[Rich Freeman]

On Wed, May 30, 2018 at 5:44 PM Ulrich Mueller <ulm@gentoo.org> wrote:
>
> This is interesting, since you had previously signed the copyright
> assignment form to Gentoo Technologies, Inc. (To be precise, you PGP
> signed it and sent it to recruiters@gentoo.org on 2004-03-08.)
>

Given that the intent is for the FLA/CLA/whateverLA to be completely
optional, I don't think it makes sense to challenge people if they say
they don't intend to sign it.  Contributors are welcome to sign it, or
not, and while I think we should explain why it would be a nice thing
if they could, if they can't or won't that is just fine too and that
is all there is to it.

I'll let Greg speak for himself (if he wishes to), but in a past
thread on this topic he commented that some may not be able to sign
due to employment obligations.  This was one of the reasons we decided
to go towards making it optional (back when this was first being
discussed).

While I also ended up having a few disagreements with him in that
thread I will acknowledge that Greg is considered a bit of an expert
in this space (not that he needs endorsement from me).  As we
discussed in IRC I support the changes that were made in this case,
however.

-- 
Rich

Re: [gentoo-project] Re: [gentoo-dev-announce] Poll: Would you sign a Contributer License Agreement?

[Ulrich Mueller]

[-- Attachment #1: Type: text/plain, Size: 952 bytes --]

>>>>> On Wed, 30 May 2018, Rich Freeman wrote:

> On Wed, May 30, 2018 at 5:44 PM Ulrich Mueller <ulm@gentoo.org> wrote:
>> This is interesting, since you had previously signed the copyright
>> assignment form to Gentoo Technologies, Inc.

> Given that the intent is for the FLA/CLA/whateverLA to be completely
> optional, I don't think it makes sense to challenge people if they say
> they don't intend to sign it.  Contributors are welcome to sign it, or
> not, and while I think we should explain why it would be a nice thing
> if they could, if they can't or won't that is just fine too and that
> is all there is to it.

I haven't intended any challenge there, and sorry if it came across
like this. Of course, signing the *LA will be optional, and will in no
way be connected to signing or not signing of any previous form.

(Still, I find the fact interesting when the statement is as absolute
as "I personally will not sign any CLAs".)

Ulrich

[-- Attachment #2: Type: application/pgp-signature, Size: 490 bytes --]

Re: [gentoo-project] Poll: Would you sign a Contributer License Agreement?

[kuzetsa]

[-- Attachment #1.1: Type: text/plain, Size: 1455 bytes --]

On 05/30/2018 01:45 PM, Robin H. Johnson wrote:

> I have a nit question:
> Can we please call the agreement "FLA" instead of "CLA", since it is
> derived from FSFE's FLA-2.0, and is still a FLA at it's heart, rather
> than a USian-centric CLA?
> 

^ That's not a 'nit question, it's a big deal!!!

After researching the FSFE-style "FLA", it's important:

https://fsfe.org/activities/ftf/fla.en.html (FAQ of sorts)

Q) What if trustee misuses the rights I gave to them, e.g.
by re-licensing Free Software as a proprietary one?

A) FLA offers a special clause for this kind of situation
to protect the Free Software project against potentially
malicious intentions of Trustee. According to this
provision, if Trustee acts against the principles of Free
Software, all granted rights and licences return to their
original owners. That means Trustee will be effectively
prevented from continuing any activity which is contrary
to principles of Free Software.

~(end quote of FAQ, etc)~

That is to say: in the past, I've refused to contribute
when asked for a generic copyright assignment, especially
when more "permissive" (not as libre / free) licenses were
already causing me to heistate.

If it's a generic "assign all copyrights", then no.
I would not sign a copyright assignment which doesn't
look after my intent to work on libre / free-type works.

yes please. do it as FLA if possible. ::thumbs up::

--kuza


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

[gentoo-project] Re: [gentoo-dev-announce] Poll: Would you sign a Contributer License Agreement?

[Ulrich Mueller]

[-- Attachment #1: Type: text/plain, Size: 5475 bytes --]

>>>>> On Thu, 31 May 2018, Greg KH wrote:

>> We simply cannot. We have files in the Gentoo repository that are not
>> under a free software license, and for these we need an extra clause.

> Your "extra clause" is pretty odd.  You took out the c) clause of the
> original DCO for some unknown reason as well, which is going to cause
> you big problems.

No, previous clause (c) has been moved to (d).

And previous clause (d) is a separate paragraph below the list,
because the logical structure of it made no sense before. In the
original DCO, "I certify that" refers to items (a) to (c) only,
but (d) is separate from it. (So while at it, we have fixed this as
well, in order to make the structure consistent with the meaning.)

> Was this vetted by a lawyer? Again, this is going to cause companies
> to have to spend lots of time and money to be able to get anyone to
> use this, do not change things lightly.

Huh? The wording is quite simple, and it won't take anybody with even
half a brain more than 2 minutes to figure it out.

> [...]

> Are you _sure_ you need this change?

Pretty sure, yes. The alternative would be to have exceptions to the
S-o-b policy, and it would be a nightmare to verify that.

>> How is it a copyright violation? We create a modified version of
>> a document that was released under a Creative Commons Attribution-
>> ShareAlike 2.5 License. Distribution of modified versions is
>> allowed under this license, and I believe that we include proper
>> attribution. Also section 4b of CC-BY-SA-2.5 explicitly allows
>> distribution of a modified work under CC-BY-SA-3.0.

> Fair enough, but please be sure to run the fact that you are
> changing something is obviously copyrighted by someone else with a
> declaration that it can not be changed, by relying on the wayback
> machine to make that change past a copyright lawyer.  There is a
> reason that the DCO is not under such a license anymore, as this
> "respin" proves it :)

"The CC licenses are irrevocable. This means that once you receive
material under a CC license, you will always have the right to use it
under those license terms, even if the licensor changes his or her
mind and stops distributing under the CC license terms."
https://creativecommons.org/faq/

Plus, if the DCO would be under a non-free license, then by its own
terms we won't be able to commit it to our documentation. :) And in
fact, also our Social Contract requires our documentation to be under
a free license.

>> > Again, just use the DCO, please.
>> 
>> See above, the simple reason is that we need an exception for license
>> files.
>> 
>> Then again, Linux might profit from such a clause too. See for example
>> the following commit:
>> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/LICENSES/preferred/GPL-2.0?id=255247c2770ada6edace04173b35307869b47d99
>> 
>> The commit message carries two Signed-off-by lines (and a Reviewed-by
>> by yourself). But let's look what the document says about its license:
>> 
>> + Everyone is permitted to copy and distribute verbatim copies
>> + of this license document, but changing it is not allowed.
>> 
>> Clearly, this isn't an open source license, because it doesn't allow
>> modifications. So I wonder how the committer could certify agreement
>> to the DCO 1.1 there?

> Section b) should cover this nicely.

Section (b) says "covered under an appropriate free software license",
and this condition is obviously not fulfilled.

> If your lawyers somehow feel it does not, I will be glad to consult
> with the LF lawyers about this and have them discuss the matter.

> Also note that I really doubt that the fact that you can include
> verbatim copies of a license in a repo is going to make anyone upset
> at all, unless you modify that license text.  So you might all be
> worried about nothing "real" at all here.  License files are not
> code, just like documentation is not code, and almost all open
> source licenses do not cover either of them well, if at all.

I agree to all of this, but it is not the question at hand.
The question is if a developer can certify a commit of an immutable
license file, and I don't see how he could certify it with the
original DCO, which unconditionally requires an open source license.

Also we want people to actually think about what they certify. IANAL,
but wouldn't it weaken one's legal position if someone found commits
of non-open-source material certified by the original DCO (which
requires open source)? Might it not even be taken as a sign that
developers add these Signed-off-by lines carelessly?

> As an armchair thought experiment of this, how would the overall
> license of a GNU project's tarball release such as bash, which is
> GPLv3, cover the license file of the GPLv3 text that is included in
> the tarball?

GNU projects usually have a license notice in every file. For bash it
is GPL-3+ for most of the files, but some (like README or NEWS) are
distributed under more relaxed terms, and COPYING allows only its
verbatim distribution. So no, GPL-3 doesn't cover its own license
text.

> Would the inclusion of a file in the tarball that is obviously not
> under a free software license cause that project's license to
> somehow not be "free software"?

> It's a fun rabit hole to go down, but one that I think you will have
> to do on your own :)

Other distros are aware of the problem, too:
https://lists.debian.org/debian-legal/2018/04/msg00006.html

Ulrich

[-- Attachment #2: Type: application/pgp-signature, Size: 490 bytes --]

[gentoo-project] Re: [gentoo-dev-announce] Poll: Would you sign a Contributer License Agreement?

[Ulrich Mueller]

[-- Attachment #1: Type: text/plain, Size: 209 bytes --]

Hi Greg,

Someone just pointed out that for some reason your messages haven't
made it to the gentoo-project list (maybe you're not subscribed?).

Ulrich (hoping that he hasn't snipped too much of the context)

[-- Attachment #2: Type: application/pgp-signature, Size: 490 bytes --]

[gentoo-project] Re: [gentoo-dev-announce] Poll: Would you sign a Contributer License Agreement?

[Ulrich Mueller]

[-- Attachment #1: Type: text/plain, Size: 9373 bytes --]

>>>>> On Thu, 31 May 2018, Ulrich Mueller wrote:

> (hoping that he hasn't snipped too much of the context)

Presumably I have. So find Greg's two messages below, in full (which
had gentoo-project in CC).

Ulrich


>>>>> On Wed, 30 May 2018, Greg KH wrote:

> On Wed, May 30, 2018 at 04:36:09PM +0200, Ulrich Mueller wrote:
>> A while back I requested information on past copyright assignments [1].
>> Since then, we have located some 30 of the assignment forms, signed by
>> developers (most of them retired by now) in 2004.
>> 
>> Here is the second part of the exercise. The current draft of the new
>> Gentoo copyright policy [2] arranges for two procedures:
>> 
>> 1. Certifying agreement to a "Gentoo Developer's Certificate of Origin"
>> by including a "Signed-off-by" line with every commit. This would
>> be virtually identical to the procedure used for the Linux kernel,
>> and would be mandatory. A draft of the Gentoo DCO can be seen at [3].

> Please please please do not "fork" the DCO.  It was specifically
> designed so that any project can use it, as-is, with no changes needed.
> Yes, some foolish projects have gone off and rewritten it, but that was
> crazy, and they now wish they did not, as it requires corporate lawyers
> to manually have to go review the "new" document to ensure that it
> really is doing what it thinks it is doing.

> Again, please just use the DCO.  It's at it's own web site, and is good
> to be used that way:
> 	https://developercertificate.org/

> Also, note, that if you do decide to copy it, I personally am going to
> get upset as it is a blatent copyright violation.  So there is that
> issue...
> Hint doing a s/open/free/ on the original text  does not mean that you
> suddenly have created a brand new document with no requirement to abide
> by the original document's copyright.  I see you claim that it was
> published in 2005 with a CC-BY-SA-2.5 License?  Do you have any
> reference for that, I know I spent a lot of time working on this in the
> past and I do not remember that...

> Again, just use the DCO, please.

>> 2. In addition, according to the current policy draft, developers would
>> be encouraged to sign a "Gentoo Contributor License Agreement (CLA)".
>> Its current draft version is at [4]. However, this would be
>> completely voluntary and *not* be required. The exact workflow
>> hasn't been drafted yet, but PGP signing of the form would be one
>> possibility. (Also note that the form includes fields for real name
>> and postal address.)
>> 
>> The goals of the second item is to "make compliance with this policy
>> easier (fewer copyright holders to list), and allow the Foundation to
>> enforce copyrights and re-license content if appropriate" [2].
>> Apparently, we will only be able to achieve these goals if a
>> significant fraction of contributors will sign the CLA.
>> 
>> So, before I pursue more work on the CLA I would like to ask all
>> developers and contributors:
>> 
>> - Would you sign a "Gentoo Contributor License Agreement", similar to
>> the current draft in [4]?

> No, I personally will not sign any CLAs, sorry.

> Sent publically as the DCO thing should be discussed in public.

> thanks,

> greg k-h


>>>>> On Thu, 31 May 2018, Greg KH wrote:

> On Wed, May 30, 2018 at 11:44:34PM +0200, Ulrich Mueller wrote:
>> >>>>> On Wed, 30 May 2018, Greg KH wrote:
>> 
>> > Please please please do not "fork" the DCO.  It was specifically
>> > designed so that any project can use it, as-is, with no changes
>> > needed.
>> 
>> We simply cannot. We have files in the Gentoo repository that are not
>> under a free software license, and for these we need an extra clause.

> Your "extra clause" is pretty odd.  You took out the c) clause of the
> original DCO for some unknown reason as well, which is going to cause
> you big problems.

> Was this vetted by a lawyer?  Again, this is going to cause companies
> to have to spend lots of time and money to be able to get anyone to use
> this, do not change things lightly.

>> Otherwise we would have to specify in the policy that certain commits
>> are excepted from the requirement of a Signed-off-by line, and IMHO
>> that would be a much worse solution.
>> 
>> Addition of the extra clause for licenses and similar files resulted
>> from a long discussion on 2018-01-25 in the #gentoo-council channel,
>> which included three council members and a trustee.

> No license lawyers?

> Are you _sure_ you need this change?

>> > Yes, some foolish projects have gone off and rewritten it, but that
>> > was crazy, and they now wish they did not, as it requires corporate
>> > lawyers to manually have to go review the "new" document to ensure
>> > that it really is doing what it thinks it is doing.
>> 
>> > Again, please just use the DCO.  It's at it's own web site, and is
>> > good to be used that way:
>> > 	https://developercertificate.org/
>> 
>> > Also, note, that if you do decide to copy it, I personally am going
>> > to get upset as it is a blatent copyright violation.  So there is
>> > that issue...
>> 
>> How is it a copyright violation? We create a modified version of
>> a document that was released under a Creative Commons Attribution-
>> ShareAlike 2.5 License. Distribution of modified versions is allowed
>> under this license, and I believe that we include proper attribution.
>> Also section 4b of CC-BY-SA-2.5 explicitly allows distribution of a
>> modified work under CC-BY-SA-3.0.

> Fair enough, but please be sure to run the fact that you are changing
> something is obviously copyrighted by someone else with a declaration
> that it can not be changed, by relying on the wayback machine to make
> that change past a copyright lawyer.  There is a reason that the DCO is
> not under such a license anymore, as this "respin" proves it :)

>> > Again, just use the DCO, please.
>> 
>> See above, the simple reason is that we need an exception for license
>> files.
>> 
>> Then again, Linux might profit from such a clause too. See for example
>> the following commit:
>> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/LICENSES/preferred/GPL-2.0?id=255247c2770ada6edace04173b35307869b47d99
>> 
>> The commit message carries two Signed-off-by lines (and a Reviewed-by
>> by yourself). But let's look what the document says about its license:
>> 
>> + Everyone is permitted to copy and distribute verbatim copies
>> + of this license document, but changing it is not allowed.
>> 
>> Clearly, this isn't an open source license, because it doesn't allow
>> modifications. So I wonder how the committer could certify agreement
>> to the DCO 1.1 there?

> Section b) should cover this nicely.  If your lawyers somehow feel it
> does not, I will be glad to consult with the LF lawyers about this and
> have them discuss the matter.

> Also note that I really doubt that the fact that you can include
> verbatim copies of a license in a repo is going to make anyone upset at
> all, unless you modify that license text.  So you might all be worried
> about nothing "real" at all here.  License files are not code, just like
> documentation is not code, and almost all open source licenses do not
> cover either of them well, if at all.

> As an armchair thought experiment of this, how would the overall license
> of a GNU project's tarball release such as bash, which is GPLv3, cover
> the license file of the GPLv3 text that is included in the tarball?
> Would the inclusion of a file in the tarball that is obviously not under
> a free software license cause that project's license to somehow not be
> "free software"?

> It's a fun rabit hole to go down, but one that I think you will have to
> do on your own :)

>> > No, I personally will not sign any CLAs, sorry.
>> 
>> This is interesting, since you had previously signed the copyright
>> assignment form to Gentoo Technologies, Inc. (To be precise, you PGP
>> signed it and sent it to recruiters@gentoo.org on 2004-03-08.)

> That was because I was forced to do so in order to become a Gentoo
> developer at the time, and my employer at the time also insisted on it,
> as they were the owners of all of the work that I did on Gentoo, not me.
> I had no say in the matter at all, just like almost all other people
> employed in the US due to the standard employment contract used.  So to
> be clear, that was not _me_ giving up any copyrights, it was my
> employer.

> My position has changed on how best to handle copyrights in the 14 years
> since then, and I currently am employed by someone who allows me to keep
> my personal copyright (while also giving them a copy) so I guess I
> should figure out how to somehow retroactively not-sign it :)

> Any hints as to how to do that?

> Anyway, my strongest suggestion as to why not to change to use your
> custom license is the fact that you will now require all Gentoo
> developers who work for companies that allow their employers to
> contribute to Gentoo, to now have to have their lawyers read over this
> new license and come to an understanding of it before those people are
> allowed to contribute.  That's a huge waste of time and money and will
> make those companies, and developers, grumpy.

> And if developers ignore the fact that they should have run this change
> by their employers, that could get them into big trouble later on.

> thanks,

> greg k-h

[-- Attachment #2: Type: application/pgp-signature, Size: 490 bytes --]

Re: [gentoo-project] Poll: Would you sign a Contributer License Agreement?

[Ulrich Mueller]

[-- Attachment #1: Type: text/plain, Size: 1952 bytes --]

>>>>> On Thu, 31 May 2018, kuzetsa  wrote:

> On 05/30/2018 01:45 PM, Robin H. Johnson wrote:
>> I have a nit question:
>> Can we please call the agreement "FLA" instead of "CLA", since it is
>> derived from FSFE's FLA-2.0, and is still a FLA at it's heart, rather
>> than a USian-centric CLA?

> ^ That's not a 'nit question, it's a big deal!!!

> After researching the FSFE-style "FLA", it's important:

> https://fsfe.org/activities/ftf/fla.en.html (FAQ of sorts)

> Q) What if trustee misuses the rights I gave to them, e.g.
> by re-licensing Free Software as a proprietary one?

> A) FLA offers a special clause for this kind of situation
> to protect the Free Software project against potentially
> malicious intentions of Trustee. According to this
> provision, if Trustee acts against the principles of Free
> Software, all granted rights and licences return to their
> original owners. That means Trustee will be effectively
> prevented from continuing any activity which is contrary
> to principles of Free Software.

> ~(end quote of FAQ, etc)~

> That is to say: in the past, I've refused to contribute
> when asked for a generic copyright assignment, especially
> when more "permissive" (not as libre / free) licenses were
> already causing me to heistate.

> If it's a generic "assign all copyrights", then no.
> I would not sign a copyright assignment which doesn't
> look after my intent to work on libre / free-type works.

> yes please. do it as FLA if possible. ::thumbs up::

As I said before, the FSFE has asked us not to name it FLA even with
our relatively small changes applied. That's why its title is "Gentoo
Contributor License Agreement". Otherwise, it is derived from FLA-2.0
and (IMHO) preserves all its main features.

If you still think it should better be named FLA, feel free to take it
up with the FSFE legal team (legal@lists.fsfe.org). I don't feel like
going through more hassle just because of the title.

Ulrich

[-- Attachment #2: Type: application/pgp-signature, Size: 490 bytes --]

Re: [gentoo-project] Re: [gentoo-dev-announce] Poll: Would you sign a Contributer License Agreement?

[Jonas Stein]

[-- Attachment #1.1: Type: text/plain, Size: 1002 bytes --]

On 2018-05-30 23:44, Ulrich Mueller wrote:
>>>>>> On Wed, 30 May 2018, Greg KH wrote:
> 
>> Please please please do not "fork" the DCO.  It was specifically
>> designed so that any project can use it, as-is, with no changes
>> needed.
> 
> We simply cannot. We have files in the Gentoo repository that are not
> under a free software license, and for these we need an extra clause.
> Otherwise we would have to specify in the policy that certain commits
> are excepted from the requirement of a Signed-off-by line, and IMHO
> that would be a much worse solution.

That is a good point.
Which files do not have a free software license in the tree?
Are these just some patches or files in the "files" folder of the
packages or is there something else?

Are we allowed to use the free github repository for non free files?

We could upload the non free files to a different space and exclude
these from the repository, like we do it for large patches already.

-- 
Best,
Jonas


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 981 bytes --]

Re: [gentoo-project] Re: [gentoo-dev-announce] Poll: Would you sign a Contributer License Agreement?

[Kristian Fiskerstrand]

[-- Attachment #1.1: Type: text/plain, Size: 701 bytes --]

On 06/01/2018 12:24 AM, Jonas Stein wrote:
>> We simply cannot. We have files in the Gentoo repository that are not
>> under a free software license, and for these we need an extra clause.
>> Otherwise we would have to specify in the policy that certain commits
>> are excepted from the requirement of a Signed-off-by line, and IMHO
>> that would be a much worse solution.
> That is a good point.
> Which files do not have a free software license in the tree?

The best example is likely most license files themselves that are not
malleable.

-- 
Kristian Fiskerstrand
OpenPGP keyblock reachable at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 488 bytes --]

Re: [gentoo-project] Re: [gentoo-dev-announce] Poll: Would you sign a Contributer License Agreement?

[Raymond Jennings]

I refuse to sign anything.

If the GPL works as intended, then anyone using my work would
themselves be making a derived work of their own for which they
themselves could enforce the GPL.


On Thu, May 31, 2018 at 3:27 PM, Kristian Fiskerstrand <k_f@gentoo.org> wrote:
> On 06/01/2018 12:24 AM, Jonas Stein wrote:
>>> We simply cannot. We have files in the Gentoo repository that are not
>>> under a free software license, and for these we need an extra clause.
>>> Otherwise we would have to specify in the policy that certain commits
>>> are excepted from the requirement of a Signed-off-by line, and IMHO
>>> that would be a much worse solution.
>> That is a good point.
>> Which files do not have a free software license in the tree?
>
> The best example is likely most license files themselves that are not
> malleable.
>
> --
> Kristian Fiskerstrand
> OpenPGP keyblock reachable at hkp://pool.sks-keyservers.net
> fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
>

Re: [gentoo-project] Re: [gentoo-dev-announce] Poll: Would you sign a Contributer License Agreement?

[Ulrich Mueller]

[-- Attachment #1: Type: text/plain, Size: 1636 bytes --]

>>>>> On Fri, 1 Jun 2018, Jonas Stein wrote:

> On 2018-05-30 23:44, Ulrich Mueller wrote:
>> We simply cannot. We have files in the Gentoo repository that are not
>> under a free software license, and for these we need an extra clause.
>> Otherwise we would have to specify in the policy that certain commits
>> are excepted from the requirement of a Signed-off-by line, and IMHO
>> that would be a much worse solution.

> That is a good point.
> Which files do not have a free software license in the tree?
> Are these just some patches or files in the "files" folder of the
> packages or is there something else?

The main concern are license files which are not modifiable. These are
located either in the licenses dir of the Gentoo repository, but it
also applies to COPYING (i.e., GPL) files in any project repositories.

With the new policy in force, non-free third party patches would have
to be excluded from the Gentoo repository in any case, and would e.g.
be packed into a tarball and placed on distfile mirrors. (Last time I
checked, there were only few non-free patches around, though. It is
rare for software to be patchable and distributable, while at the same
time having a non-free license.)

> Are we allowed to use the free github repository for non free files?

If the policy would force us to resort to such tricks, then something
would be wrong with that policy. It is supposed to apply to all
repositories of Gentoo projects, regardless of where they are hosted.

> We could upload the non free files to a different space and exclude
> these from the repository, like we do it for large patches already.

Ulrich

[-- Attachment #2: Type: application/pgp-signature, Size: 490 bytes --]

Re: [gentoo-project] Re: [gentoo-dev-announce] Poll: Would you sign a Contributer License Agreement?

[R0b0t1]

On Thu, May 31, 2018 at 6:52 PM, Raymond Jennings <shentino@gmail.com> wrote:
> I refuse to sign anything.
>
> If the GPL works as intended, then anyone using my work would
> themselves be making a derived work of their own for which they
> themselves could enforce the GPL.
>

It is for this reason I never understood the point of contributor
agreements for open source projects. Even the FSF's justification, so
that they may pursue GPL violations without requiring you present,
seems to fall apart as various Linux kernel contributors have gone
after companies on their own for profit without the consent of Mr.
Torvalds, the other contributors, or the Linux Foundation.

Cheers,
     R0b0t1

>
> On Thu, May 31, 2018 at 3:27 PM, Kristian Fiskerstrand <k_f@gentoo.org> wrote:
>> On 06/01/2018 12:24 AM, Jonas Stein wrote:
>>>> We simply cannot. We have files in the Gentoo repository that are not
>>>> under a free software license, and for these we need an extra clause.
>>>> Otherwise we would have to specify in the policy that certain commits
>>>> are excepted from the requirement of a Signed-off-by line, and IMHO
>>>> that would be a much worse solution.
>>> That is a good point.
>>> Which files do not have a free software license in the tree?
>>
>> The best example is likely most license files themselves that are not
>> malleable.
>>
>> --
>> Kristian Fiskerstrand
>> OpenPGP keyblock reachable at hkp://pool.sks-keyservers.net
>> fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
>>
>

Re: [gentoo-project] Re: [gentoo-dev-announce] Poll: Would you sign a Contributer License Agreement?

[Rich Freeman]

On Thu, May 31, 2018 at 9:55 PM R0b0t1 <r030t1@gmail.com> wrote:
>
> On Thu, May 31, 2018 at 6:52 PM, Raymond Jennings <shentino@gmail.com> wrote:
> > I refuse to sign anything.
> >
> > If the GPL works as intended, then anyone using my work would
> > themselves be making a derived work of their own for which they
> > themselves could enforce the GPL.
> >

They could pursue the violation for just the copyright on the changes
they made, not to the work they derived it from.

For example, if somebody reproduced this email illegally (let's assume
it was distributed under a non-free license), I could sue them for
copying these two paragraphs, or for the email as a whole, but not if
they removed my additions and only sent the quoted text above.
Likewise you could sue them for copying the quoted text above, or for
the email as a whole, but not if they removed the quoted text and only
copied my additions.  This email as a whole is a derived work, but if
I didn't quote you it probably wouldn't be.

>
> It is for this reason I never understood the point of contributor
> agreements for open source projects. Even the FSF's justification, so
> that they may pursue GPL violations without requiring you present,
> seems to fall apart as various Linux kernel contributors have gone
> after companies on their own for profit without the consent of Mr.
> Torvalds, the other contributors, or the Linux Foundation.
>

You're comparing apples and oranges here.  The Linux kernel doesn't
require people to sign CLAs.  That means that the Linux Foundation
generally CAN'T pursue copyright violators, but the individual
contributors CAN.  If the contributors signed traditional CLAs, then
the Linux Foundation COULD pursue copyright violators, but the
individual contributors COULD NOT.  A traditional CLA transfers the
rights of the creator to the assignee, at least under US law.  I'm
speaking generally of course since what any particular CLA does is
governed by the wording of that particular CLA, and of course the
governing law.

The FSF wants people to sign CLAs so that THEY can pursue copyright
violators.  The contributor already has this right, probably.

There are a few other nuances (again, talking about traditional CLAs
that assign copyright):

*  Some question whether somebody holding copyright over only a small
part of software could on their own pursue a violator, or how
effective this would be.  These people argue that a CLA consolidates
the copyrights so that instead of a bazillion people owning copyrights
to 3 lines each, you end up with 1 entity owning copyright to the
whole thing, which eliminates this issue.

*  A CLA also can allow for relicensing beyond the limits of the
standard "or a later version" language (for projects that even use
this language).  If a CLA is signed then an organization could choose
to switch from GPL to CDDL, or from BSD to Apache.  Of course, many
traditional CLAs would also let them switch from GPL to "all rights
reserved," with the caveat that whatever was prevsiously released
under the GPL could still be redistributed and modified by recipients
under the GPL.

Note that the above pertains mostly to traditional CLAs.  For the FSFe
FLA approach the main benefits are:

*  Gentoo could re-license under a different free license, within the
limits of the agreement, assuming we owned enough of the code or
otherwise dealt with that issue.  This could be useful if some new
license comes out later not related to the GPL/etc.  If you care about
such things you'll want to read it for yourself, but the agreement is
structured to prevent shenanigans like proprietary re-licensing.

*  One of the goals originally in the FLA was to make it exclusive in
a way that would ensure that Gentoo would know that you hadn't given
somebody else permission to use your contribution under a non-free
license (which means we know anybody doing this is in violation).
However, looking at the wording of section 2.3 of the new version I'm
not sure that this feature even applies anymore, as there don't seem
to be any copyleft restrictions on the grant back and its ability to
relicense.  That seems like a bug the FSFe might want to look into.
In any case, without an FLA with the correct wording, there is no way
to know if somebody is in violation without contacting the original
contributor, because the original contributor could have given them
permission to use it under a non-free license.  This makes detecting
violations more difficult.

(I realize the above might be confusing, and can elaborate further if desired.)

-- 
Rich

Re: [gentoo-project] Re: [gentoo-dev-announce] Poll: Would you sign a Contributer License Agreement?

[Ulrich Mueller]

[-- Attachment #1: Type: text/plain, Size: 1332 bytes --]

>>>>> On Thu, 31 May 2018, Rich Freeman wrote:

> *  One of the goals originally in the FLA was to make it exclusive in
> a way that would ensure that Gentoo would know that you hadn't given
> somebody else permission to use your contribution under a non-free
> license (which means we know anybody doing this is in violation).
> However, looking at the wording of section 2.3 of the new version I'm
> not sure that this feature even applies anymore, as there don't seem
> to be any copyleft restrictions on the grant back and its ability to
> relicense.  That seems like a bug the FSFe might want to look into.
> In any case, without an FLA with the correct wording, there is no way
> to know if somebody is in violation without contacting the original
> contributor, because the original contributor could have given them
> permission to use it under a non-free license.  This makes detecting
> violations more difficult.

The old version (1.2) of FSFE's FLA, §3 (2) has this:
"Furthermore, FSFE grants to Beneficiary additional non- exclusive,
transferable license to use, reproduce, redistribute and make
available the Software as needed for releases of the Software under
other licences."

IIUC that woudln't have prevented distribution by the original author
under a non-free license either.

Ulrich

[-- Attachment #2: Type: application/pgp-signature, Size: 490 bytes --]

[gentoo-project] Re: Poll: Would you sign a Contributer License Agreement?

[Ulrich Mueller]

[-- Attachment #1: Type: text/plain, Size: 2455 bytes --]

>>>>> On Wed, 30 May 2018, Ulrich Mueller wrote:

> A while back I requested information on past copyright assignments [1].
> Since then, we have located some 30 of the assignment forms, signed by
> developers (most of them retired by now) in 2004.

> Here is the second part of the exercise. The current draft of the new
> Gentoo copyright policy [2] arranges for two procedures:

> 1. Certifying agreement to a "Gentoo Developer's Certificate of Origin"
>    by including a "Signed-off-by" line with every commit. This would
>    be virtually identical to the procedure used for the Linux kernel,
>    and would be mandatory. A draft of the Gentoo DCO can be seen at [3].

> 2. In addition, according to the current policy draft, developers would
>    be encouraged to sign a "Gentoo Contributor License Agreement (CLA)".
>    Its current draft version is at [4]. However, this would be
>    completely voluntary and *not* be required. The exact workflow
>    hasn't been drafted yet, but PGP signing of the form would be one
>    possibility. (Also note that the form includes fields for real name
>    and postal address.)

> The goals of the second item is to "make compliance with this policy
> easier (fewer copyright holders to list), and allow the Foundation to
> enforce copyrights and re-license content if appropriate" [2].
> Apparently, we will only be able to achieve these goals if a
> significant fraction of contributors will sign the CLA.

> So, before I pursue more work on the CLA I would like to ask all
> developers and contributors:

> - Would you sign a "Gentoo Contributor License Agreement", similar to
>   the current draft in [4]?

After five days, I have received only 13 replies from developers, and
it seems impossible to draw any conclusion from such a small number.
(Especially, does the absense of an answer imply that the person
doesn't care and would therefore also not sign the CLA? Not sure.)

Crossposting to -core now for a wider audience, at least amongst devs.
Developers and other contributors, please reply.

> Please reply to me personally; I shall post a summary to the
> gentoo-project mailing list in one week from now.

Ulrich

> [1] https://archives.gentoo.org/gentoo-project/message/4958621b17b00eac7aaca1c8737b8b57
> [2] https://dev.gentoo.org/~ulm/glep-copyrightpolicy.html
> [3] https://dev.gentoo.org/~ulm/glep-copyrightpolicy.html#certificate-of-origin
> [4] https://dev.gentoo.org/~ulm/cla/cla.pdf

[-- Attachment #2: Type: application/pgp-signature, Size: 490 bytes --]

Re: [gentoo-project] Re: Poll: Would you sign a Contributer License Agreement?

[Kristian Fiskerstrand]

[-- Attachment #1.1: Type: text/plain, Size: 526 bytes --]

On 06/04/2018 02:35 PM, Ulrich Mueller wrote:
> - Would you sign a "Gentoo Contributor License Agreement", similar to
>   the current draft in [4]?

No, I don't see this as being of much value and might not be possible to
begin with but I haven't read the Norwegian copyright laws closely
enough, but given other European legislation likely more of a hassle
than value.

-- 
Kristian Fiskerstrand
OpenPGP keyblock reachable at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 488 bytes --]

[gentoo-project] Re: Poll: Would you sign a Contributer License Agreement?

[Ulrich Mueller]

[-- Attachment #1: Type: text/plain, Size: 2810 bytes --]

>>>>> On Wed, 30 May 2018, Ulrich Mueller wrote:

> A while back I requested information on past copyright assignments
> [1]. Since then, we have located some 30 of the assignment forms,
> signed by developers (most of them retired by now) in 2004.

> Here is the second part of the exercise. The current draft of the
> new Gentoo copyright policy [2] arranges for two procedures:

> 1. Certifying agreement to a "Gentoo Developer's Certificate of
>    Origin" by including a "Signed-off-by" line with every commit.
>    This would be virtually identical to the procedure used for the
>    Linux kernel, and would be mandatory. A draft of the Gentoo DCO
>    can be seen at [3].

> 2. In addition, according to the current policy draft, developers
>    would be encouraged to sign a "Gentoo Contributor License
>    Agreement (CLA)". Its current draft version is at [4]. However,
>    this would be completely voluntary and *not* be required. The
>    exact workflow hasn't been drafted yet, but PGP signing of the
>    form would be one possibility. (Also note that the form includes
>    fields for real name and postal address.)

> The goals of the second item is to "make compliance with this policy
> easier (fewer copyright holders to list), and allow the Foundation
> to enforce copyrights and re-license content if appropriate" [2].
> Apparently, we will only be able to achieve these goals if a
> significant fraction of contributors will sign the CLA.

> So, before I pursue more work on the CLA I would like to ask all
> developers and contributors:

> - Would you sign a "Gentoo Contributor License Agreement", similar
>   to the current draft in [4]?

> Please reply to me personally; I shall post a summary to the
> gentoo-project mailing list in one week from now.

Time to post a summary: I have received 24 answers in total, 22 from
developers and 2 from users.

    9 answers said they would sign such an agreement,
   12 answers said they would not sign it, or would not be allowed to
      by their employer,
    3 answers were undecided or non-committal.

It is still difficult to extrapolate from these numbers. My impression
(also from replies in mailing lists) is that achieving 50% coverage
would be a very optimistic assumption. Also there were some very
active devs amongst the "no" replies.

For the time being, we have therefore removed the FLA/CLA section from
the (pre-)draft of the copyright policy [2]. I shall post it soon as a
GLEP draft for wider rewiev.

Thanks to everyone who has replied.

Ulrich


[1] https://archives.gentoo.org/gentoo-project/message/4958621b17b00eac7aaca1c8737b8b57
[2] https://dev.gentoo.org/~ulm/glep-drafts/glep-0076.html
[3] https://dev.gentoo.org/~ulm/glep-drafts/glep-0076.html#certificate-of-origin
[4] https://dev.gentoo.org/~ulm/cla/cla.pdf

[-- Attachment #2: Type: application/pgp-signature, Size: 490 bytes --]

[gentoo-project] Re: [gentoo-core] Re: Poll: Would you sign a Contributer License Agreement?

[Ulrich Mueller]

[-- Attachment #1: Type: text/plain, Size: 1939 bytes --]

[Replying to gentoo-project only.]

>>>>> On Mon, 25 Jun 2018, Greg KH wrote:

> On Mon, Jun 04, 2018 at 02:35:41PM +0200, Ulrich Mueller wrote:
>> After five days, I have received only 13 replies from developers,
>> and it seems impossible to draw any conclusion from such a small
>> number. (Especially, does the absense of an answer imply that the
>> person doesn't care and would therefore also not sign the CLA? Not
>> sure.)
>> 
>> Crossposting to -core now for a wider audience, at least amongst
>> devs. Developers and other contributors, please reply.

> As I stated before privately, I think this is a horrid idea.  You
> are creating yet-another-development-process that anyone who is
> employed by _ANY_ company is going to have to go and get their
> employer's permission to do so.

> That means, at the least, lots of billable lawyer hours, and at the
> worse, lots of people not being able to contribute.

> And while I haven't really done any Gentoo work in many years, it
> _will_ prevent me from doing any future work.

Please read the whole thread. We have dropped the FLA/CLA in the
latest iteration. Also even in the previous versions it was meant to
be voluntary, i.e. devs were "welcome and encouraged (but *not*
required)" to sign it.

> And again, as I previously stated, "forking" the DCO is a horrible
> idea,

Has there ever been a wider review of the Linux DCO? If not, then it
is not surprising if it fits the needs of kernel development only
(which is very homogeneous, license wise), but not necessarily other
projects.

> and doing it by not getting legal review of such changes is an even
> worse idea.

> Would you want a medical doctor to write a legal document?  If not,
> why would you want a programmer to do so?

Are you saying that the DCO is so complicated that all devs will need
a lawyer, in order to understand what they are certifying? Then we are
doing something fundamentally wrong.

Ulrich

[-- Attachment #2: Type: application/pgp-signature, Size: 490 bytes --]

Re: [gentoo-project] Re: [gentoo-core] Re: Poll: Would you sign a Contributer License Agreement?

[Paweł Hajdan, Jr.]

[-- Attachment #1.1: Type: text/plain, Size: 1367 bytes --]

On 25/06/2018 08:50, Ulrich Mueller wrote:
> Has there ever been a wider review of the Linux DCO? If not, then it
> is not surprising if it fits the needs of kernel development only
> (which is very homogeneous, license wise), but not necessarily other
> projects.

+1

It's been very convincing for me as a software engineer to use DCO
everywhere. However, I can also see the opposing argument, that the
situation of many companies and project is very different from Linux
Foundation's, especially from legal point of view. Even though I might
not personally be fully convinced, I certainly accept that specialists
(lawyers) have a deeper understanding of that perspective.

>> and doing it by not getting legal review of such changes is an even
>> worse idea.
> 
>> Would you want a medical doctor to write a legal document?  If not,
>> why would you want a programmer to do so?
> 
> Are you saying that the DCO is so complicated that all devs will need
> a lawyer, in order to understand what they are certifying? Then we are
> doing something fundamentally wrong.

Greg has a good point here. It may help to state clearly what are we
trying to accomplish here, and evaluate different solutions against that
goal. If our fork of DCO would still be optional, what does it
accomplish? Might it create some additional issues?

Paweł


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 827 bytes --]

[gentoo-project] Re: [gentoo-core] Re: Poll: Would you sign a Contributer License Agreement?

[Ulrich Mueller]

[-- Attachment #1: Type: text/plain, Size: 2640 bytes --]

>>>>> On Mon, 25 Jun 2018, Greg KH wrote:

> On Mon, Jun 25, 2018 at 08:50:26AM +0200, Ulrich Mueller wrote:
>> [Replying to gentoo-project only.]

> Why?  You put this on -core for a reason, why take conversations
> somewhere that not everyone can see them?  That's just rude :)

>> Please read the whole thread. We have dropped the FLA/CLA in the
>> latest iteration. Also even in the previous versions it was meant to
>> be voluntary, i.e. devs were "welcome and encouraged (but *not*
>> required)" to sign it.

> Where is "the whole thread" at these days?  It's hard to keep track of
> it all.

gentoo-project mailing list, thread "[RFC] GLEP 76: Copyright Policy".
Latest draft is at: https://www.gentoo.org/glep/glep-0076.html

>> > And again, as I previously stated, "forking" the DCO is a horrible
>> > idea,
>> 
>> Has there ever been a wider review of the Linux DCO? If not, then it
>> is not surprising if it fits the needs of kernel development only
>> (which is very homogeneous, license wise), but not necessarily other
>> projects.

> Yes, there has been, it is used by lots of differently licensed
> projectes these days.  One example would be a large number of the CNCF
> projects (kuberneties and friends).

> It has also been vetted and approved by the legal departments of all
> companies that allow their developers to contribute to open source
> projects.  Again, a very wide range of legal and developer vetting has
> happened.  If you know of any current problems, please let us know.

The problems are listed in the rationale of GLEP 76.

With the license currently listed at https://developercertificate.org/
("changing is not allowed") nobody would even be allowed to commit the
DCO to a repository under it's own terms. Catch-22.

We can only commit it under the CC-BY-SA under which it (fortunately)
has been released earlier, and then we _are_ permitted to fix any bugs
in it.

>> Are you saying that the DCO is so complicated that all devs will need
>> a lawyer, in order to understand what they are certifying? Then we are
>> doing something fundamentally wrong.

> I'm saying that if you change the DCO then it will have to be vetted by
> all corporate legal departments.  If you do not change it, it is an easy
> "we know all about that one, it's fine" 1 minute conversation.

It hopefully takes less than 1 minute to read and understand the item
that we have added:

   (3) The contribution is a license text (or a file of similar nature),
       and verbatim distribution is allowed; or

Do you think that anybody would have difficulties understanding this?
Then please propose a better wording.

Ulrich

[-- Attachment #2: Type: application/pgp-signature, Size: 490 bytes --]

[gentoo-project] Re: [gentoo-core] Re: Poll: Would you sign a Contributer License Agreement?

[Rich Freeman]

On Mon, Jun 25, 2018 at 7:05 AM Greg KH <gregkh@gentoo.org> wrote:
>
> On Mon, Jun 25, 2018 at 09:54:19AM +0200, Ulrich Mueller wrote:
> >
> > The problems are listed in the rationale of GLEP 76.
> >
> > With the license currently listed at https://developercertificate.org/
> > ("changing is not allowed") nobody would even be allowed to commit the
> > DCO to a repository under it's own terms. Catch-22.
>
> And as the Debian developers said, "that's crazy-talk, don't worry about
> it."  Seriously, don't.

Do you have some kind of link to this?

Distributing the licenses is completely legal, but I don't see how
anybody could make the certifications in the DCO when doing so.

>
> What company or legal entity has concern with the DCO as-written?
>

Well, I do, at least as far as license commits go.  How could I make
the certifications in your DCO when committing a license file like the
GPL?

The text of the upstream DCO says that the file is "covered under an
appropriate open source license," and the GPL isn't covered under an
open source license.

Don't get me wrong, per the terms in the GPL it is completely legal to
redistribute.  My problem isn't with redistributing the GPL.  My
problem is with signing off on the DCO when committing the GPL to a
repository, because I'd be making a statement that isn't true.

An alternative to this would be to not require a DCO signoff when
committing license files.

> That's not the only thing that you have changed here, as you state.  You
> changed the wording of the types of licenses (hint, "free software" is
> not the same as "open source" and has consequences by changing that
> wording.)

Sure, but our intent is to require the use of a free software license.
So, the consequences are intentional here.  It isn't adequate to
merely certify that the work is covered by an open source license
(this would be one of those cases where the needs of the Linux
Foundation may not be the same as the needs of everybody).

The other wording change is in changing how the outline numbering
works, to separate the three OR clauses from the one AND clause.

-- 
Rich

[gentoo-project] Re: [gentoo-core] Re: Poll: Would you sign a Contributer License Agreement?

[Ulrich Mueller]

[-- Attachment #1: Type: text/plain, Size: 4538 bytes --]

>>>>> On Mon, 25 Jun 2018, Greg KH wrote:

> And I'm dragging this back to -core, as I'm not on -project, so my
> responses are not even going there, and you started this on -core.

Nope, I started the thread on -project on 2018-05-30:
https://archives.gentoo.org/gentoo-project/message/b1d92fc4275c15a052cf27bb2a5d75dd
I cross-posted to -core once (on 2018-06-04) for wider audience,
because I had received only a handful of replies by then.

Otherwise, there is no reason why this discussion should take place in
private, so it is off-topic in -core.

>> With the license currently listed at https://developercertificate.org/
>> ("changing is not allowed") nobody would even be allowed to commit
>> the DCO to a repository under it's own terms. Catch-22.

> And as the Debian developers said, "that's crazy-talk, don't worry
> about it."  Seriously, don't.

If anyone worries about non-free files in their repositories, then
it's Debian. Certainly much more than we do.

Also, encouraging people to falsely certify things (and "don't worry
about it") is exactly what we want to avoid. If there is a S-o-b line
included with a commit, then there must not be any doubt that this
commit conforms to the wording of the certificate. If we allow people
to commit non-free files and certify them under the Linux DCO 1.1 then
the whole exercise is useless.

> And if you do have a lawyer who is worried about such a thing,
> please let me talk to them and I'll be glad to put them in contact
> with loads of other lawyers who will be glad to discuss it.

> What company or legal entity has concern with the DCO as-written?

Everybody who wants to commit a license file to the Gentoo repository,
and with the DCO 1.1 would have to lie about its status?

> That's not the only thing that you have changed here, as you state.
> You changed the wording of the types of licenses (hint, "free
> software" is not the same as "open source" and has consequences by
> changing that wording.)

It is generally acknowledged that "open source" licenses and "free
software licenses" are mostly congruent. (There are very few OSI
approved licenses like Artistic 1.0 which the FSF classifies as
non-free. The other way around, I am not aware of any.)

Nevertheless, I don't have a strong opinion here. Our Social Contract
says "free software", so we changed it to that for consistency, but
replacement of the term alone wouldn't be a sufficient reason to
create a modified version.

>> Do you think that anybody would have difficulties understanding
>> this? Then please propose a better wording.

> I am saying, over and over and over, that it's not up to me to
> change the wording.  I want _you_ to justify the change by getting a
> solid legal opinion that what you are changing actually does what
> you think it does, and is even needed in the first place.

> Again, don't try to arm-chair legal issues.  That ends up causing
> many more problems than you can ever imagine.  There's a good reason
> that lawyers write licenses and legal texts as they understand
> things that are not obvious to non-legally-trained people.

(Sometimes I wonder how some people survive. Do they ask their lawyers
before passing a green traffic light? Or before agreeing to a contract
of sale in the grocery store? :-)

> And again, you are ignoring the fact that we all are now going to
> have to get the legal departments of our companies to evaluate this.
> That will NOT take just 1 minute.  If you use the DCO as-is, that
> would only take 1 minute.

How about the following change then:

--- a/glep-0076.rst
+++ b/glep-0076.rst
@@ -133,12 +133,17 @@ with the project's license.
 For commits made using a VCS, the committer shall certify agreement
 to the Gentoo DCO by adding ``Signed-off-by: Name <e-mail>`` to the
 commit message as a separate line.  Committers must use their real
 name, i.e., the name that would appear in an official document like
 a passport.
 
+As an alternative to the above, commits may be certified with the
+Linux Kernel DCO 1.1.  Committers shall clearly indicate this by
+adding ``(Linux DCO 1.1)`` at the end of the ``Signed-off-by`` line.
+Using the Gentoo DCO is strongly preferred, though.
+
 The following is the current Gentoo DCO::
 
     Gentoo Developer's Certificate of Origin, revision 1
 
     By making a contribution to this project, I certify that:
 

It would allow anyone who has issues with our modified version to
commit under the original Linux DCO instead. Of course, certain files
they couldn't commit then.

Ulrich

[-- Attachment #2: Type: application/pgp-signature, Size: 490 bytes --]

Re: [gentoo-project] Re: [gentoo-core] Re: Poll: Would you sign a Contributer License Agreement?

[M. J. Everitt]

[-- Attachment #1.1: Type: text/plain, Size: 5475 bytes --]

On 25/06/18 15:37, Ulrich Mueller wrote:
>>>>>> On Mon, 25 Jun 2018, Greg KH wrote:
>> And I'm dragging this back to -core, as I'm not on -project, so my
>> responses are not even going there, and you started this on -core.
> Nope, I started the thread on -project on 2018-05-30:
> https://archives.gentoo.org/gentoo-project/message/b1d92fc4275c15a052cf27bb2a5d75dd
> I cross-posted to -core once (on 2018-06-04) for wider audience,
> because I had received only a handful of replies by then.
>
> Otherwise, there is no reason why this discussion should take place in
> private, so it is off-topic in -core.
>
>>> With the license currently listed at https://developercertificate.org/
>>> ("changing is not allowed") nobody would even be allowed to commit
>>> the DCO to a repository under it's own terms. Catch-22.
>> And as the Debian developers said, "that's crazy-talk, don't worry
>> about it."  Seriously, don't.
> If anyone worries about non-free files in their repositories, then
> it's Debian. Certainly much more than we do.
>
> Also, encouraging people to falsely certify things (and "don't worry
> about it") is exactly what we want to avoid. If there is a S-o-b line
> included with a commit, then there must not be any doubt that this
> commit conforms to the wording of the certificate. If we allow people
> to commit non-free files and certify them under the Linux DCO 1.1 then
> the whole exercise is useless.
>
>> And if you do have a lawyer who is worried about such a thing,
>> please let me talk to them and I'll be glad to put them in contact
>> with loads of other lawyers who will be glad to discuss it.
>> What company or legal entity has concern with the DCO as-written?
> Everybody who wants to commit a license file to the Gentoo repository,
> and with the DCO 1.1 would have to lie about its status?
>
>> That's not the only thing that you have changed here, as you state.
>> You changed the wording of the types of licenses (hint, "free
>> software" is not the same as "open source" and has consequences by
>> changing that wording.)
> It is generally acknowledged that "open source" licenses and "free
> software licenses" are mostly congruent. (There are very few OSI
> approved licenses like Artistic 1.0 which the FSF classifies as
> non-free. The other way around, I am not aware of any.)
>
> Nevertheless, I don't have a strong opinion here. Our Social Contract
> says "free software", so we changed it to that for consistency, but
> replacement of the term alone wouldn't be a sufficient reason to
> create a modified version.
>
>>> Do you think that anybody would have difficulties understanding
>>> this? Then please propose a better wording.
>> I am saying, over and over and over, that it's not up to me to
>> change the wording.  I want _you_ to justify the change by getting a
>> solid legal opinion that what you are changing actually does what
>> you think it does, and is even needed in the first place.
>> Again, don't try to arm-chair legal issues.  That ends up causing
>> many more problems than you can ever imagine.  There's a good reason
>> that lawyers write licenses and legal texts as they understand
>> things that are not obvious to non-legally-trained people.
> (Sometimes I wonder how some people survive. Do they ask their lawyers
> before passing a green traffic light? Or before agreeing to a contract
> of sale in the grocery store? :-)
>
>> And again, you are ignoring the fact that we all are now going to
>> have to get the legal departments of our companies to evaluate this.
>> That will NOT take just 1 minute.  If you use the DCO as-is, that
>> would only take 1 minute.
> How about the following change then:
>
> --- a/glep-0076.rst
> +++ b/glep-0076.rst
> @@ -133,12 +133,17 @@ with the project's license.
>  For commits made using a VCS, the committer shall certify agreement
>  to the Gentoo DCO by adding ``Signed-off-by: Name <e-mail>`` to the
>  commit message as a separate line.  Committers must use their real
>  name, i.e., the name that would appear in an official document like
>  a passport.
>  
> +As an alternative to the above, commits may be certified with the
> +Linux Kernel DCO 1.1.  Committers shall clearly indicate this by
> +adding ``(Linux DCO 1.1)`` at the end of the ``Signed-off-by`` line.
> +Using the Gentoo DCO is strongly preferred, though.
> +
>  The following is the current Gentoo DCO::
>  
>      Gentoo Developer's Certificate of Origin, revision 1
>  
>      By making a contribution to this project, I certify that:
>  
>
> It would allow anyone who has issues with our modified version to
> commit under the original Linux DCO instead. Of course, certain files
> they couldn't commit then.
>
> Ulrich
I make a simple observation based on the thread here. I would personally
probably be more comfortable under a DCO that has "large organisation"
backing eg. Linux kernel, as the effort required to make changes is
likely to be significant, and it is likely to have been vetted by
"qualified persons". By contrast, Gentoo is likely to have been cobbled
together by a consensus of unqualified persons, and is quite unlikely to
be defended in court, -should- it come to that (see recent legal case of
McHardy et al).

Not that I have any issue with Gentoo having it's own, but it lacks
teeth and claws.

-----
another 2c from the peanut gallery. Apologies.


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

Re: [gentoo-project] Re: [gentoo-core] Re: Poll: Would you sign a Contributer License Agreement?

[Rich Freeman]

On Mon, Jun 25, 2018 at 10:46 AM M. J. Everitt <m.j.everitt@iee.org> wrote:
>
> By contrast, Gentoo is likely to have been cobbled
> together by a consensus of unqualified persons, and is quite unlikely to
> be defended in court, -should- it come to that (see recent legal case of
> McHardy et al).
>

If Gentoo used the Linux DCO, and Gentoo was sued in court, and the
Linux Foundation was not named in the suit, and the case hinged on the
DCO, I'm pretty skeptical that Gentoo would suddenly be flooded with
free legal aid from the Linux Foundation or similar organizations,
beyond what they'd receive if they had written their own DCO.

As far as I'm aware no DCO has much legal precedent backing it up
specifically, so while this could change in the future, it isn't much
of a factor at the present either.

Nothing wrong with having it legally reviewed, and I've yet to see
anybody oppose this being done.  Everybody just seems to think that it
ought to be somebody else's job to do so.  :)

-- 
Rich

Re: [gentoo-project] Re: [gentoo-core] Re: Poll: Would you sign a Contributer License Agreement?

[Denis Dupeyron]

Replying to Rich's last message to reply to the thread, not to Rich
specifically.

I want to note here that if this comes into effect, and becomes
mandatory, some critical pieces of Gentoo would go unmaintained for
months, if not longer and possibly indefinitely, until the employer of
the maintainers allows them to sign whatever it is you would require.
I'm talking about portage and OpenRC, but there may be other examples.
These particular projects are maintained by developers paid by their
employer to work on them, and as such do much more than a loose team
of unpaid developers. And although they were hired to so they would
have to wait until the corporate legal arm of their employer approves
them signing your document. That's like sending a message in a bottle
if e.g. the employee is based in the US and lawyers in Japan (example
not chosen at random).

And let's not forget about the dozens of contributors who would be
barred from doing all the awesome stuff they do everyday across the
entire tree.

Finally, think of the deterrent effect to potential new contributors.
It's not like we get a ton of candidates these days, and like we have
the slightest clue about recruiting them. There's a significant chance
that adding such a legal barrier would end up slowly strangling Gentoo
to death.

Re: [gentoo-project] Re: [gentoo-core] Re: Poll: Would you sign a Contributer License Agreement?

[Rich Freeman]

On Mon, Jun 25, 2018 at 11:53 AM Denis Dupeyron <calchan@gentoo.org> wrote:
>
> I want to note here that if this comes into effect, and becomes
> mandatory, some critical pieces of Gentoo would go unmaintained for
> months, if not longer and possibly indefinitely, until the employer of
> the maintainers allows them to sign whatever it is you would require.

Just to get you to elaborate a bit more: is this a concern with the
Gentoo DCO in particular, or any requirement to sign off on anything?

It is probably worth nothing that the DCO (either upstream's or
Gentoo's) is just an affirmation of compliance.  It doesn't actually
have any binding statements on the signer.  You aren't signing away
any rights or accepting any restrictions, and it doesn't constitute a
contract as far as I can tell.  It is merely a statement of fact about
a commit.

That said, part of me does wonder as such whether we're just as
covered by a policy that requires all commits be redistributable,
training all developers in it, and leaving it at that.  That would
basically be the status quo, and I don't think anybody is going to
object to a policy that says only stuff we can legally distribute goes
in the repos.  That really isn't any more restrictive than our general
social contract.

Ultimately this is all just reasonable care.  Somebody can add a
signed-off-by without reading the DCO just as they can do a commit
without reading our policy on what is allowed to be committed.  Is the
one standard truly any more defensible than the other?

-- 
Rich

Re: [gentoo-project] Re: [gentoo-core] Re: Poll: Would you sign a Contributer License Agreement?

[Ulrich Mueller]

[-- Attachment #1: Type: text/plain, Size: 765 bytes --]

>>>>> On Mon, 25 Jun 2018, M J Everitt wrote:

> By contrast, Gentoo is likely to have been cobbled together by a
> consensus of unqualified persons,

I would wish you would argue about the facts, instead of resorting to
an ad-hominem argument. Or, if you believe that you're not qualified
for the former, simply abstain from posting.

> and is quite unlikely to be defended in court, -should- it come to
> that (see recent legal case of McHardy et al).

See? Apparently all these "large organisations" with their highly
qualified lawyers hadn't understood the consequences of the
termination clause in section 4 of GPL-2, which is there since 1985.

(And yes, I am aware that they try to band-aid it by imposing
additional restrictions on top of the GPL.)

Ulrich

[-- Attachment #2: Type: application/pgp-signature, Size: 490 bytes --]

Re: [gentoo-project] Re: [gentoo-core] Re: Poll: Would you sign a Contributer License Agreement?

[M. J. Everitt]

[-- Attachment #1.1: Type: text/plain, Size: 1616 bytes --]

On 25/06/18 17:54, Ulrich Mueller wrote:
>>>>>> On Mon, 25 Jun 2018, M J Everitt wrote:
>> By contrast, Gentoo is likely to have been cobbled together by a
>> consensus of unqualified persons,
> I would wish you would argue about the facts, instead of resorting to
> an ad-hominem argument. Or, if you believe that you're not qualified
> for the former, simply abstain from posting.
>
>> and is quite unlikely to be defended in court, -should- it come to
>> that (see recent legal case of McHardy et al).
> See? Apparently all these "large organisations" with their highly
> qualified lawyers hadn't understood the consequences of the
> termination clause in section 4 of GPL-2, which is there since 1985.
>
> (And yes, I am aware that they try to band-aid it by imposing
> additional restrictions on top of the GPL.)
>
> Ulrich
With a lack of mail signature with one's qualifications attached (very
90s I know..) it is hard to get an accurate grip on any individuals
particular expertise. I see a hell of a lot of bike-shedding by people
who definitely *think* they know about a subject, without a clear
indication of where this comes from. I have no problem with people
talking with authority (IANAL excepting), but if anyone is actively OR
passively refusing to disclose their sources, is it really unreasonable
to ask someone to justify their arguments? We're pretty good in doing
this in code/GLEPs/etc .. why can't we do it in other just-as technical
discussions? (I have absolutely no issue with footnoting either, it's a
very neat, compact way to achieve the required result).


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

Re: [gentoo-project] Re: [gentoo-core] Re: Poll: Would you sign a Contributer License Agreement?

[Rich Freeman]

On Mon, Jun 25, 2018 at 1:10 PM M. J. Everitt <m.j.everitt@iee.org> wrote:
>
> I have no problem with people
> talking with authority (IANAL excepting), but if anyone is actively OR
> passively refusing to disclose their sources, is it really unreasonable
> to ask someone to justify their arguments?

Well, you should have a problem with people talking with authority if
they aren't justifying their arguments, whether they disclose sources
or otherwise.  Certainly they can cite arguments made elsewhere
without repeating them, but titles don't convey rightness.

Besides, if we required formal certifications to contribute to Gentoo,
I bet half our developers would be disqualified.  We probably have as
many physics majors as CS majors on the rolls from my observations.

As far as I'm aware nobody on this list is a lawyer, and we have
varying levels of professional and informal involvement in
legal/business/compliance activities (serving on boards, dealing with
contracts, working in regulatory/compliance, etc).  So, take
everything with a grain of salt.

-- 
Rich

Re: [gentoo-project] Re: [gentoo-core] Re: Poll: Would you sign a Contributer License Agreement?

[Denis Dupeyron]

On Mon, Jun 25, 2018 at 11:51 AM Rich Freeman <rich0@gentoo.org> wrote:
> On Mon, Jun 25, 2018 at 11:53 AM Denis Dupeyron <calchan@gentoo.org> wrote:
> >
> > I want to note here that if this comes into effect, and becomes
> > mandatory, some critical pieces of Gentoo would go unmaintained for
> > months, if not longer and possibly indefinitely, until the employer of
> > the maintainers allows them to sign whatever it is you would require.
>
> Just to get you to elaborate a bit more: is this a concern with the
> Gentoo DCO in particular, or any requirement to sign off on anything?

The latter.

Re: [gentoo-project] Re: [gentoo-core] Re: Poll: Would you sign a Contributer License Agreement?

[Michał Górny]

Dnia 25 czerwca 2018 21:02:05 CEST, Denis Dupeyron <calchan@gentoo.org> napisał(a):
>On Mon, Jun 25, 2018 at 11:51 AM Rich Freeman <rich0@gentoo.org> wrote:
>> On Mon, Jun 25, 2018 at 11:53 AM Denis Dupeyron <calchan@gentoo.org>
>wrote:
>> >
>> > I want to note here that if this comes into effect, and becomes
>> > mandatory, some critical pieces of Gentoo would go unmaintained for
>> > months, if not longer and possibly indefinitely, until the employer
>of
>> > the maintainers allows them to sign whatever it is you would
>require.
>>
>> Just to get you to elaborate a bit more: is this a concern with the
>> Gentoo DCO in particular, or any requirement to sign off on anything?
>
>The latter.

If they really can't sign off that they are allowed to contribute, then I indeed prefer them stopping contributing. That's certainly better than learning one day that all their contributions were illegal and we suddenly have to pull off all those packages.

-- 
Best regards,
Michał Górny (by phone)

Re: [gentoo-project] Re: [gentoo-core] Re: Poll: Would you sign a Contributer License Agreement?

[Paweł Hajdan, Jr.]

[-- Attachment #1.1: Type: text/plain, Size: 986 bytes --]

On 25/06/2018 22:13, Michał Górny wrote:
> If they really can't sign off that they are allowed to contribute,
> then I indeed prefer them stopping contributing. That's certainly
> better than learning one day that all their contributions were
> illegal and we suddenly have to pull off all those packages.

Good point.

We could hope that as more projects get more careful about legal
considerations, it won't be as much a surprise/special case for
employers as it might be today. Or it might become a factor when
choosing an employer.

It'd be interesting to know if there are any examples of a project
having to pull some code (and how say git history would have to be handled).

Of course even lack of such examples would not be a reason against more
attention to legal aspects of contributions. However, it may influence
the timeline. Haste may indeed do more harm than good, but ignoring this
doesn't seem to be the right long-term choice either.

Paweł


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 827 bytes --]

Re: [gentoo-project] Re: [gentoo-core] Re: Poll: Would you sign a Contributer License Agreement?

[Alec Warner]

[-- Attachment #1: Type: text/plain, Size: 2544 bytes --]

On Mon, Jun 25, 2018 at 11:53 AM, Denis Dupeyron <calchan@gentoo.org> wrote:

> Replying to Rich's last message to reply to the thread, not to Rich
> specifically.
>
> I want to note here that if this comes into effect, and becomes
> mandatory, some critical pieces of Gentoo would go unmaintained for
> months, if not longer and possibly indefinitely, until the employer of
> the maintainers allows them to sign whatever it is you would require.
> I'm talking about portage and OpenRC, but there may be other examples.
> These particular projects are maintained by developers paid by their
> employer to work on them, and as such do much more than a loose team
> of unpaid developers. And although they were hired to so they would
> have to wait until the corporate legal arm of their employer approves
> them signing your document. That's like sending a message in a bottle
> if e.g. the employee is based in the US and lawyers in Japan (example
> not chosen at random).
>

I think you paint a fairly black and white picture here. If there are
*concrete* issues then I want to see them here (e.g. adopting a DCO means
these 5 people cannot contribute without some additional work) because its
up to Gentoo to work out these issues. Maybe that means accepting
contributions on a contingent basis while we work out the issues. Maybe it
means delaying making the DCO mandatory for everyone. Maybe it means
talking to lawyers to discuss specific legal problems.

None of these mean we shouldn't do a DCO. But if we never learn about these
issues, I don't see how we can move forward.


>
> And let's not forget about the dozens of contributors who would be
> barred from doing all the awesome stuff they do everyday across the
> entire tree.
>

I'd rather do what ulm did before and poll people about the DCO (the
original poll was about the CLA) than be subject to these arguments where
people make up numbers.


> Finally, think of the deterrent effect to potential new contributors.
> It's not like we get a ton of candidates these days, and like we have
> the slightest clue about recruiting them. There's a significant chance
> that adding such a legal barrier would end up slowly strangling Gentoo
> to death.


I'd rather do a DCO and see things like "well we tried to recruit 20 new
people but 15 of them left because of a DCO" than be subject to
unsubstantiated fear. At least on that basis we can decide that the DCO is
'too risky to staff' and stop requiring it. But that would be an experience
based on actually trying something.

-A

[-- Attachment #2: Type: text/html, Size: 3355 bytes --]

Re: [gentoo-project] Re: [gentoo-core] Re: Poll: Would you sign a Contributer License Agreement?

[Denis Dupeyron]

On Mon, Jun 25, 2018 at 3:13 PM Michał Górny <mgorny@gentoo.org> wrote:
> If they really can't sign off that they are allowed to contribute, then I indeed prefer them stopping contributing. That's certainly better than learning one day that all their contributions were illegal and we suddenly have to pull off all those packages.

That was obvious. I just wanted to point out that Gentoo would be
losing a whole bunch of paid developers, temporarily or permanently,
and that it can't be harmless. And also that our already bad
recruitment would suffer.

Re: [gentoo-project] Re: [gentoo-core] Re: Poll: Would you sign a Contributer License Agreement?

[Denis Dupeyron]

On Mon, Jun 25, 2018 at 3:31 PM Alec Warner <antarus@gentoo.org> wrote:
> I think you paint a fairly black and white picture here. If there are *concrete* issues then I want to see them here (e.g. adopting a DCO means these 5 people cannot contribute without some additional work) because its up to Gentoo to work out these issues. Maybe that means accepting contributions on a contingent basis while we work out the issues. Maybe it means delaying making the DCO mandatory for everyone. Maybe it means talking to lawyers to discuss specific legal problems.

I have no opinion of the document itself, whatever it is. I was just
making you guys aware that if this did happen, I and a bunch of others
will be asked to stop contributing in any form until the document,
whether good or bad, was reviewed and us allowed to sign it. Again,
you can make the document as suitable as possible to us, it would
still have to be reviewed by our corporate lawyers. If somebody,
somewhere, decides this has to go full corporate, i.e., to Japan where
I'm suspecting lawyers are not very familiar with both US law and
open-source matters, you're no longer counting in months. And again,
we're talking about the maintenance and continued development of
things like portage and OpenRc. I'm hoping I don't have to make the
case to you that it's difficult if at all possible to replace paid
developers with a loose bunch of volunteers.

> I'd rather do a DCO and see things like "well we tried to recruit 20 new people but 15 of them left because of a DCO" than be subject to unsubstantiated fear. At least on that basis we can decide that the DCO is 'too risky to staff' and stop requiring it. But that would be an experience based on actually trying something.

You just won't get 20 recruits or candidates. You will get much fewer
to none of them. Mark my words. Imagine the situation. Young software
developer has to choose between living his/her life on one hand, and
on the other going through our stupid recruitment system, wait for
months, and then ask his manager to ask his manager to ask etc... that
his/her employer reviews this document and clears him/her to sign it.
This person will either do nothing or become an arch developer. We
don't live in a vacuum.

Again, I don't have any opinion on the document nor the process. I'm
just trying to raise issues which I haven't seen being raised before
it's too late. When our employer asks us to stop contributing we will
have no choice but to comply.

Re: [gentoo-project] Re: [gentoo-core] Re: Poll: Would you sign a Contributer License Agreement?

[Alec Warner]

[-- Attachment #1: Type: text/plain, Size: 3516 bytes --]

On Mon, Jun 25, 2018 at 4:52 PM, Denis Dupeyron <calchan@gentoo.org> wrote:

> On Mon, Jun 25, 2018 at 3:31 PM Alec Warner <antarus@gentoo.org> wrote:
> > I think you paint a fairly black and white picture here. If there are
> *concrete* issues then I want to see them here (e.g. adopting a DCO means
> these 5 people cannot contribute without some additional work) because its
> up to Gentoo to work out these issues. Maybe that means accepting
> contributions on a contingent basis while we work out the issues. Maybe it
> means delaying making the DCO mandatory for everyone. Maybe it means
> talking to lawyers to discuss specific legal problems.
>
> I have no opinion of the document itself, whatever it is. I was just
> making you guys aware that if this did happen, I and a bunch of others
> will be asked to stop contributing in any form until the document,
> whether good or bad, was reviewed and us allowed to sign it. Again,
> you can make the document as suitable as possible to us, it would
> still have to be reviewed by our corporate lawyers. If somebody,
> somewhere, decides this has to go full corporate, i.e., to Japan where
> I'm suspecting lawyers are not very familiar with both US law and
> open-source matters, you're no longer counting in months. And again,
> we're talking about the maintenance and continued development of
> things like portage and OpenRc. I'm hoping I don't have to make the
> case to you that it's difficult if at all possible to replace paid
> developers with a loose bunch of volunteers.
>

So I would rather get some consensus on the wording of the DCO and send it
to $employer_legal_department for review, as opposed to just doing nothing.
Gentoo the organization decides when / if the DCO is mandatory. I'm
proposing we finalize the wording and get a review (to unblock the DCO,
which is nominally a thing Gentoo wants to do.)
I think it should be a goal to retain the volunteers who are paid; and if
we cannot do that then well, that is a problem for future us (e.g. we need
to ask and have the employer unable to say yes for whatever reason.) I feel
like you are suggesting just not asking..and I'm not really on board with
that.

-A


>
> > I'd rather do a DCO and see things like "well we tried to recruit 20 new
> people but 15 of them left because of a DCO" than be subject to
> unsubstantiated fear. At least on that basis we can decide that the DCO is
> 'too risky to staff' and stop requiring it. But that would be an experience
> based on actually trying something.
>
> You just won't get 20 recruits or candidates. You will get much fewer
> to none of them. Mark my words. Imagine the situation. Young software
> developer has to choose between living his/her life on one hand, and
> on the other going through our stupid recruitment system, wait for
> months, and then ask his manager to ask his manager to ask etc... that
> his/her employer reviews this document and clears him/her to sign it.
> This person will either do nothing or become an arch developer. We
> don't live in a vacuum.
>

I'm less convinced by theoretical problems than by practical ones that we
have experience with though.
Maybe we can collect data from other projects who require a DCO and see if
they lost contributors?

-A


>
> Again, I don't have any opinion on the document nor the process. I'm
> just trying to raise issues which I haven't seen being raised before
> it's too late. When our employer asks us to stop contributing we will
> have no choice but to comply.
>
>

[-- Attachment #2: Type: text/html, Size: 4439 bytes --]

Re: [gentoo-project] Re: [gentoo-core] Re: Poll: Would you sign a Contributer License Agreement?

[Ulrich Mueller]

[-- Attachment #1: Type: text/plain, Size: 625 bytes --]

>>>>> On Mon, 25 Jun 2018, Denis Dupeyron wrote:

> I have no opinion of the document itself, whatever it is. I was just
> making you guys aware that if this did happen, I and a bunch of others
> will be asked to stop contributing in any form until the document,
> whether good or bad, was reviewed and us allowed to sign it.

Note that technically, you don't _sign_ the certificate of origin
(you would sign the FLA/CLA but we've dropped it, in the meantime).
The only thing that will be required is adding a Signed-off-by line to
commits, in order to certify that the contribution is under a free
license.

> [...]

Ulrich

[-- Attachment #2: Type: application/pgp-signature, Size: 490 bytes --]

Re: [gentoo-project] Re: [gentoo-core] Re: Poll: Would you sign a Contributer License Agreement?

[Rich Freeman]

On Mon, Jun 25, 2018 at 5:06 PM Ulrich Mueller <ulm@gentoo.org> wrote:
>
> >>>>> On Mon, 25 Jun 2018, Denis Dupeyron wrote:
>
> > I have no opinion of the document itself, whatever it is. I was just
> > making you guys aware that if this did happen, I and a bunch of others
> > will be asked to stop contributing in any form until the document,
> > whether good or bad, was reviewed and us allowed to sign it.
>
> Note that technically, you don't _sign_ the certificate of origin
> (you would sign the FLA/CLA but we've dropped it, in the meantime).
> The only thing that will be required is adding a Signed-off-by line to
> commits, in order to certify that the contribution is under a free
> license.
>

Not sure I completely agree with the wording of your email, but in
general the DCO is a unilateral statement, not an agreement or a
contract.

It seems odd that an employer would have any concerns with signing a
statement of this kind.  Maybe if the Gentoo contribution was a work
for hire it might have a bit of bearing.  I'm not sure how many Gentoo
contributions are actually works for hire though.

Outside of work done on company time that is owned by my employer, the
place I work at doesn't have any restrictions on stuff I sign outside
of work.  Though, it seems like the tech industry is full of
over-reach like this.

In any case, I think Denis's comment should be taken for what it is -
a note that it could cause issues for some.  I do think it would be
helpful if people chimed in with "I checked at work and I can't sign
this" rather than "somebody somewhere might have a problem with this."
 I'm hearing a lot more of the latter than the former.

We could always approve the GLEP, then if everybody in the world says
they've been told they can't sign the DCO we can always un-approve the
GLEP.  It doesn't take anything more than a vote and a git hook
change.  Why people would wait to the last minute is beyond me, but
then again apparently somebody was complaining in IRC the other day
about being booted after not committing in a few years and not
checking his email for six months and therefore not replying to
multiple messages asking if he wanted to still be a dev...

-- 
Rich

Re: [gentoo-project] Re: [gentoo-core] Re: Poll: Would you sign a Contributer License Agreement?

[Andreas K. Huettel]

[-- Attachment #1: Type: text/plain, Size: 1508 bytes --]

Am Montag, 25. Juni 2018, 17:53:48 CEST schrieb Denis Dupeyron:
> 
> I want to note here that if this comes into effect, and becomes
> mandatory, some critical pieces of Gentoo would go unmaintained for
> months, if not longer and possibly indefinitely, until the employer of
> the maintainers allows them to sign whatever it is you would require.

Well, we need to agree ourselves on what we want first. That's what is 
happening now. Before the procedure and the text are not finalized, nobody can 
even start requesting agreement e.g. from employers.

Then, once that is completed, people can take whatever steps necessary. 
And later, at some point, we can make the Signed-Off-By mandatory.

So no need to make anyone panic that the flood is coming right now. (It's 
gonna come, but you'll have time to build an ark. Or vehemently argue that 
water doesn't exist.)

That said, I'm not sure if you have understood the principle of the DCO 
correctly. In my personal interpretation (yes IANAL), 

*If* your employer explicitly allows you to contribute to Gentoo, say, under 
the GPL2, then nothing keeps you from adding the Signed-Off-By header with 
git. (*) With the header you certify via the DCO that you are legally able to 
contribute the code under the GPL, which is precisely what your employer 
allowed you to do.

(*) for both Kernel and Gentoo DCO

-- 
Andreas K. Hüttel
dilfridge@gentoo.org
Gentoo Linux developer
(council, toolchain, perl, libreoffice, comrel)

[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 981 bytes --]