[gentoo-project] RFC: GLEP-76 copyright update, established pseudonyms and recruitment

[gentoo-project] RFC: GLEP-76 copyright update, established pseudonyms and recruitment

[Joonas Niilola]

[-- Attachment #1.1: Type: text/plain, Size: 656 bytes --]

Hey,

another GLEP-76 copyright related topic. To my knowledge not using a
real name was never a blocker from becoming a Gentoo developer, but with
the previous version of GLEP-76 it did prevent from committing to any
infra-hosted platform which then again made the developer status a bit
useless. Now with the relaxed GLEP it's possible to commit using
established pseudonyms. Therefore I'm asking what does the broader
community feel about recruiting individuals using pseudonyms?

I'm just gauging community feedback whether this should be made into
official policy, one way or another. What points are there for, and against?

-- juippis

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 618 bytes --]

Re: [gentoo-project] RFC: GLEP-76 copyright update, established pseudonyms and recruitment

[Ulrich Mueller]

[-- Attachment #1: Type: text/plain, Size: 1146 bytes --]

>>>>> On Fri, 28 Jul 2023, Joonas Niilola wrote:

> another GLEP-76 copyright related topic. To my knowledge not using a
> real name was never a blocker from becoming a Gentoo developer, but with
> the previous version of GLEP-76 it did prevent from committing to any
> infra-hosted platform which then again made the developer status a bit
> useless. Now with the relaxed GLEP it's possible to commit using
> established pseudonyms. Therefore I'm asking what does the broader
> community feel about recruiting individuals using pseudonyms?

> I'm just gauging community feedback whether this should be made into
> official policy, one way or another. What points are there for, and against?

While GLEP 76 allows other contributors to use pseudonyms, it is not a
contradiction if we hold developers to a higher standard.

Apart from committing to our repositories, developers also can vote
for project leads and for the council. Although we normally assume good
faith, we should at least have the theoretical possibility to verify
that a voter is a natural person (and that there are no votes by
multiple pseudonyms of the same person).

Ulrich

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 507 bytes --]

Re: [gentoo-project] RFC: GLEP-76 copyright update, established pseudonyms and recruitment

[Michael Orlitzky]

On Fri, 2023-07-28 at 16:50 +0300, Joonas Niilola wrote:
> 
> I'm just gauging community feedback whether this should be made into
> official policy, one way or another. What points are there for, and against?

Uploading malicious packages to pypi, npm, etc. is very popular these
days and is only possible because the developers can use pseudonyms.

Re: [gentoo-project] RFC: GLEP-76 copyright update, established pseudonyms and recruitment

[Sam James]

Ulrich Mueller <ulm@gentoo.org> writes:

> [[PGP Signed Part:Undecided]]
>>>>>> On Fri, 28 Jul 2023, Joonas Niilola wrote:
>
>> another GLEP-76 copyright related topic. To my knowledge not using a
>> real name was never a blocker from becoming a Gentoo developer, but with
>> the previous version of GLEP-76 it did prevent from committing to any
>> infra-hosted platform which then again made the developer status a bit
>> useless. Now with the relaxed GLEP it's possible to commit using
>> established pseudonyms. Therefore I'm asking what does the broader
>> community feel about recruiting individuals using pseudonyms?
>
>> I'm just gauging community feedback whether this should be made into
>> official policy, one way or another. What points are there for, and against?
>
> While GLEP 76 allows other contributors to use pseudonyms, it is not a
> contradiction if we hold developers to a higher standard.
>
> Apart from committing to our repositories, developers also can vote
> for project leads and for the council. Although we normally assume good
> faith, we should at least have the theoretical possibility to verify
> that a voter is a natural person (and that there are no votes by
> multiple pseudonyms of the same person).

Thanks - I'd wanted to make that first point, and the second is
a good one.

I also feel it could hurt our reputation if we allowed pseudonyms
from developers. It doesn't come across as professional as real
names.

There's also the question of whether the standard for psuedonyms
would be at least higher for developers - would we require them
to be e.g. polite? I recently rejected a PR because the S-o-b
line was from a particularly rude name. I asked about about this
in #gentoo-dev and some ComRel members said it definitely seemed
fine to reject it, but I don't think we have a formal rule on it
either.

It matters less if we allow a S-o-b from a somewhat juvenile
pseudonym for contributors rather than full developers with
commit access in their own right.

Maybe framing it differently: I pretty much only see downsides
to allowing it and I'm not sure it's worth us spending the effort
on.

Further, perhaps could revisit it a while after the original GLEP 76
change from April if someone is really so-inclined, but I'm
not sure my mind is likely to change.

thanks,
sam

Re: [gentoo-project] RFC: GLEP-76 copyright update, established pseudonyms and recruitment

[Haelwenn (lanodan) Monnier]

[2023-07-29 07:55:19-0400] Michael Orlitzky:
>On Fri, 2023-07-28 at 16:50 +0300, Joonas Niilola wrote:
>>
>> I'm just gauging community feedback whether this should be made into
>> official policy, one way or another. What points are there for, and against?
>
>Uploading malicious packages to pypi, npm, etc. is very popular these
>days and is only possible because the developers can use pseudonyms.

I don't see how a name really changes the state of things much, specially as with homonyms you'd rather not do name-based bans.

I think the real reason pypi/npm/… have a lot of malware is because there's no a-priori moderation, you can just register an account and directly upload whatever you want, with AFAIK with no scans/limitations (for example you can upload binaries).

Meanwhile distros like Gentoo on the other hand review submissions from users, where what's done can always be verified ("trust but verifiable"), even from more trusted people like the developers.