From: Michał Górny
To: gentoo-project@lists.gentoo.org
Subject: Re: [gentoo-project] call for agenda items -- council meeting 2019-04-14
Date: Thu, 04 Apr 2019 07:20:49 +0200

On Wed, 2019-04-03 at 18:35 -0400, Alec Warner wrote:
> On Wed, Apr 3, 2019 at 2:44 PM Michał Górny wrote:
>
> > On Wed, 2019-04-03 at 17:43 +0300, Andrew Savchenko wrote:
> > > Why? We have no way to verify that provided names are valid or that
> > > provided ID's are valid. At least in my jurisdiction such
> > > information collected can't be used for legal action or protection
> > > without following established government-assisted verification
> > > procedure. In other jurisdictions similar problems may and will
> > > arise.
> >
> > 'Perfect is the enemy of good'. Claiming that you can't be 100% sure
> > that someone's giving his real name doesn't imply that everyone is using
> > fake names. Or that it makes no sense to use them.
> >
> > > Additional problem is personal data collection, it is
> > > restricted or heavily regulated in many countries. One can't just
> > > demand to show an ID via electronic means without following
> > > complicated data protection procedures which are likely to be
> > > incompatible between jurisdictions.
> >
> > Do you have any proof of that, or are you just basing your comments
> > on the common concept of misunderstanding GDPR and extending it to match
> > your private interest?
> >
> > > So the real name requirement gives us no real protection from
> > > possible cases, but creates real and serious problems by kicking
> > > active developers and contributors from further contributions.
> > > NP-Hardass is not the only one.
> >
> > Do you have any proof of that? As far as I'm concerned, we're pretty
> > clear that NP-Hardass can't contribute to Gentoo, and that his previous
> > contributions shouldn't have been accepted in the first place (and why
> > Trustees agreed to them is another problem).
> > Are you going to take legal and financial responsibility if his
> > employer claims copyright to his contributions? And if you say yes,
> > are you going to really take it or go with the aforementioned attitude
> > that we can't legally force you to?
> >
>
> Under the current policy we do not accept contributions from contributors
> whose names we believe are not real identities. The current policy says
> nothing about previous contributions; almost everyone who contributed to
> Gentoo over the past 20 years did so without signing anything, without
> identity verification, and with no DCO. Those commits were accepted and
> continue to be accepted until we decide otherwise. I don't like the way you
> construe the previous work of hundreds of people who contributed to the
> project; I find the idea that we should never have accepted these
> contributions to be pretty offensive.
>
> You are free to blame the organization for having bad policies (and you do
> and I'm the board President and I will 1000% take the blame) but don't for
> a minute blame people who are just trying to contribute and following the
> policies that the project had at the time. As you wrote above "perfect is
> the enemy of the good" and if we rejected the previous 20 years of work
> we'd have basically nothing, so we accept that risk as a cost of continuing
> to exist as a Foundation. No business operates with zero risk.

I'm sorry. I don't know what exact knowledge people who made those
decisions had. I'm just saying that if you know that someone is hiding
his contributions to Gentoo from his employer, and if you know that
employers often claim copyright to all work their employees do... you
get the picture, right?

And no, I'm not saying people will sue the hell out of us, take all our
money, arrest all developers they can.
What I'm really worried about is that if they claim copyright to those
contributions, we will have to spend a lot of work finding all his
contributions and replacing them with unencumbered code. And it will be
especially hard to prove we aren't copying that copyrighted code given
that ebuilds are very uniform by nature.

> > > I invited some gifted people with
> > > high quality out-of-tree work to become contributors or developers,
> > > but due to hostile attitude towards anonymous contributors they
> > > can't join. And people want to stay anonymous for good reasons,
> > > because they are engaged with privacy oriented development.
> >
> > This is a very vague statement that sounds like serious overstatement
> > with no proof, aimed purely to force emotional reaction to support your
> > proposal. If you really want to propose something meaningful, I'd
> > really appreciate if you used real evidence to support it rather than
> > vague claims.
> >
> > > We are losing real people, real contributions and real community.
> > > What for? For solving imaginary problems with inappropriate tools.
> > >
> >
> > Thank you for telling us that copyright is an imaginary problem.
> >
>
> Your words are like knives, and this leads to a perception of antagonism.

...and accusing Council of 'solving imaginary problems' is not? As far
as I'm concerned, that's a *very antagonistic* statement, and seriously
undermining Council's professionality.

> 1) The policies of the project currently prioritize a knowledge of where
> commits come from in order to eventually reduce liability risk for the
> project.
> 2) I firmly do not believe the project has anything against anonymous /
> pseudonymous contributors (nor should it; if you think it does I'm happy to
> amend bylaws, GLEPs, and any other charter documents to state that we have
> nothing against that type of contribution.)
> 3) The current policy makes it difficult to contribute in this way; because
> we have this trade-off we have made where we want to know where commits
> come from for legal reasons.)
>
> It's OK to say "Hi X, we cannot accept your anonymous / pseudonymous
> contribution because of this policy, and we made this policy to solve a
> problem of copyright liability for the organization."
> I don't think it's OK to say "Hi X, it's completely unreasonable to want to
> contribute to Gentoo in an Anonymous or Pseudonymous manner; please file
> your identity papers to me immediately!"
>
> My reading is your comments are closer to the latter than the former; I'm
> just not sure why that is.
>
> I think it's perfectly sane to ask "how can we build an organization where
> we can accept pseudonymous contributions and contain our liability for code
> from unverified contributors?" and have people interested in that write up
> and vet proposals. I get that it's a complex and difficult problem area;
> maybe none of the proposals will work! but that doesn't mean we shouldn't
> try to do it.

This seems to entirely miss the point taken from Linux policy, and focus
on the 'Gentoo is Foundation' model. It's not. Gentoo is distributed to
all our users, and all our users need to be able to verify that the code
comes from contributors who are actually allowed to contribute. They
can't really hit 'Foundation has this data somewhere in secret' wall.
If not anything else, this makes the project non-transparent, and raises
serious doubts whether users can actually trust it.
--
Best regards,
Michał Górny