On Mon, Aug 3, 2015 at 11:10 PM, Loic Dachary <l...@dachary.org> wrote:
>
>
> On 03/08/2015 21:18, John Spray wrote:
>> On Fri, Jul 31, 2015 at 8:59 PM, Loic Dachary <l...@dachary.org> wrote:
>>> Hi Ceph,
>>>
>>> We require that each commit has a Signed-off-by line with the name and 
>>> email of the author. The general idea is that the Ceph project trusts each 
>>> developer to understand what it entails[1]. There is no formal 
>>> verification: the person submitting the patch could use a fake name or 
>>> publish code from someone else. In reality the odds of that happening and 
>>> causing problems are so low that neither Ceph nor the Linux kernel felt the 
>>> need to impose a more formal process. There is no bulletproof process 
>>> anyway; it's all about balancing risks and costs.
>>>
>>> If a contributor was using an alias that looks like a real name (for 
>>> instance I could contribute under the name Louis Lavile), (s)he would go 
>>> unnoticed and her/his contribution would be accepted as any other. If the 
>>> same contributor was using an alias that is obviously an alias (such as A. 
>>> Nonymous), it would raise the question of accepting contributions 
>>> Signed-off with an alias.
>>>
>>> I think Ceph should accept contributions that are signed with an alias 
>>> because it does not make a difference.
>>>
>>> From a lawyer perspective, there is a difference between an alias and a 
>>> real name, of course. Should the author be in court, (s)he would have to 
>>> prove (s)he is the person behind the alias. If (s)he was using her/his real 
>>> name, an ID card would be enough. And probably other differences that I 
>>> don't see because IANAL. However since we already accept Signed-off-by that 
>>> are not formally verified, we're already in a situation where we implicitly 
>>> accept aliases. Explicitly accepting aliases would not change that, 
>>> therefore it is not actually something we need to run by lawyers because 
>>> nothing changes from a legal standpoint.
>>>
>>> What do you think ?
>>
>> (Without any legal knowledge whatsoever, and speaking in general terms
>> rather than about any particular code or vendor's practices or
>> products)
>
> In these matters the project lead needs to make a decision that makes sense 
> and then ask lawyers to implement it. We don't need to be lawyers to do 
> that.
>
>>
>> My understanding is that projects use a Signed-off-by line for the
>> contributor to certify that they agree with the "Developer's
>> Certificate of Origin".
>>
>> The purpose of a certificate of origin is that if I am distributing
>> AcmeProject packages, and EvilCorp says "hey, we found our highly
>> patented code in your package!" then I can say "actually this was
>> submitted by Elizabeth Windsor <l...@buckinghampalace.org>, who
>> certified to me that she had the rights to the code.  I can thus
>> demonstrate that the original infringement was by her, and any
>> infringement in my distribution of the software was accidental, I
>> acted in good faith."
>>
>> OTOH if I said "That code was contributed by A.Nonymous", then
>> EvilCorp would say "Well, that could just as easily have been one of
>> your own developers, acting anonymously, so you have not demonstrated
>> that the infringement was unintentional".
>>
>> So in my opinion, it is necessary that any project wishing to apply a
>> "certificate of origin" process also needs to have a real name policy.
>
> If that was indeed what a Signed-off-by does, I would also be against using 
> aliases. In reality a Signed-off-by is nothing more than a convenient means to 
> get in touch with someone who claimed to be the author of a patch.
>
> The companies making and distributing Free Software using Signed-off-by like 
> Ceph does, do not attempt to even verify that the person behind the 
> Signed-off-by really is who (s)he claims. I don't think that's because they 
> have been careless for the past decade. I think that's because it would not 
> make a significant difference and that it would be a burden to the project. 
> The company lawyers would certainly claim that it would be better to verify 
> the identity for each Signed-off-by. But in practice they don't push for it, 
> not even for the Linux kernel, which went into more legal troubles than any 
> other Free Software project.
>
> My point is that there could already be a dozen aliases that look like 
> real names in the current Signed-off-by list. Explicitly accepting aliases 
> that look like aliases would just be an acknowledgement of what we already do.

I won't be merging any code with obvious aliases for exactly the
reasons John mentions. Obviously IANAL, but I think you'll find law
proceedings in the USA would look much less kindly on accepting
obvious aliases versus having a real name policy — which we do, even
if it's not diligently checked. Keep in mind that we generally have a
background on our contributors to track them down even if they are
using a non-obvious alias.
-Greg