On Wed, Sep 29, 1999 at 07:07:07PM +0200, Henning Makholm wrote:
> Christian Surchi <[EMAIL PROTECTED]> writes:
>
> > I have a package (tkpgp) from munitions.vipul.net archive and the
> > upstream maintainer wants to distribute only his email and his
> > nick. The program is GPL. Can this package stay in Debian, without
> > real name of author in debian/copyright?
>
> An interesting question. Personally I'd doubt it: what sort of
> guarantees do we have that the anonymous guy who claims copyright
> really has copyright?
>

This is a bad situation. I'm assuming the tkpgp maintainer wants to remain anonymous because distributing tkpgp might place him in violation of export laws in his home country.

> A concrete scenario: by the time J. Random CD Manufacturer has
> pressed 100.000 sets of Potato disks, somebody stands forward and
> asserts the copyright to the package, demanding that he be paid
> a humongous license fee or the disks are destroyed. Now, who can
> JRCM sue for making the false claim that the program was GPL?
>

Here in the US, we name a pseudonym like John Doe in the initial filing. Then legal tools (subpoena, court order, etc.) are used to determine the true identity of the anonymous offender.

> If the identity of the upstream maintainer who claimed GPL was
> known, things would be relatively easy - the culprit can be held
> responsible, and even if he's nowhere to find Debian has acted in
> good faith and made any reasonable effort to identify the sources
> of the rumors we act upon.
>

True. The ideal thing for the author of tkpgp to do in this case would be to assign the copyright of tkpgp to the Free Software Foundation under the condition that they keep his identity a secret.

> However, if Debian started accepting code based on anonymous hearsay
> that whoever wrote this means it to be under GPL, and a scenario
> like the above came true, Debian's general reputation would go way
> down.
>

Yes. It would be unwise to rely on the author's word alone. Perhaps there is some way he can provide some evidence that he is the author without revealing his identity? PGP timestamp servers would be an excellent way of showing the progression of development and proving that a given document or program was in existence at a certain time in order to be signed by the author and the timestamp server, but this is not something that can be done retroactively. In this case, the author would have the first and only copy in existence immediately after creating it by nature of the author, and thus would be able to produce the oldest signed and timestamped version of the program. Like a notary mark on an engineering notebook, it would prove them to be the first inventor (author).

>
> However, it is another question if the anonymous maintainer simply
> maintains code that some earlier author or maintainer (who was a real,
> identifiable person) put under the GPL.
>

In this case, it's a bit more safe because we're assured the program hasn't been stolen wholesale. But it's still more difficult to make someone accountable if he's snagged a few functions from a proprietary codebase and incorporated them into his program. Nobody wants to sue a pseudonym, so they're very likely to point the finger at someone else who's not responsible but somehow connected to the incident -- like Debian/SPI or the CD publisher.

I'm not a lawyer, but I hear the Free Software Foundation has a few good ones working for them. I'm sure they'd see to it that everything was taken care of if the author of tkpgp was to assign his copyright. It is probably worth looking into. Good Luck.

--
Brian Ristuccia
[EMAIL PROTECTED]
[EMAIL PROTECTED]
[EMAIL PROTECTED]

