On Wed, Sep 8, 2021 at 11:11 David Jencks <david.a.jen...@gmail.com> wrote:

> I’m watching from the sidelines….
>
> IIUC you are saying that if AsterixDB started over with a history-free
> tarball for this donation this whole question of validating the source
> origin would not arise and we’d just trust the SGA?

No, not at all. If the donation came with the original headers and we knew
that the donor had done due diligence when developing the software
internally to confirm the source of all lines of code followed regular
licensing practices we would have less concern.

The big issue is that the donor changed the license headers before
donating. There’s actually no usable history in the GitHub repo as best as
I can tell.

>
> While some history is nice to have, I’m not sure it’s worth this
> conversation.
>
> David Jencks
>
> > On Sep 7, 2021, at 5:42 PM, John D. Ament <johndam...@apache.org> wrote:
> >
> > Hi Till
> >
> > fwiw I think the donation is fine though the AsterixDB PMC will need to do
> > some due diligence in verifying ownership of code before forming a release.
> > This is likely what Justin is trying to refer to as well.
> >
> > Some background on possible issues….
> >
> > Before GitHub became the popular place to do this, when a donation was
> > received, a tarball without any history was the preferred method to receive
> > it. Since the donation was put on GitHub it leaves some ambiguity with the
> > actual history of the code. The ASF headers already applied create some
> > additional cautiousness here - no one can validate 100% that the code being
> > donated can actually be claimed by Couchbase. No way to see if some code
> > was lifted via Stack Overflow or taken from a GPL library.
> >
> > So here’s my +1 with the cautionary note about validating the original
> > source of each line of code.
> >
> > John
> >
> >
> > On Tue, Sep 7, 2021 at 19:01 Till Westmann <ti...@apache.org> wrote:
> >
> >> Hi Justin,
> >>
> >> On 3 Sep 2021, at 0:46, Justin Mclean wrote:
> >>
> >>>> Please help me understand why
> >>>> - the software grant from Couchbase and
> >>>> - the acceptance from the AsterixDB project
> >>>> are not sufficient to approve this donation.
> >>>
> >>> Because IMO the information provided doesn’t give sufficient detail
> >>> to determine who has contributed to the codebase, the history of
> >>> contributions has been hidden, the IP ownership of files can't really
> >>> be determined from what has been provided and previous questions by
> >>> the IPMC on this donation went unanswered.
> >>
> >> On our "Contributor Agreements" page [1] we say:
> >>
> >> "When an individual or corporation [in this case a corporation] decides
> >> to donate a body of existing software or documentation to one of the
> >> Apache projects, they need to execute a formal Software Grant Agreement
> >> (SGA) with the ASF [which has been executed and recorded]. Typically,
> >> they do this after negotiating approval with the ASF Incubator or one of
> >> the PMCs [in this case the AsterixDB PMC], since the ASF does not accept
> >> software unless there is a viable community available to support it as
> >> part of a collaborative project."
> >>
> >> The code has been developed by developers working for Couchbase and the
> >> IP is owned by the corporation. Couchbase has executed the SGA and has
> >> specified which code is contributed to the ASF under the terms of the
> >> SGA. As the AsterixDB PMC has voted to accept the donation it seems that
> >> all requirements to accept the donation are met.
> >>
> >> Wasn't the SGA designed for cases like this where a corporation (and not
> >> an individual) contributes code to an Apache project?
> >>
> >> On your questions:
> >> Q: Where was this code originally developed and who worked on it? There is
> >> only a couple of commits in that repo, so it doesn’t seem to have
> >> been developed there.
> >> A: This code was originally developed by multiple developers working for
> >> Couchbase. The names of current and former developers at Couchbase who
> >> have worked on it (and who largely do not have an ICLA on file) seem to
> >> be immaterial for the IP question as an SGA is recorded.
> >>
> >> Q: Why does the code have ASF headers on it before being donated? Were
> >> any 3rd party headers removed?
> >> A: The repository with the Apache license headers was created with the
> >> purpose of being donated to the ASF. Couchbase's copyright notices were
> >> removed from the source files and corresponding NOTICE files were added.
> >> ASF headers were added to files that did not have license headers and
> >> regular Apache License headers were replaced with the ASF headers.
> >>
> >> Q: Have all contributors signed ICLAs and/or do we have a SGA from
> >> CouchBase?
> >> A: A SGA has been executed and recorded. Not all contributors have
> >> signed an ICLA, but that also seems immaterial as the SGA is available.
> >>
> >> Regards,
> >> Till
> >>
> >> [1] https://www.apache.org/licenses/contributor-agreements.html#grants
> >>
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org
> >> For additional commands, e-mail: general-h...@incubator.apache.org
> >>
> >>
