Geir Magnusson Jr. wrote:
> I'm sorry, but I don't understand the issue here. I'm proposing that
>
> a) We suggest to people that are about to contribute to us to do some
> careful inspection before they do that. The assumption here is that
> people are well-meaning but sometimes make mistakes or are lazy, and
> we want them to think before they contribute. A keyword scanner (which
> is a glorified "grep") is a great way to find things that you weren't
> aware were there, such as who the authors were (if there are author tags),
> what copyright claims are listed in the files, etc. There's nothing
> inherently evil about it. It doesn't matter what SCO or anyone else
> did with a keyword scanner - we're trying to have it used to protect
> ourselves and, just as importantly, other copyright holders like Sun.

The keyword scan would be another tool in the Harmony IP-cleanliness toolkit, alongside the Contributor Questionnaire and Bulk Contribution Policy. I'd like to see such a tool used not only on incoming bulk contributions but also used regularly on the day-to-day developed code base in svn.

Such tools and processes will never be perfect, and can only provide assistance with limited aspects (copyright/trademark) of the IP-cleanliness goal; however, it does set the tone for the project -- that we care about such things for the Harmony code, and that we respect the IP rights of code outside Harmony to not be misappropriated into Harmony.

That said, I agree with Leo that naming BlackDuck as the provider of such cleanliness checks limits the Bulk Contribution Policy in a manner that is unnecessary. The PPMC should be in a position to decide whether the actual checks performed by a contributor are sufficient or whether they think further checks are required.

> b) We use a tool internally to check code for which the contributor
> can't provide our ASQ for each author. Ok, the tool isn't open source,
> but I don't know of any options, and we need something like this
> *now*. I'd love to see us create a toolsuite like this (because one of
> my goals is to work out a process that we can share with the rest of
> the ASF....), but we don't have the luxury of time to do it.

I have no experience of using BlackDuck, and no reason to believe they are anything other than a fine bunch of people. IMHO we will be more successful by informing people of the risks and adopting good working practices rather than looking for the biggest stick to hit offenders (I know that you are not advocating that approach!).

So my constructive suggestion is to keep the extra questions in the questionnaire, but remove the single sentence:

"For example, the contribution may be compared against known proprietary implementations of similar technology using a service such as that offered by Black Duck or XXXXXXXXXX."

maybe replacing it with a reference to current best practice.

Regards,
Tim

-- 
Tim Ellison ([EMAIL PROTECTED])
IBM Java technology centre, UK.
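The "glorified grep" keyword scanner Geir describes, written out as an added example that is not part of the thread and not any tool used by the Harmony project. It walks a source tree, flags lines carrying authorship, copyright or ownership keywords, and summarises hits per file so a reviewer can see what a contribution actually contains before it lands in svn. The keyword list, the scanned file suffixes and the constructed sample tree are all assumptions for illustration; a project would tune them to its own code base.

```shell
#!/bin/sh
# Added example: a minimal keyword scanner for pre-commit IP review.
# Not from the Harmony thread; keyword list and suffixes are assumptions.

# Keywords to flag (extended regex, matched case-insensitively).
KEYWORDS='@author|copyright|\(c\)|proprietary|confidential|all rights reserved'

# Print "file:line:text" for every hit under directory $1.
# Only source-like files are scanned (the suffix list is an assumption).
scan_keywords() {
    find "$1" -type f \( -name '*.java' -o -name '*.c' -o -name '*.h' \) \
        -exec grep -nHiE "$KEYWORDS" {} + 2>/dev/null || true
}

# Number of flagged lines under $1, the scan's one-line summary figure.
count_hits() {
    scan_keywords "$1" | wc -l | tr -d ' '
}

# Per-file hit counts, noisiest files first, to direct a reviewer's attention.
summarize_hits() {
    scan_keywords "$1" | cut -d: -f1 | sort | uniq -c | sort -rn
}

# Build a small constructed tree under $1 so the scanner can run offline.
make_sample_tree() {
    mkdir -p "$1/src" "$1/docs"
    cat > "$1/src/A.java" <<'EOF'
/*
 * Copyright 2006 Example Corp (constructed sample, not real code)
 * @author someone@example.invalid
 */
public class A { }
EOF
    cat > "$1/src/B.java" <<'EOF'
// clean file: nothing to flag
public class B { }
EOF
    cat > "$1/src/native.c" <<'EOF'
/* All rights reserved. Constructed sample. */
int f(void) { return 0; }
EOF
    cat > "$1/docs/notes.txt" <<'EOF'
Proprietary text in a non-source file; skipped by the suffix filter.
EOF
}

# Stand-alone run: scan the directory given on the command line,
# or the constructed sample tree when none is given.
if [ -n "${1:-}" ]; then
    target="$1"
else
    target=$(mktemp -d)
    make_sample_tree "$target"
fi
echo "== flagged lines under $target =="
scan_keywords "$target"
echo "== hits per file =="
summarize_hits "$target"
echo "total flagged lines: $(count_hits "$target")"
```

Run it as `sh scan.sh path/to/contribution` to review an incoming bulk contribution, or without arguments to see it work on the constructed tree. On that tree it flags the copyright and @author lines in A.java and the "All rights reserved" line in native.c (three lines in total), while the non-source notes.txt is skipped; the per-file summary is the part a reviewer would actually read first on a large drop.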
