On Nov 15, 2005, at 6:53 AM, Tim Ellison wrote:

Geir Magnusson Jr. wrote:

I'm sorry, but I don't understand the issue here.  I'm proposing that

a) We suggest to people that are about to contribute to us to do some
careful inspection before they do that.  The assumption here is that
people are well-meaning but sometimes make mistakes or are lazy, and
we want them to think before they contribute. A keyword scanner (which is a glorified "grep") is a great way to find things that you weren't aware were there, such as who the authors were (if there are author tags), what copyright claims are listed in the files, etc. There's nothing
inherently evil about it.  It doesn't matter what SCO or anyone else
did with a keyword scanner - we're trying to have it used to protect
ourselves and, just as importantly, other copyright holders like Sun.


The keyword scan would be another tool in the Harmony IP-cleanliness
toolkit, alongside the Contributor Questionnaire and Bulk Contribution
Policy.  I'd like to see such a tool used not only on incoming bulk
contributions but also used regularly on the day-to-day developed code
base in svn.

Exactly.


Such tools and processes will never be perfect, and can only provide
assistance with limited aspects (copyright/trademark) of the
IP-cleanliness goal; however, it does set the tone for the project --
that we care about such things for the Harmony code, and that we respect
the IP rights of code outside Harmony to not be misappropriated into
Harmony.

That said, I agree with Leo that naming BlackDuck as the provider of
such cleanliness checks limits the Bulk Contribution Policy in a manner
that is unnecessary.  The PPMC should be in a position to decide
whether the actual checks performed by a contributor are sufficient or
whether they think further checks are required.

We used the phrase "such as" to give people the idea. We don't want to endorse or promote any such technology or company as part of our governance process (of course), so it was never meant that we'd have specific endorsements in our guidelines for contributors. The phrasing as is was to illustrate and trigger discussion.

However, the key issue is what we do in the project. I think that we should have a baseline set of checks though, as that makes our IP pedigree that much simpler and cleaner....



b) We use a tool internally to check code for which the contributor
can't provide our ASQ for each author. Ok, the tool isn't open source,
but I don't know of any options, and we need something like this
*now*. I'd love to see us create a toolsuite like this (because one of
my goals is to work out a process that we can share with the rest of
the ASF....), but we don't have the luxury of time to do it.


I have no experience of using BlackDuck, and no reason to believe they
are anything other than a fine bunch of people.  IMHO we will be more
successful by informing people of the risks and adopting good working
practices rather than looking for the biggest stick to hit offenders (I
know that you are not advocating that approach!).

So my constructive suggestion is to keep the extra questions in the
questionnaire, but remove the single sentence:
  "For example, the contribution may be compared against known
   proprietary implementations of similar technology using a
   service such as that offered by Black Duck or XXXXXXXXXX."

maybe replacing it with a reference to current best practice.


Yep

geir

--
Geir Magnusson Jr                                  +1-203-665-6437
[EMAIL PROTECTED]

