* Signed-off-by and aliases
@ 2015-07-31 19:59 Loic Dachary
  2015-08-01  8:11 ` Wido den Hollander
  2015-08-03 19:18 ` John Spray
  0 siblings, 2 replies; 24+ messages in thread
From: Loic Dachary @ 2015-07-31 19:59 UTC
  To: Ceph Development

Hi Ceph,

We require that each commit has a Signed-off-by line with the name and email of the author. The general idea is that the Ceph project trusts each developer to understand what it entails[1]. There is no formal verification : the person submitting the patch could use a fake name or publish code from someone else. In reality the odds of that happening and causing problems are so low that neither Ceph nor the Linux kernel felt the need to impose a more formal process. There is no bulletproof process anyway, it's all about balancing risks and costs.

If a contributor was using an alias that looks like a real name (for instance I could contribute under the name Louis Lavile), (s)he would go unnoticed and her/his contribution would be accepted as any other. If the same contributor was using an alias that is obviously an alias (such as A. Nonymous), it would raise the question of accepting contributions Signed-off with an alias.

I think Ceph should accept contributions that are signed with an alias because it does not make a difference.

From a lawyer perspective, there is a difference between an alias and a real name, of course. Should the author be in court, (s)he would have to prove (s)he is the person behind the alias. If (s)he was using her/his real name, an ID card would be enough. And probably other differences that I don't see because IANAL. However since we already accept Signed-off-by that are not formally verified, we're already in a situation where we implicitly accept aliases. Explicitly accepting aliases would not change that, therefore it is not actually something we need to run by lawyers because nothing changes from a legal standpoint.

What do you think ?

Cheers

[1] SIGNING CONTRIBUTIONS https://github.com/ceph/ceph/blob/master/SubmittingPatches#L13

-- 
Loïc Dachary, Artisan Logiciel Libre



* Re: Signed-off-by and aliases
  2015-07-31 19:59 Signed-off-by and aliases Loic Dachary
@ 2015-08-01  8:11 ` Wido den Hollander
  2015-08-02 16:19   ` Joao Eduardo Luis
  2015-08-03 19:18 ` John Spray
  1 sibling, 1 reply; 24+ messages in thread
From: Wido den Hollander @ 2015-08-01  8:11 UTC
  To: Loic Dachary, Ceph Development

On 07/31/2015 09:59 PM, Loic Dachary wrote:
> Hi Ceph,
> 
> We require that each commit has a Signed-off-by line with the name and email of the author. The general idea is that the Ceph project trusts each developer to understand what it entails[1]. There is no formal verification : the person submitting the patch could use a fake name or publish code from someone else. In reality the odds of that happening and causing problems are so low that neither Ceph nor the Linux kernel felt the need to impose a more formal process. There is no bulletproof process anyway, it's all about balancing risks and costs.
> 
> If a contributor was using an alias that looks like a real name (for instance I could contribute under the name Louis Lavile), (s)he would go unnoticed and her/his contribution would be accepted as any other. If the same contributor was using an alias that is obviously an alias (such as A. Nonymous), it would raise the question of accepting contributions Signed-off with an alias.
> 
> I think Ceph should accept contributions that are signed with an alias because it does not make a difference.
> 
> From a lawyer perspective, there is a difference between an alias and a real name, of course. Should the author be in court, (s)he would have to prove (s)he is the person behind the alias. If (s)he was using her/his real name, an ID card would be enough. And probably other differences that I don't see because IANAL. However since we already accept Signed-off-by that are not formally verified, we're already in a situation where we implicitly accept aliases. Explicitly accepting aliases would not change that, therefore it is not actually something we need to run by lawyers because nothing changes from a legal standpoint.
> 
> What do you think ?
> 

Using an alias is just dumb since it would only make you lose the
copyright since it's not you doing the commit.

However, if we want to go for security, there is also a way to sign your
Git commits using GPG [2].

[2]: https://git-scm.com/book/tr/v2/Git-Tools-Signing-Your-Work

> Cheers
> 
> [1] SIGNING CONTRIBUTIONS https://github.com/ceph/ceph/blob/master/SubmittingPatches#L13
> 


-- 
Wido den Hollander
42on B.V.
Ceph trainer and consultant

Phone: +31 (0)20 700 9902
Skype: contact42on


* Re: Signed-off-by and aliases
  2015-08-01  8:11 ` Wido den Hollander
@ 2015-08-02 16:19   ` Joao Eduardo Luis
  2015-08-03 19:02     ` Wido den Hollander
  0 siblings, 1 reply; 24+ messages in thread
From: Joao Eduardo Luis @ 2015-08-02 16:19 UTC
  To: Wido den Hollander, Loic Dachary, Ceph Development

On 08/01/2015 09:11 AM, Wido den Hollander wrote:
> On 07/31/2015 09:59 PM, Loic Dachary wrote:
>> Hi Ceph,
>>
>> We require that each commit has a Signed-off-by line with the name and email of the author. The general idea is that the Ceph project trusts each developer to understand what it entails[1]. There is no formal verification : the person submitting the patch could use a fake name or publish code from someone else. In reality the odds of that happening and causing problems are so low that neither Ceph nor the Linux kernel felt the need to impose a more formal process. There is no bulletproof process anyway, it's all about balancing risks and costs.
>>
>> If a contributor was using an alias that looks like a real name (for instance I could contribute under the name Louis Lavile), (s)he would go unnoticed and her/his contribution would be accepted as any other. If the same contributor was using an alias that is obviously an alias (such as A. Nonymous), it would raise the question of accepting contributions Signed-off with an alias.
>>
>> I think Ceph should accept contributions that are signed with an alias because it does not make a difference.
>>
>> From a lawyer perspective, there is a difference between an alias and a real name, of course. Should the author be in court, (s)he would have to prove (s)he is the person behind the alias. If (s)he was using her/his real name, an ID card would be enough. And probably other differences that I don't see because IANAL. However since we already accept Signed-off-by that are not formally verified, we're already in a situation where we implicitly accept aliases. Explicitly accepting aliases would not change that, therefore it is not actually something we need to run by lawyers because nothing changes from a legal standpoint.
>>
>> What do you think ?
>>
> 
> Using an alias is just dumb since it would only make you lose the
> copyright since it's not you doing the commit.

Do you have a source that corroborates this statement? I would be deeply
grateful if you could point me to something of the sort :)

As far as I could gather however, this doesn't seem to hold up.

As per the Berne Convention's Article 15 [1] number (1), identification
of an author is possible even using a pseudonym, where said pseudonym
"leaves no doubt as to his identity"; number (3) further states that

"In the case of anonymous and pseudonymous works, other than those
referred to in paragraph (1) above, the publisher whose name appears on
the work shall, in the absence of proof to the contrary, be deemed to
represent the author, and in this capacity he shall be entitled to
protect and enforce the author's rights. The provisions of this
paragraph shall cease to apply when the author reveals his identity and
establishes his claim to authorship of the work."

So this would have me believing that, as long as the original author has
some means of proving he is the original author using a given pseudonym,
said author can at any point in time reclaim authorship.

IANAL, but would think this whole thing hinges however on the
contribution being considered a 'work' that could benefit from protection.

  -Joao

[1] -
http://www.wipo.int/wipolex/en/treaties/text.jsp?file_id=283698#P192_37445



> 
> However, if we want to go for security, there is also a way to sign your
> Git commits using GPG [2].
> 
> [2]: https://git-scm.com/book/tr/v2/Git-Tools-Signing-Your-Work
> 
>> Cheers
>>
>> [1] SIGNING CONTRIBUTIONS https://github.com/ceph/ceph/blob/master/SubmittingPatches#L13
>>
> 
> 



* Re: Signed-off-by and aliases
  2015-08-02 16:19   ` Joao Eduardo Luis
@ 2015-08-03 19:02     ` Wido den Hollander
  0 siblings, 0 replies; 24+ messages in thread
From: Wido den Hollander @ 2015-08-03 19:02 UTC
  To: Joao Eduardo Luis, Loic Dachary, Ceph Development

On 08/02/2015 06:19 PM, Joao Eduardo Luis wrote:
> On 08/01/2015 09:11 AM, Wido den Hollander wrote:
>> On 07/31/2015 09:59 PM, Loic Dachary wrote:
>>> Hi Ceph,
>>>
>>> We require that each commit has a Signed-off-by line with the name and email of the author. The general idea is that the Ceph project trusts each developer to understand what it entails[1]. There is no formal verification : the person submitting the patch could use a fake name or publish code from someone else. In reality the odds of that happening and causing problems are so low that neither Ceph nor the Linux kernel felt the need to impose a more formal process. There is no bulletproof process anyway, it's all about balancing risks and costs.
>>>
>>> If a contributor was using an alias that looks like a real name (for instance I could contribute under the name Louis Lavile), (s)he would go unnoticed and her/his contribution would be accepted as any other. If the same contributor was using an alias that is obviously an alias (such as A. Nonymous), it would raise the question of accepting contributions Signed-off with an alias.
>>>
>>> I think Ceph should accept contributions that are signed with an alias because it does not make a difference.
>>>
>>> From a lawyer perspective, there is a difference between an alias and a real name, of course. Should the author be in court, (s)he would have to prove (s)he is the person behind the alias. If (s)he was using her/his real name, an ID card would be enough. And probably other differences that I don't see because IANAL. However since we already accept Signed-off-by that are not formally verified, we're already in a situation where we implicitly accept aliases. Explicitly accepting aliases would not change that, therefore it is not actually something we need to run by lawyers because nothing changes from a legal standpoint.
>>>
>>> What do you think ?
>>>
>>
>> Using an alias is just dumb since it would only make you lose the
>> copyright since it's not you doing the commit.
> 
> Do you have a source that corroborates this statement? I would be deeply
> grateful if you could point me to something of the sort :)
> 

IANAL either. But using an alias would ONLY complicate things for yourself.

The risk of losing the copyright is only bigger when not using your own
name.

But like I mentioned, as a project Ceph can mandate the usage of GPG for
signing off commits.

Wido

> As far as I could gather however, this doesn't seem to hold up.
> 
> As per the Berne Convention's Article 15 [1] number (1), identification
> of an author is possible even using a pseudonym, where said pseudonym
> "leaves no doubt as to his identity"; number (3) further states that
> 
> "In the case of anonymous and pseudonymous works, other than those
> referred to in paragraph (1) above, the publisher whose name appears on
> the work shall, in the absence of proof to the contrary, be deemed to
> represent the author, and in this capacity he shall be entitled to
> protect and enforce the author's rights. The provisions of this
> paragraph shall cease to apply when the author reveals his identity and
> establishes his claim to authorship of the work."
> 
> So this would have me believing that, as long as the original author has
> some means of proving he is the original author using a given pseudonym,
> said author can at any point in time reclaim authorship.
> 
> IANAL, but would think this whole thing hinges however on the
> contribution being considered a 'work' that could benefit from protection.
> 
>   -Joao
> 
> [1] -
> http://www.wipo.int/wipolex/en/treaties/text.jsp?file_id=283698#P192_37445
> 
> 
> 
>>
>> However, if we want to go for security, there is also a way to sign your
>> Git commits using GPG [2].
>>
>> [2]: https://git-scm.com/book/tr/v2/Git-Tools-Signing-Your-Work
>>
>>> Cheers
>>>
>>> [1] SIGNING CONTRIBUTIONS https://github.com/ceph/ceph/blob/master/SubmittingPatches#L13
>>>
>>
>>
> 


-- 
Wido den Hollander
42on B.V.
Ceph trainer and consultant

Phone: +31 (0)20 700 9902
Skype: contact42on


* Re: Signed-off-by and aliases
  2015-07-31 19:59 Signed-off-by and aliases Loic Dachary
  2015-08-01  8:11 ` Wido den Hollander
@ 2015-08-03 19:18 ` John Spray
  2015-08-03 20:10   ` Loic Dachary
  1 sibling, 1 reply; 24+ messages in thread
From: John Spray @ 2015-08-03 19:18 UTC
  To: Loic Dachary; +Cc: Ceph Development

On Fri, Jul 31, 2015 at 8:59 PM, Loic Dachary <loic@dachary.org> wrote:
> Hi Ceph,
>
> We require that each commit has a Signed-off-by line with the name and email of the author. The general idea is that the Ceph project trusts each developer to understand what it entails[1]. There is no formal verification : the person submitting the patch could use a fake name or publish code from someone else. In reality the odds of that happening and causing problems are so low that neither Ceph nor the Linux kernel felt the need to impose a more formal process. There is no bulletproof process anyway, it's all about balancing risks and costs.
>
> If a contributor was using an alias that looks like a real name (for instance I could contribute under the name Louis Lavile), (s)he would go unnoticed and her/his contribution would be accepted as any other. If the same contributor was using an alias that is obviously an alias (such as A. Nonymous), it would raise the question of accepting contributions Signed-off with an alias.
>
> I think Ceph should accept contributions that are signed with an alias because it does not make a difference.
>
> From a lawyer perspective, there is a difference between an alias and a real name, of course. Should the author be in court, (s)he would have to prove (s)he is the person behind the alias. If (s)he was using her/his real name, an ID card would be enough. And probably other differences that I don't see because IANAL. However since we already accept Signed-off-by that are not formally verified, we're already in a situation where we implicitly accept aliases. Explicitly accepting aliases would not change that, therefore it is not actually something we need to run by lawyers because nothing changes from a legal standpoint.
>
> What do you think ?

(Without any legal knowledge whatsoever, and speaking in general terms
rather than about any particular code or vendor's practices or
products)

My understanding is that projects use a Signed-off-by line for the
contributor to certify that they agree with the "Developer's
Certificate of Origin".

The purpose of a certificate of origin is that if I am distributing
AcmeProject packages, and EvilCorp says "hey, we found our highly
patented code in your package!" then I can say "actually this was
submitted by Elizabeth Windsor <liz@buckinghampalace.org>, who
certified to me that she had the rights to the code.  I can thus
demonstrate that the original infringement was by her, and any
infringement in my distribution of the software was accidental, I
acted in good faith."

OTOH if I said "That code was contributed by A.Nonymous", then
EvilCorp would say "Well, that could just as easily have been one of
your own developers, acting anonymously, so you have not demonstrated
that the infringement was unintentional".

So in my opinion, it is necessary that any project wishing to apply a
"certificate of origin" process also needs to have a real name policy.

John


* Re: Signed-off-by and aliases
  2015-08-03 19:18 ` John Spray
@ 2015-08-03 20:10   ` Loic Dachary
  2015-08-12 10:54     ` Gregory Farnum
  0 siblings, 1 reply; 24+ messages in thread
From: Loic Dachary @ 2015-08-03 20:10 UTC
  To: John Spray; +Cc: Ceph Development

On 03/08/2015 21:18, John Spray wrote:
> On Fri, Jul 31, 2015 at 8:59 PM, Loic Dachary <loic@dachary.org> wrote:
>> Hi Ceph,
>>
>> We require that each commit has a Signed-off-by line with the name and email of the author. The general idea is that the Ceph project trusts each developer to understand what it entails[1]. There is no formal verification : the person submitting the patch could use a fake name or publish code from someone else. In reality the odds of that happening and causing problems are so low that neither Ceph nor the Linux kernel felt the need to impose a more formal process. There is no bulletproof process anyway, it's all about balancing risks and costs.
>>
>> If a contributor was using an alias that looks like a real name (for instance I could contribute under the name Louis Lavile), (s)he would go unnoticed and her/his contribution would be accepted as any other. If the same contributor was using an alias that is obviously an alias (such as A. Nonymous), it would raise the question of accepting contributions Signed-off with an alias.
>>
>> I think Ceph should accept contributions that are signed with an alias because it does not make a difference.
>>
>> From a lawyer perspective, there is a difference between an alias and a real name, of course. Should the author be in court, (s)he would have to prove (s)he is the person behind the alias. If (s)he was using her/his real name, an ID card would be enough. And probably other differences that I don't see because IANAL. However since we already accept Signed-off-by that are not formally verified, we're already in a situation where we implicitly accept aliases. Explicitly accepting aliases would not change that, therefore it is not actually something we need to run by lawyers because nothing changes from a legal standpoint.
>>
>> What do you think ?
> 
> (Without any legal knowledge whatsoever, and speaking in general terms
> rather than about any particular code or vendor's practices or
> products)

In these matters the project lead needs to make a decision that makes sense and then ask a lawyer to implement it. We don't need to be lawyers to do that.

> 
> My understanding is that projects use a Signed-off-by line for the
> contributor to certify that they agree with the "Developer's
> Certificate of Origin".
> 
> The purpose of a certificate of origin is that if I am distributing
> AcmeProject packages, and EvilCorp says "hey, we found our highly
> patented code in your package!" then I can say "actually this was
> submitted by Elizabeth Windsor <liz@buckinghampalace.org>, who
> certified to me that she had the rights to the code.  I can thus
> demonstrate that the original infringement was by her, and any
> infringement in my distribution of the software was accidental, I
> acted in good faith."
> 
> OTOH if I said "That code was contributed by A.Nonymous", then
> EvilCorp would say "Well, that could just as easily have been one of
> your own developers, acting anonymously, so you have not demonstrated
> that the infringement was unintentional".
> 
> So in my opinion, it is necessary that any project wishing to apply a
> "certificate of origin" process also needs to have a real name policy.

If that was indeed what a Signed-off-by does, I would also be against using aliases. In reality a Signed-off-by is nothing more than a convenient means to get in touch with someone who claimed to be the author of a patch.

The companies making and distributing Free Software using Signed-off-by like Ceph does, do not attempt to even verify that the person behind the Signed-off-by really is who (s)he claims. I don't think that's because they have been careless for the past decade. I think that's because it would not make a significant difference and that it would be a burden to the project. The company lawyers would certainly claim that it would be better to verify the identity for each Signed-off-by. But in practice they don't push for it, not even for the Linux kernel who went into more legal troubles than any other Free Software project.

My point is that there could already be a dozen aliases that look like real names in the current Signed-off-by list. Explicitly accepting aliases that look like aliases would just be an acknowledgement of what we already do.

Cheers

-- 
Loïc Dachary, Artisan Logiciel Libre



* Re: Signed-off-by and aliases
  2015-08-03 20:10   ` Loic Dachary
@ 2015-08-12 10:54     ` Gregory Farnum
  2015-08-12 12:51       ` Loic Dachary
  0 siblings, 1 reply; 24+ messages in thread
From: Gregory Farnum @ 2015-08-12 10:54 UTC
  To: Loic Dachary; +Cc: John Spray, Ceph Development

On Mon, Aug 3, 2015 at 11:10 PM, Loic Dachary <loic@dachary.org> wrote:
>
>
> On 03/08/2015 21:18, John Spray wrote:
>> On Fri, Jul 31, 2015 at 8:59 PM, Loic Dachary <loic@dachary.org> wrote:
>>> Hi Ceph,
>>>
>>> We require that each commit has a Signed-off-by line with the name and email of the author. The general idea is that the Ceph project trusts each developer to understand what it entails[1]. There is no formal verification : the person submitting the patch could use a fake name or publish code from someone else. In reality the odds of that happening and causing problems are so low that neither Ceph nor the Linux kernel felt the need to impose a more formal process. There is no bulletproof process anyway, it's all about balancing risks and costs.
>>>
>>> If a contributor was using an alias that looks like a real name (for instance I could contribute under the name Louis Lavile), (s)he would go unnoticed and her/his contribution would be accepted as any other. If the same contributor was using an alias that is obviously an alias (such as A. Nonymous), it would raise the question of accepting contributions Signed-off with an alias.
>>>
>>> I think Ceph should accept contributions that are signed with an alias because it does not make a difference.
>>>
>>> From a lawyer perspective, there is a difference between an alias and a real name, of course. Should the author be in court, (s)he would have to prove (s)he is the person behind the alias. If (s)he was using her/his real name, an ID card would be enough. And probably other differences that I don't see because IANAL. However since we already accept Signed-off-by that are not formally verified, we're already in a situation where we implicitly accept aliases. Explicitly accepting aliases would not change that, therefore it is not actually something we need to run by lawyers because nothing changes from a legal standpoint.
>>>
>>> What do you think ?
>>
>> (Without any legal knowledge whatsoever, and speaking in general terms
>> rather than about any particular code or vendor's practices or
>> products)
>
> In these matters the project lead needs to make a decision that makes sense and then ask a lawyer to implement it. We don't need to be lawyers to do that.
>
>>
>> My understanding is that projects use a Signed-off-by line for the
>> contributor to certify that they agree with the "Developer's
>> Certificate of Origin".
>>
>> The purpose of a certificate of origin is that if I am distributing
>> AcmeProject packages, and EvilCorp says "hey, we found our highly
>> patented code in your package!" then I can say "actually this was
>> submitted by Elizabeth Windsor <liz@buckinghampalace.org>, who
>> certified to me that she had the rights to the code.  I can thus
>> demonstrate that the original infringement was by her, and any
>> infringement in my distribution of the software was accidental, I
>> acted in good faith."
>>
>> OTOH if I said "That code was contributed by A.Nonymous", then
>> EvilCorp would say "Well, that could just as easily have been one of
>> your own developers, acting anonymously, so you have not demonstrated
>> that the infringement was unintentional".
>>
>> So in my opinion, it is necessary that any project wishing to apply a
>> "certificate of origin" process also needs to have a real name policy.
>
> If that was indeed what a Signed-off-by does, I would also be against using aliases. In reality a Signed-off-by is nothing more than a convenient means to get in touch with someone who claimed to be the author of a patch.
>
> The companies making and distributing Free Software using Signed-off-by like Ceph does, do not attempt to even verify that the person behind the Signed-off-by really is who (s)he claims. I don't think that's because they have been careless for the past decade. I think that's because it would not make a significant difference and that it would be a burden to the project. The company lawyers would certainly claim that it would be better to verify the identity for each Signed-off-by. But in practice they don't push for it, not even for the Linux kernel who went into more legal troubles than any other Free Software project.
>
> My point is that there could already be a dozen aliases that look like real names in the current Signed-off-by list. Explicitly accepting aliases that look like aliases would just be an acknowledgement of what we already do.

I won't be merging any code with obvious aliases for exactly the
reasons John mentions. Obviously IANAL, but I think you'll find law
proceedings in the USA would look much less kindly on accepting
obvious aliases versus having a real name policy — which we do, even
if it's not diligently checked. Keep in mind that we generally have a
background on our contributors to track them down even if they are
using a non-obvious alias.
-Greg
--
To unsubscribe from this list: send the line "unsubscribe ceph-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html


* Re: Signed-off-by and aliases
  2015-08-12 10:54     ` Gregory Farnum
@ 2015-08-12 12:51       ` Loic Dachary
  2015-08-14  8:49         ` Joao Eduardo Luis
  0 siblings, 1 reply; 24+ messages in thread
From: Loic Dachary @ 2015-08-12 12:51 UTC
  To: Gregory Farnum; +Cc: Ceph Development

On 12/08/2015 12:54, Gregory Farnum wrote:
> On Mon, Aug 3, 2015 at 11:10 PM, Loic Dachary <loic@dachary.org> wrote:
>>
>>
>> On 03/08/2015 21:18, John Spray wrote:
>>> On Fri, Jul 31, 2015 at 8:59 PM, Loic Dachary <loic@dachary.org> wrote:
>>>> Hi Ceph,
>>>>
>>>> We require that each commit has a Signed-off-by line with the name and email of the author. The general idea is that the Ceph project trusts each developer to understand what it entails[1]. There is no formal verification : the person submitting the patch could use a fake name or publish code from someone else. In reality the odds of that happening and causing problems are so low that neither Ceph nor the Linux kernel felt the need to impose a more formal process. There is no bulletproof process anyway, it's all about balancing risks and costs.
>>>>
>>>> If a contributor was using an alias that looks like a real name (for instance I could contribute under the name Louis Lavile), (s)he would go unnoticed and her/his contribution would be accepted as any other. If the same contributor was using an alias that is obviously an alias (such as A. Nonymous), it would raise the question of accepting contributions Signed-off with an alias.
>>>>
>>>> I think Ceph should accept contributions that are signed with an alias because it does not make a difference.
>>>>
>>>> From a lawyer perspective, there is a difference between an alias and a real name, of course. Should the author be in court, (s)he would have to prove (s)he is the person behind the alias. If (s)he was using her/his real name, an ID card would be enough. And probably other differences that I don't see because IANAL. However since we already accept Signed-off-by that are not formally verified, we're already in a situation where we implicitly accept aliases. Explicitly accepting aliases would not change that, therefore it is not actually something we need to run by lawyers because nothing changes from a legal standpoint.
>>>>
>>>> What do you think ?
>>>
>>> (Without any legal knowledge whatsoever, and speaking in general terms
>>> rather than about any particular code or vendor's practices or
>>> products)
>>
>> In these matters the project lead needs to make a decision that makes sense and then ask a lawyer to implement it. We don't need to be lawyers to do that.
>>
>>>
>>> My understanding is that projects use a Signed-off-by line for the
>>> contributor to certify that they agree with the "Developer's
>>> Certificate of Origin".
>>>
>>> The purpose of a certificate of origin is that if I am distributing
>>> AcmeProject packages, and EvilCorp says "hey, we found our highly
>>> patented code in your package!" then I can say "actually this was
>>> submitted by Elizabeth Windsor <liz@buckinghampalace.org>, who
>>> certified to me that she had the rights to the code.  I can thus
>>> demonstrate that the original infringement was by her, and any
>>> infringement in my distribution of the software was accidental, I
>>> acted in good faith."
>>>
>>> OTOH if I said "That code was contributed by A.Nonymous", then
>>> EvilCorp would say "Well, that could just as easily have been one of
>>> your own developers, acting anonymously, so you have not demonstrated
>>> that the infringement was unintentional".
>>>
>>> So in my opinion, it is necessary that any project wishing to apply a
>>> "certificate of origin" process also needs to have a real name policy.
>>
>> If that was indeed what a Signed-off-by does, I would also be against using aliases. In reality a Signed-off-by is nothing more than a convenient means to get in touch with someone who claimed to be the author of a patch.
>>
>> The companies making and distributing Free Software using Signed-off-by like Ceph does, do not attempt to even verify that the person behind the Signed-off-by really is who (s)he claims. I don't think that's because they have been careless for the past decade. I think that's because it would not make a significant difference and that it would be a burden to the project. The company lawyers would certainly claim that it would be better to verify the identity for each Signed-off-by. But in practice they don't push for it, not even for the Linux kernel who went into more legal troubles than any other Free Software project.
>>
>> My point is that there could already be a dozen aliases that look like real names in the current Signed-off-by list. Explicitly accepting aliases that look like aliases would just be an acknowledgement of what we already do.
> 
> I won't be merging any code with obvious aliases for exactly the
> reasons John mentions. Obviously IANAL, but I think you'll find law
> proceedings in the USA would look much less kindly on accepting
> obvious aliases versus having a real name policy — which we do, even
> if it's not diligently checked. 

It would be more accurate to say it is not checked at all. And it is the same for the Linux kernel.

> Keep in mind that we generally have a
> background on our contributors to track them down even if they are
> using a non-obvious alias.

As of today the Ceph repository has 427 contributors and 96 of them authored more than 10 commits. I would not be surprised if one of them was an alias. The only background check we do is when asking a new contributor about his affiliation to an organization (see http://tracker.ceph.com/projects/ceph/wiki/Ceph_contributors_list_maintenance_guide). 41 contributors declared that they are not affiliated to any organization and we did not investigate further. Nor do I think we should.

You have a point: we know the vast majority of contributors, one way or the other. It is a small world :-) If a contributor you know insisted on contributing using an alias, for ethical reasons, would you turn her/him down ? Wouldn't it be better for you to be able to vouch for her/him somehow ?

Cheers

> -Greg
> 

-- 
Loïc Dachary, Artisan Logiciel Libre



* Re: Signed-off-by and aliases
  2015-08-12 12:51       ` Loic Dachary
@ 2015-08-14  8:49         ` Joao Eduardo Luis
  2015-08-14 10:56           ` Loic Dachary
  0 siblings, 1 reply; 24+ messages in thread
From: Joao Eduardo Luis @ 2015-08-14  8:49 UTC (permalink / raw)
  To: Loic Dachary, Gregory Farnum; +Cc: Ceph Development

On 08/12/2015 01:51 PM, Loic Dachary wrote:
> 
> 
> On 12/08/2015 12:54, Gregory Farnum wrote:
>> I won't be merging any code with obvious aliases for exactly the
>> reasons John mentions. Obviously IANAL, but I think you'll find law
>> proceedings in the USA would look much less kindly on accepting
>> obvious aliases versus having a real name policy — which we do, even
>> if it's not diligently checked. 
> 
> It would be more accurate to say it is not checked at all. And it is the same for the Linux kernel.
> 
>> Keep in mind that we generally have a
>> background on our contributors to track them down even if they are
>> using a non-obvious alias.
> 
> As of today the Ceph repository has 427 contributors and 96 of them authored more than 10 commits. I would not be surprised if one of them was an alias. The only background check we do is when asking a new contributor about his affiliation to an organization (see http://tracker.ceph.com/projects/ceph/wiki/Ceph_contributors_list_maintenance_guide). 41 contributors declared that they are not affiliated to any organization and we did not investigate further. Nor do I think we should.
> 
> You have a point: we know the vast majority of contributors, one way or the other. It is a small world :-) If a contributor you know insisted on contributing using an alias, for ethical reasons, would you turn her/him down ? Wouldn't it be better for you to be able to vouch for her/him somehow ?

Call me paranoid if you must, but if we were considering liability
exposure of the project in case of IP violation, then this could be bad
for the one person merging the code knowing a given contributor was
using an alias.

Say this contributor did contribute something that he shouldn't have. If
he did ask someone to use an alias instead, and this someone went on
with 'okay, let's do this' and merged the code, I can't stop wondering
whether a lawyer would not take advantage of it, arguing the developer
performing the merge was complicit in the IP violation. He did know this
one person was under an alias, he did know who this person was, made
sure this person was not identified - "he most certainly knew something
bad was happening, AND DID NOTHING!"

Also, what would the developer be expected to do if a court asked him
who was the real author of a merge containing patches that violated
someone's IP rights? Lying to protect the integrity of an alias doesn't
seem like the obvious choice.

If someone is indeed interested in contributing under an alias, they
should just get a sensible alias that would be assumed to be the real
deal. And everyone can go on with their lives without having to be
exposed, at some point, to the nastiness of IP litigation if things go
sour, or having to lie to cover someone else's tracks if they cannot
avoid being exposed to it.

  -Joao

> 
> Cheers
> 
>> -Greg
>>
> 

--
To unsubscribe from this list: send the line "unsubscribe ceph-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html


* Re: Signed-off-by and aliases
  2015-08-14  8:49         ` Joao Eduardo Luis
@ 2015-08-14 10:56           ` Loic Dachary
  2015-08-17 20:19             ` Alex Elsayed
  0 siblings, 1 reply; 24+ messages in thread
From: Loic Dachary @ 2015-08-14 10:56 UTC (permalink / raw)
  To: Joao Eduardo Luis; +Cc: Ceph Development


Hi Joao,

On 14/08/2015 10:49, Joao Eduardo Luis wrote:
> On 08/12/2015 01:51 PM, Loic Dachary wrote:
>>
>>
>> On 12/08/2015 12:54, Gregory Farnum wrote:
>>> I won't be merging any code with obvious aliases for exactly the
>>> reasons John mentions. Obviously IANAL, but I think you'll find law
>>> proceedings in the USA would look much less kindly on accepting
>>> obvious aliases versus having a real name policy — which we do, even
>>> if it's not diligently checked. 
>>
>> It would be more accurate to say it is not checked at all. And it is the same for the Linux kernel.
>>
>>> Keep in mind that we generally have a
>>> background on our contributors to track them down even if they are
>>> using a non-obvious alias.
>>
>> As of today the Ceph repository has 427 contributors and 96 of them authored more than 10 commits. I would not be surprised if one of them was an alias. The only background check we do is when asking a new contributor about his affiliation to an organization (see http://tracker.ceph.com/projects/ceph/wiki/Ceph_contributors_list_maintenance_guide). 41 contributors declared that they are not affiliated to any organization and we did not investigate further. Nor do I think we should.
>>
>> You have a point: we know the vast majority of contributors, one way or the other. It is a small world :-) If a contributor you know insisted on contributing using an alias, for ethical reasons, would you turn her/him down ? Wouldn't it be better for you to be able to vouch for her/him somehow ?
> 
> Call me paranoid if you must, but if we were considering liability
> exposure of the project in case of IP violation, then this could be bad
> for the one person merging the code knowing a given contributor was
> using an alias.
> 
> Say this contributor did contribute something that he shouldn't have. If
> he did ask someone to use an alias instead, and this someone went on
> with 'okay, let's do this' and merged the code, I can't stop wondering
> whether a lawyer would not take advantage of it, arguing the developer
> performing the merge was complicit in the IP violation. He did know this
> one person was under an alias, he did know who this person was, made
> sure this person was not identified - "he most certainly knew something
> bad was happening, AND DID NOTHING!"
> 
> Also, what would the developer be expected to do if a court asked him
> who was the real author of a merge containing patches that violated
> someone's IP rights? Lying to protect the integrity of an alias doesn't
> seem like the obvious choice.
> 
> If someone is indeed interested in contributing under an alias, they
> should just get a sensible alias that would be assumed to be the real
> deal. And everyone can go on with their lives without having to be
> exposed, at some point, to the nastiness of IP litigation if things go
> sour, or having to lie to cover someone else's tracks if they cannot
> avoid being exposed to it.

It is quite impossible for us (non lawyers) to draw the line that separates paranoia and common sense. Reason why most discussions on these topics turn short. I cannot dismiss the scenario you describe and I'm quite sure asking a lawyer would not clarify anything. Mostly because whatever the question, the lawyer answer will always be : "maybe" and never "yes" or "no" ;-)

Yet, we are to decide what makes sense and what does not. If you ask the OpenStack community, the majority agree that it is necessary to have a CLA. If you ask the Linux kernel community, the consensus seems to be that there is no need for a CLA. etc.

So, how can one form an opinion on a topic (s)he does not fully understand ? I chose to decide based on facts I have and favor what gives us (the Ceph project community) more flexibility. I don't think anyone has any fact regarding legal troubles related to contributors using aliases. And since we don't verify contributor backgrounds anyway, acknowledging that we already accept aliases makes sense to me.

The value of this thread is more about how we collectively form a consensus on a topic that has legal implications than the question of accepting aliases or not. As Greg mentioned, all developers/organizations holding a significant part of the Ceph copyright know each other. Whatever is decided regarding aliases, it is not going to have any actual legal impact. But it would be great if we can somehow come up with a consensus. Ultimately the decision is not for us to make anyway: we're not a democracy. But it's not because a community has no power to decide that it must not have an opinion ;-)

Cheers

> 
>   -Joao
> 
>>
>> Cheers
>>
>>> -Greg
>>>
>>
> 
> 

-- 
Loïc Dachary, Artisan Logiciel Libre



* Re: Signed-off-by and aliases
  2015-08-14 10:56           ` Loic Dachary
@ 2015-08-17 20:19             ` Alex Elsayed
  2015-08-17 20:44               ` Loic Dachary
  0 siblings, 1 reply; 24+ messages in thread
From: Alex Elsayed @ 2015-08-17 20:19 UTC (permalink / raw)
  To: ceph-devel

Loic Dachary wrote:

> Hi Joao,
<snipping quite a bit>

> It is quite impossible for us (non lawyers) to draw the line that
> separates paranoia and common sense. Reason why most discussions on these
> topics turn short. I cannot dismiss the scenario you describe and I'm
> quite sure asking a lawyer would not clarify anything. Mostly because
> whatever the question, the lawyer answer will always be : "maybe" and
> never "yes" or "no" ;-)

There are cases where lawyers will say "yes" or "no" - it's just that those 
tend to be "Yes, this will cost a lot of effort to succeed against" and "No, 
I don't think we can successfully argue that" :P

> Yet, we are to decide what makes sense and what does not. If you ask the
> OpenStack community, the majority agree that it is necessary to have a
> CLA. If you ask the Linux kernel community, the consensus seems to be that
> there is no need for a CLA. etc.

I think part of the issue here is that "CLA" is a very overloaded term (in 
the C++ sense).

Some use it to refer to copyright assignment, which is a portion of some 
CLAs.

Some use it to refer to "thick" CLAs, like the Project Harmony ones, which 
may or may not have copyright assignment depending on the individual CLA.

Others use it to refer to _any_ formal agreement regarding licensing between 
the code author and some entity responsible for the overall body of code - 
under which definition the kernel DCO qualifies.

Personally, I fall into the camp that says that a DCO-like system, which 
ensures that input = output and attests to the right to submit, is 
sufficient: Whether the person submits the DCO under an alias or not, they 
have asserted that *submissions under this name (even if it's an alias) will 
abide by the DCO* - and thus people accepting those patches have a reason to 
believe that the submissions are "clean" and in good faith.

Also, if that model came under fire, various groups involved in the kernel 
would have a vested interest in helping defend it. That's not a small thing 
to backstop on.

> So, how can one form an opinion on a topic (s)he does not fully understand
> ? I chose to decide based on facts I have and favor what gives us (the Ceph
> project community) more flexibility. I don't think anyone has any fact
> regarding legal troubles related to contributors using aliases. And since
> we don't verify contributor backgrounds anyway, acknowledging that we
> already accept aliases makes sense to me.

This is where I see a subtle, but meaningful distinction: Accepting from 
aliases *which have submitted a DCO* means that the person behind the alias, 
even if we don't know their name, has bound themselves to a standard of 
behavior.

Accepting from arbitrary aliases does _not_ carry that meaning.

> The value of this thread is more about how we collectively form a
> consensus on a topic that has legal implications than the question of
> accepting aliases or not. As Greg mentioned, all developers/organizations
> holding a significant part of the Ceph copyright know each other. Whatever
> is decided regarding aliases, it is not going to have any actual legal
> impact. But it would be great if we can somehow come up with a consensus.
> Ultimately the decision is not for us to make anyway: we're not a
> democracy. But it's not because a community has no power to decide that it
> must not have an opinion ;-)

Entirely agreed.


* Re: Signed-off-by and aliases
  2015-08-17 20:19             ` Alex Elsayed
@ 2015-08-17 20:44               ` Loic Dachary
  2015-08-17 20:58                 ` Alex Elsayed
  0 siblings, 1 reply; 24+ messages in thread
From: Loic Dachary @ 2015-08-17 20:44 UTC (permalink / raw)
  To: Alex Elsayed, ceph-devel


Hi Alex,

On 17/08/2015 22:19, Alex Elsayed wrote:
> Loic Dachary wrote:
> 
>> Hi Joao,
> <snipping quite a bit>
> 
>> It is quite impossible for us (non lawyers) to draw the line that
>> separates paranoia and common sense. Reason why most discussions on these
>> topics turn short. I cannot dismiss the scenario you describe and I'm
>> quite sure asking a lawyer would not clarify anything. Mostly because
>> whatever the question, the lawyer answer will always be : "maybe" and
>> never "yes" or "no" ;-)

That reminds me of an amusing talk in the FOSDEM legal track a few years back, specifically on that topic :-)

<snip>--<snip>

>> So, how can one form an opinion on a topic (s)he does not fully understand
>> ? I chose to decide based on facts I have and favor what gives us (the Ceph
>> project community) more flexibility. I don't think anyone has any fact
>> regarding legal troubles related to contributors using aliases. And since
>> we don't verify contributor backgrounds anyway, acknowledging that we
>> already accept aliases makes sense to me.
> 
> This is where I see a subtle, but meaningful distinction: Accepting from 
> aliases *which have submitted a DCO* means that the person behind the alias, 
> even if we don't know their name, has bound themselves to a standard of 
> behavior.
> 
> Accepting from arbitrary aliases does _not_ carry that meaning.

Yes. Although we don't do formal background checks, we make sure that each commit is Signed-off-by: the author as required by https://github.com/ceph/ceph/blob/master/SubmittingPatches#L22 which is linked from the https://github.com/ceph/ceph/blob/master/CONTRIBUTING.rst document that shows whenever someone submits a pull request.

I also believe this is an important distinction and I would feel uncomfortable if Ceph accepted contributions (aliases or not) that are not Signed-off one way or the other.

Cheers

> 
>> The value of this thread is more about how we collectively form a
>> consensus on a topic that has legal implications than the question of
>> accepting aliases or not. As Greg mentioned, all developers/organizations
>> holding a significant part of the Ceph copyright know each other. Whatever
>> is decided regarding aliases, it is not going to have any actual legal
>> impact. But it would be great if we can somehow come up with a consensus.
>> Ultimately the decision is not for us to make anyway: we're not a
>> democracy. But it's not because a community has no power to decide that it
>> must not have an opinion ;-)
> 
> Entirely agreed.
> 
> 

-- 
Loïc Dachary, Artisan Logiciel Libre



* Re: Signed-off-by and aliases
  2015-08-17 20:44               ` Loic Dachary
@ 2015-08-17 20:58                 ` Alex Elsayed
  2015-08-17 21:18                   ` Loic Dachary
  2015-08-18 13:39                   ` Sage Weil
  0 siblings, 2 replies; 24+ messages in thread
From: Alex Elsayed @ 2015-08-17 20:58 UTC (permalink / raw)
  To: ceph-devel

Loic Dachary wrote:

> Hi Alex,
> 
> On 17/08/2015 22:19, Alex Elsayed wrote:
<snip>
>> This is where I see a subtle, but meaningful distinction: Accepting from
>> aliases *which have submitted a DCO* means that the person behind the
>> alias, even if we don't know their name, has bound themselves to a
>> standard of behavior.
>> 
>> Accepting from arbitrary aliases does _not_ carry that meaning.
> 
> Yes. Although we don't do formal background checks, we make sure that each
> commit is Signed-off-by: the author as required by
> https://github.com/ceph/ceph/blob/master/SubmittingPatches#L22 which is
> linked from the https://github.com/ceph/ceph/blob/master/CONTRIBUTING.rst
> document that shows whenever someone submits a pull request.
> 
> I also believe this is an important distinction and I would feel
> uncomfortable if Ceph accepted contributions (aliases or not) that are not
> Signed-off one way or the other.

The kernel does something slightly different, in a very careful manner: 
Signed-off-by says that you have _submitted_ the DCO - as in, you must have, 
from the same address as you signed off by, emailed the DCO itself to the 
list.

The S-o-B tag, then, simply says "If you look, you'll find my affirmation of 
intent to follow the DCO" - it is not, in itself, anything other than a 
pointer. This prevents people from copypasta'ing the S-o-B line as a magic 
incantation, without understanding the meaning. (Which the kernel has found 
_does_ happen _anyway_, but with the "actually submitted a DCO" requirement 
they can _detect_ that.)



* Re: Signed-off-by and aliases
  2015-08-17 20:58                 ` Alex Elsayed
@ 2015-08-17 21:18                   ` Loic Dachary
  2015-08-17 21:23                     ` Alex Elsayed
  2015-08-18 13:39                   ` Sage Weil
  1 sibling, 1 reply; 24+ messages in thread
From: Loic Dachary @ 2015-08-17 21:18 UTC (permalink / raw)
  To: Alex Elsayed, ceph-devel




On 17/08/2015 22:58, Alex Elsayed wrote:

> The S-o-B tag, then, simply says "If you look, you'll find my affirmation of 
> intent to follow the DCO" - it is not, in itself, anything other than a 
> pointer. This prevents people from copypasta'ing the S-o-B line as a magic 
> incantation, without understanding the meaning. (Which the kernel has found 
> _does_ happen _anyway_, but with the "actually submitted a DCO" requirement 
> they can _detect_ that.)

Oh, I overlooked that, thanks for the information. I can see how that can make a difference indeed.

Cheers

-- 
Loïc Dachary, Artisan Logiciel Libre



* Re: Signed-off-by and aliases
  2015-08-17 21:18                   ` Loic Dachary
@ 2015-08-17 21:23                     ` Alex Elsayed
  0 siblings, 0 replies; 24+ messages in thread
From: Alex Elsayed @ 2015-08-17 21:23 UTC (permalink / raw)
  To: ceph-devel

Loic Dachary wrote:

> 
> 
> On 17/08/2015 22:58, Alex Elsayed wrote:
> 
>> The S-o-B tag, then, simply says "If you look, you'll find my affirmation
>> of intent to follow the DCO" - it is not, in itself, anything other than
>> a pointer. This prevents people from copypasta'ing the S-o-B line as a
>> magic incantation, without understanding the meaning. (Which the kernel
>> has found _does_ happen _anyway_, but with the "actually submitted a DCO"
>> requirement they can _detect_ that.)
> 
> Oh, I overlooked that, thanks for the information. I can see how that can
> make a difference indeed.

This is a really good article about how the DCO system works, and why:
https://lwn.net/Articles/592503/




* Re: Signed-off-by and aliases
  2015-08-17 20:58                 ` Alex Elsayed
  2015-08-17 21:18                   ` Loic Dachary
@ 2015-08-18 13:39                   ` Sage Weil
  2015-08-18 15:11                     ` Alex Elsayed
  1 sibling, 1 reply; 24+ messages in thread
From: Sage Weil @ 2015-08-18 13:39 UTC (permalink / raw)
  To: Alex Elsayed; +Cc: ceph-devel

On Mon, 17 Aug 2015, Alex Elsayed wrote:
> Loic Dachary wrote:
> 
> > Hi Alex,
> > 
> > On 17/08/2015 22:19, Alex Elsayed wrote:
> <snip>
> >> This is where I see a subtle, but meaningful distinction: Accepting from
> >> aliases *which have submitted a DCO* means that the person behind the
> >> alias, even if we don't know their name, has bound themselves to a
> >> standard of behavior.
> >> 
> >> Accepting from arbitrary aliases does _not_ carry that meaning.
> > 
> > Yes. Although we don't do formal background checks, we make sure that each
> > commit is Signed-off-by: the author as required by
> > https://github.com/ceph/ceph/blob/master/SubmittingPatches#L22 which is
> > linked from the https://github.com/ceph/ceph/blob/master/CONTRIBUTING.rst
> > document that shows whenever someone submits a pull request.
> > 
> > I also believe this is an important distinction and I would feel
> > uncomfortable if Ceph accepted contributions (aliases or not) that are not
> > Signed-off one way or the other.
> 
> The kernel does something slightly different, in a very careful manner: 
> Signed-off-by says that you have _submitted_ the DCO - as in, you must have, 
> from the same address as you signed off by, emailed the DCO itself to the 
> list.
> 
> The S-o-B tag, then, simply says "If you look, you'll find my affirmation of 
> intent to follow the DCO" - it is not, in itself, anything other than a 
> pointer. This prevents people from copypasta'ing the S-o-B line as a magic 
> incantation, without understanding the meaning. (Which the kernel has found 
> _does_ happen _anyway_, but with the "actually submitted a DCO" requirement 
> they can _detect_ that.)

I can't find any reference to emailing a copy of the DCO to any address in 
SubmittingPatches or elsewhere.  Are you sure this is the case?  See

	https://www.kernel.org/doc/Documentation/SubmittingPatches

FWIW, LWN's coverage of James's talk on the DCO last year matches my 
understanding:

	https://lwn.net/Articles/592503/

...

As far as aliases go in sign-offs, I don't see that it's an issue.  In my 
opinion the sign-off is more about due diligence than anything else--that 
we have made a good faith effort to ensure that the code is made in 
compliance with the license.

James contends that it's also more about cleaning out offending code when a 
problematic contributor is identified and less about liability for that 
individual, so as long as an alias is used consistently I'm not sure it 
makes a difference.  Lots of people go by names that are not technically 
their legal names, but shortened or anglicized versions of them, but as 
long as they are sufficient to associate the contribution with the 
contributor it serves its purpose.

sage


* Re: Signed-off-by and aliases
  2015-08-18 13:39                   ` Sage Weil
@ 2015-08-18 15:11                     ` Alex Elsayed
  0 siblings, 0 replies; 24+ messages in thread
From: Alex Elsayed @ 2015-08-18 15:11 UTC (permalink / raw)
  To: ceph-devel

Sage Weil wrote:

> On Mon, 17 Aug 2015, Alex Elsayed wrote:
>> Loic Dachary wrote:
>> 
>> > Hi Alex,
>> > 
>> > On 17/08/2015 22:19, Alex Elsayed wrote:
>> <snip>
>> >> This is where I see a subtle, but meaningful distinction: Accepting
>> >> from aliases *which have submitted a DCO* means that the person behind
>> >> the alias, even if we don't know their name, has bound themselves to a
>> >> standard of behavior.
>> >> 
>> >> Accepting from arbitrary aliases does _not_ carry that meaning.
>> > 
>> > Yes. Although we don't do formal background checks, we make sure that
>> > each commit is Signed-off-by: the author as required by
>> > https://github.com/ceph/ceph/blob/master/SubmittingPatches#L22 which is
>> > linked from the
>> > https://github.com/ceph/ceph/blob/master/CONTRIBUTING.rst document that
>> > shows whenever someone submits a pull request.
>> > 
>> > I also believe this is an important distinction and I would feel
>> > uncomfortable if Ceph accepted contributions (aliases or not) that are
>> > not Signed-off one way or the other.
>> 
>> The kernel does something slightly different, in a very careful manner:
>> Signed-off-by says that you have _submitted_ the DCO - as in, you must
>> have, from the same address as you signed off by, emailed the DCO itself
>> to the list.
>> 
>> The S-o-B tag, then, simply says "If you look, you'll find my affirmation
>> of intent to follow the DCO" - it is not, in itself, anything other than
>> a pointer. This prevents people from copypasta'ing the S-o-B line as a
>> magic incantation, without understanding the meaning. (Which the kernel
>> has found _does_ happen _anyway_, but with the "actually submitted a DCO"
>> requirement they can _detect_ that.)
> 
> I can't find any reference to emailing a copy of the DCO to any address in
> SubmittingPatches or elsewhere.  Are you sure this is the case?  See
> 
> https://www.kernel.org/doc/Documentation/SubmittingPatches
> 
> FWIW, LWN's coverage of James's talk on the DCO last year matches my
> understanding:
> 
> https://lwn.net/Articles/592503/
> 
> ...
> 
> As far as aliases go in sign-offs, I don't see that it's an issue.  In my
> opinion the sign-off is more about due diligence than anything else--that
> we have made a good faith effort to ensure that the code is made in
> compliance with the license.
> 
> James contends that it's also more about cleaning out offending code when a
> problematic contributor is identified and less about liability for that
> individual, so as long as an alias is used consistently I'm not sure it
> makes a difference.  Lots of people go by names that are not technically
> their legal names, but shortened or anglicized versions of them, but as
> long as they are sufficient to associate the contribution with the
> contributor it serves its purpose.

Hm, you're right. Not sure where I got that, then - weird.




* Re: Signed-off-by and aliases
  2014-05-21 17:06 ` Loic Dachary
@ 2014-05-21 17:31   ` Richard Fontana
  0 siblings, 0 replies; 24+ messages in thread
From: Richard Fontana @ 2014-05-21 17:31 UTC (permalink / raw)
  To: Loic Dachary; +Cc: Ceph Development, Benjamin Jean

On Wed, May 21, 2014 at 07:06:04PM +0200, Loic Dachary wrote:
> Hi Richard,
> 
> I met with Benjamin Jean and two other lawyers (their names escape me, my apologies) while at http://solutionlinux.fr/ and asked for their opinion. They suggested that if a contributor wants to remain anonymous to the general public while being easily reachable if needed, she/he could disclose her/his identity to RedHat or any other trusted third party. Do you see any reason why RedHat would object to this ? 

That seems acceptable in principle, with the devil in the details - in
fact I was going to suggest something like that too, for exceptional
cases I can imagine in which there is a compelling reason to remain
publicly anonymous. 

 - R

> 
> Cheers
> 
> On 19/05/2014 17:13, Loic Dachary wrote:
> > Hi Richard,
> > 
> > It was nice seeing you at the OpenStack summit. Do not hesitate to redirect if this question is best answered by someone else at RedHat. As most of us I'm still unsure who at RedHat has time to devote to Ceph ;-)
> > 
> > Koleos Fuskus <koleosfuscus@yahoo.com> would like to contribute code under an alias (this is not its real name). If I understand correctly, copyright (both in software and literary works) allows authors to use aliases. Does RedHat have a position on this ?
> > 
> > Cheers
> > 
> 
> -- 
> Loïc Dachary, Artisan Logiciel Libre
> 



* Re: Signed-off-by and aliases
  2014-05-19 15:13 Loic Dachary
       [not found] ` <1400513274.44658.YahooMailNeo@web165002.mail.bf1.yahoo.com>
@ 2014-05-21 17:06 ` Loic Dachary
  2014-05-21 17:31   ` Richard Fontana
  1 sibling, 1 reply; 24+ messages in thread
From: Loic Dachary @ 2014-05-21 17:06 UTC (permalink / raw)
  To: Richard Fontana; +Cc: Ceph Development, Benjamin Jean


Hi Richard,

I met with Benjamin Jean and two other lawyers (their names escape me, my apologies) while at http://solutionlinux.fr/ and asked for their opinion. They suggested that if a contributor wants to remain anonymous to the general public while being easily reachable if needed, she/he could disclose her/his identity to RedHat or any other trusted third party. Do you see any reason why RedHat would object to this ? 

Cheers

On 19/05/2014 17:13, Loic Dachary wrote:
> Hi Richard,
> 
> It was nice seeing you at the OpenStack summit. Do not hesitate to redirect if this question is best answered by someone else at RedHat. As most of us I'm still unsure who at RedHat has time to devote to Ceph ;-)
> 
> Koleos Fuskus <koleosfuscus@yahoo.com> would like to contribute code under an alias (this is not its real name). If I understand correctly, copyright (both in software and literary works) allows authors to use aliases. Does RedHat have a position on this ?
> 
> Cheers
> 

-- 
Loïc Dachary, Artisan Logiciel Libre



* Re: Signed-off-by and aliases
  2014-05-20  5:31     ` Loic Dachary
@ 2014-05-20 13:56       ` Richard Fontana
  0 siblings, 0 replies; 24+ messages in thread
From: Richard Fontana @ 2014-05-20 13:56 UTC (permalink / raw)
  To: Loic Dachary; +Cc: Koleos Fuscus, Ceph Development

On Tue, May 20, 2014 at 07:31:59AM +0200, Loic Dachary wrote:

> However, I know of at least one other instance where finding a way
> to handle aliases would allow contributors to participate in the
> Ceph project. OVH is a large hosting company employing a number of
> developers and management explicitly forbids participation in Free
> Software projects. The primary reason being that they could be
> contacted by companies looking for talents. If their contributions
> were clustered under the OVH <libre@ovh.com> alias, they may have
> permission to publish their code.

On the assumption that OVH is the copyright holder of all such
contributions, and would knowingly permit employees contributing using
this alias, this seems okay to me.

- Richard




* Re: Signed-off-by and aliases
  2014-05-20  4:19   ` Richard Fontana
@ 2014-05-20  5:31     ` Loic Dachary
  2014-05-20 13:56       ` Richard Fontana
  0 siblings, 1 reply; 24+ messages in thread
From: Loic Dachary @ 2014-05-20  5:31 UTC (permalink / raw)
  To: Richard Fontana, Koleos Fuscus; +Cc: Ceph Development


Hi Richard,

Thanks for your input !

I don't think koleosfuscus will have an issue using its real name. However, I know of at least one other instance where finding a way to handle aliases would allow contributors to participate in the Ceph project. OVH is a large hosting company employing a number of developers and management explicitly forbids participation in Free Software projects. The primary reason being that they could be contacted by companies looking for talents. If their contributions were clustered under the OVH <libre@ovh.com> alias, they may have permission to publish their code. Legally speaking it is not even an alias since OVH indeed is the copyright holder. I guess the same applies in the context of OpenStack.

What do you think ?

Cheers

On 20/05/2014 06:19, Richard Fontana wrote:
> On Mon, May 19, 2014 at 08:27:54AM -0700, Koleos Fuskus wrote:
>> Please notice that the complete alias is "koleosfuscus" with "c" and not "k"
>> and I include a space when the forms ask me for name and family name. Anyway, I
>> would like to receive advice on this topic. It may be convenient for me to do
>> contributions using my real name. I am not aware of the copyright problems that
>> I may have for using an alias.
> 
> I can't provide you with advice on this, but my recommendation to the
> Ceph project maintainers is that real names be required as part of the
> Signed-off-by.
> 
> Use of an alias does not affect your ability to obtain copyright. One
> concern is that if you remain entirely anonymous and it becomes
> necessary to contact you in the future for some reason relating either
> to the license you are granting or the code you are providing, it may
> become relatively difficult to do so. How much this would actually
> matter is unclear (it might depend on how substantial your
> contributions are).
> 
> Another concern I have is a policy issue somewhat external to Ceph. I
> am currently attempting with some others to convince OpenStack to
> switch from a CLA to a DCO contribution system and have specifically
> pointed to Ceph as an example of a successful DCO-using project, well
> known to OpenStack participants. I am concerned about possible FUD
> from CLA advocates should it be discovered that Ceph accepts
> pseudonymic contributions under the DCO. (This even though I realize a
> CLA could itself be signed pseudonymously.)
> 
>  - Richard
>
>>
>> Best,
>>
>> koleos
>>
>>
>> On Monday, May 19, 2014 5:19 PM, Loic Dachary <loic@dachary.org> wrote:
>>
>>
>> Hi Richard,
>>
>> It was nice seeing you at the OpenStack summit. Do not hesitate to redirect if
>> this question is best answered by someone else at RedHat. As most of us I'm
>> still unsure who at RedHat has time to devote to Ceph ;-)
>>
>> Koleos Fuskus <koleosfuscus@yahoo.com> would like to contribute code under an
>> alias (this is not its real name). If I understand correctly, copyright (both
>> in software and literary works) allows authors to use aliases. Does RedHat
>> have a position on this ?
>>
>> Cheers
>>
>> --
>> Loïc Dachary, Artisan Logiciel Libre
>>
>>

-- 
Loïc Dachary, Artisan Logiciel Libre



* Re: Signed-off-by and aliases
       [not found] ` <1400513274.44658.YahooMailNeo@web165002.mail.bf1.yahoo.com>
  2014-05-19 16:47   ` Loic Dachary
@ 2014-05-20  4:19   ` Richard Fontana
  2014-05-20  5:31     ` Loic Dachary
  1 sibling, 1 reply; 24+ messages in thread
From: Richard Fontana @ 2014-05-20  4:19 UTC (permalink / raw)
  To: Koleos Fuskus; +Cc: Loic Dachary, Ceph Development

On Mon, May 19, 2014 at 08:27:54AM -0700, Koleos Fuskus wrote:
> Please notice that the complete alias is "koleosfuscus" with "c" and not "k"
> and I include a space when the forms ask me for name and family name. Anyway, I
> would like to receive advice on this topic. It may be convenient for me to do
> contributions using my real name. I am not aware of the copyright problems that
> I may have for using an alias.

I can't provide you with advice on this, but my recommendation to the
Ceph project maintainers is that real names be required as part of the
Signed-off-by.

Use of an alias does not affect your ability to obtain copyright. One
concern is that if you remain entirely anonymous and it becomes
necessary to contact you in the future for some reason relating either
to the license you are granting or the code you are providing, it may
become relatively difficult to do so. How much this would actually
matter is unclear (it might depend on how substantial your
contributions are).

Another concern I have is a policy issue somewhat external to Ceph. I
am currently attempting with some others to convince OpenStack to
switch from a CLA to a DCO contribution system and have specifically
pointed to Ceph as an example of a successful DCO-using project, well
known to OpenStack participants. I am concerned about possible FUD
from CLA advocates should it be discovered that Ceph accepts
pseudonymic contributions under the DCO. (This even though I realize a
CLA could itself be signed pseudonymously.)

 - Richard

> 
> Best,
> 
> koleos
> 
> 
> On Monday, May 19, 2014 5:19 PM, Loic Dachary <loic@dachary.org> wrote:
> 
> 
> Hi Richard,
> 
> It was nice seeing you at the OpenStack summit. Do not hesitate to redirect if
> this question is best answered by someone else at RedHat. As most of us I'm
> still unsure who at RedHat has time to devote to Ceph ;-)
> 
> Koleos Fuskus <koleosfuscus@yahoo.com> would like to contribute code under an
> alias (this is not its real name). If I understand correctly, copyright (both
> in software and literary works) allows authors to use aliases. Does RedHat
> have a position on this ?
> 
> Cheers
> 
> --
> Loïc Dachary, Artisan Logiciel Libre
> 
> 


* Re: Signed-off-by and aliases
       [not found] ` <1400513274.44658.YahooMailNeo@web165002.mail.bf1.yahoo.com>
@ 2014-05-19 16:47   ` Loic Dachary
  2014-05-20  4:19   ` Richard Fontana
  1 sibling, 0 replies; 24+ messages in thread
From: Loic Dachary @ 2014-05-19 16:47 UTC (permalink / raw)
  To: Koleos Fuskus; +Cc: Ceph Development




On 19/05/2014 17:27, Koleos Fuskus wrote:
> Please notice that the complete alias is "koleosfuscus" with "c" and not "k" and I include a space when the forms ask me for name and family name. 

Sorry about that : it is fixed in the Reported-by: at https://github.com/ceph/ceph/pull/1824

Cheers

> Anyway, I would like to receive advice on this topic. It may be convenient for me to do contributions using my real name. I am not aware of the copyright problems that I may have for using an alias.
> 
> Best,
> 
> koleos
> 
> 
> On Monday, May 19, 2014 5:19 PM, Loic Dachary <loic@dachary.org> wrote:
> 
> 
> Hi Richard,
> 
> It was nice seeing you at the OpenStack summit. Do not hesitate to redirect if this question is best answered by someone else at RedHat. As most of us I'm still unsure who at RedHat has time to devote to Ceph ;-)
> 
> Koleos Fuskus <koleosfuscus@yahoo.com> would like to contribute code under an alias (this is not its real name). If I understand correctly, copyright (both in software and literary works) allows authors to use aliases. Does RedHat have a position on this ?
> 
> Cheers
> 
> -- 
> Loïc Dachary, Artisan Logiciel Libre
> 
> 

-- 
Loïc Dachary, Artisan Logiciel Libre



* Signed-off-by and aliases
@ 2014-05-19 15:13 Loic Dachary
       [not found] ` <1400513274.44658.YahooMailNeo@web165002.mail.bf1.yahoo.com>
  2014-05-21 17:06 ` Loic Dachary
  0 siblings, 2 replies; 24+ messages in thread
From: Loic Dachary @ 2014-05-19 15:13 UTC (permalink / raw)
  To: Richard Fontana; +Cc: Ceph Development, Koleos Fuskus


Hi Richard,

It was nice seeing you at the OpenStack summit. Do not hesitate to redirect if this question is best answered by someone else at RedHat. As most of us I'm still unsure who at RedHat has time to devote to Ceph ;-)

Koleos Fuskus <koleosfuscus@yahoo.com> would like to contribute code under an alias (this is not its real name). If I understand correctly, copyright (both in software and literary works) allows authors to use aliases. Does RedHat have a position on this ?

Cheers

-- 
Loïc Dachary, Artisan Logiciel Libre



end of thread, other threads:[~2015-08-18 15:11 UTC | newest]

Thread overview: 24+ messages
2015-07-31 19:59 Signed-off-by and aliases Loic Dachary
2015-08-01  8:11 ` Wido den Hollander
2015-08-02 16:19   ` Joao Eduardo Luis
2015-08-03 19:02     ` Wido den Hollander
2015-08-03 19:18 ` John Spray
2015-08-03 20:10   ` Loic Dachary
2015-08-12 10:54     ` Gregory Farnum
2015-08-12 12:51       ` Loic Dachary
2015-08-14  8:49         ` Joao Eduardo Luis
2015-08-14 10:56           ` Loic Dachary
2015-08-17 20:19             ` Alex Elsayed
2015-08-17 20:44               ` Loic Dachary
2015-08-17 20:58                 ` Alex Elsayed
2015-08-17 21:18                   ` Loic Dachary
2015-08-17 21:23                     ` Alex Elsayed
2015-08-18 13:39                   ` Sage Weil
2015-08-18 15:11                     ` Alex Elsayed
  -- strict thread matches above, loose matches on Subject: below --
2014-05-19 15:13 Loic Dachary
     [not found] ` <1400513274.44658.YahooMailNeo@web165002.mail.bf1.yahoo.com>
2014-05-19 16:47   ` Loic Dachary
2014-05-20  4:19   ` Richard Fontana
2014-05-20  5:31     ` Loic Dachary
2014-05-20 13:56       ` Richard Fontana
2014-05-21 17:06 ` Loic Dachary
2014-05-21 17:31   ` Richard Fontana
