trinity-devel@lists.pearsoncomputing.net


Re: [trinity-devel] Contributor License Agreements

From: "Timothy Pearson" <kb9vqf@...>
Date: Fri, 17 Oct 2014 11:18:16 -0500

> On Thursday, 16 October 2014, Timothy Pearson wrote:
>> > I have a question:
>> >
>> > I often process patches from François, making adjustments as needed, and
>> > then commit. For such posts will be listed as an author François and as
>> > Signed-off will be mine. Is this the correct procedure?
>>
>> Actually he needs to sign off on them.  It gets a bit confusing because
>> there are actually three authorship fields in GIT that we are interested
>> in: author, signed-off-by, and committer.  In this case his name goes into
>> author and signed-off-by, and your name goes into committer.  So when you
>> process the patches, if he provided a signed-off-by line for that patch in
>> Bugzilla then you copy that into the commit message on the last line of
>> the commit message, separated by a blank line.
>>
>> As I am still phasing the CLA system in, and I trust the core team not to
>> sue, include copyrighted code, etc., if he has not provided a
>> signed-off-by line for the patches go ahead and commit them without a
>> signed-off-by line.
>>
>> For developers with GIT accounts you can commit and sign off all in one
>> step by passing the -s flag to git commit.  Just be aware that you are
>> stating you have the legal right to license the commit when you do this;
>> philosophically this is the same as before but the procedure is a bit more
>> formal now.
>>
>> > Or contributions should be Signed-off at the same time by François? If so,
>> > how should it be implemented technically?
>>
>> When he submits patches he should provide a signed-off-by line for that
>> patch in the bugtracker.  If anyone outside of the core team submits a
>> patch without a signed-off-by line for that patch in the bug report we
>> need to request that they provide one--the patch itself does not have to
>> be resubmitted, but the submitter needs to add a comment stating they are
>> signing off on that patch and appending the appropriate signed-off-by line
>> to that comment.
>>
>> > Similarly, in cases of occasional contributors who do not have commit
>> > access? For example, during the integration of the translations.
>>
>> Same as above; if patch is submitted via Email then the Email should
>> contain the signed-off-by line.  It's always OK to reply to a patch
>> submission and request that a signed-off-by line be provided.
>>
>> Does this make sense?  Basically we're just fixing the bookkeeping end of
>> the project so that we know who authored, who owns, who released, and who
>> committed anything and can thereby better avoid any potential legal
>> issues.
>>
>> Tim
>
> "How do you call it when a bus full of lawyers goes over the cliffs?" "A
> good beginning!"

Heh. :-)

> What about just demanding from every contributor for his/her
> patches/bugreports to be accepted the patches/report must comply to GPL
> v2/v3/BSD ... ? Place it in the bugtracker, place it on the list, be done.

The problem (explained below) boils down to at least in the USA/UK (unsure
of elsewhere) a person may not actually have the legal rights to release
their work under the GPL.  If the true rights holder comes after me, which
do you think will shorten the legal trouble: "I had a notice on the
website so I thought they read and followed it..." or "this person was in
breach of contract with me, here's the paperwork they read, signed, and
violated!".  I vote for the latter, as does every major open source
project I know of:
http://en.wikipedia.org/wiki/Contributor_License_Agreement

> If somebody wants to sue you, he/she will do despite whatever contract
> was signed - especially in the "free" US. In the rest of the world that
> signed CLA will most likely not be valid at all (in most cases it's
> sufficient to claim you have not comprehended the text in its full extent,
> 'cause it's not written in your tongue).

While I understand fully what you are saying, in all honesty I am not
concerned about problems from contributors outside of the USA/UK.  I think
most of the free world understands what contributing to open source means;
it's just our two countries (and maybe one or two others, not sure) where
people seem to want to have their cake and eat it too.

This whole CLA thing kicked off many months ago because I have someone who
lives in the USA and works for a USA-based engineering firm; basically in
this situation the person's employer de facto owns all works created by
the employee even in their off time unless the company explicitly releases
those rights.  Previously we had no mechanism by which the employee could
ask the company to do that, and therefore no way for that person to ever
contribute to TDE; now we have a mechanism in place.

Tim
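
Added example (not part of the original message and not Trinity project tooling): a check for the bookkeeping rule described in the thread, that the signed-off-by line sits in the last paragraph of the commit message, after a blank line, and comes from the patch author rather than only from the committer. The names, addresses and the core_team allow-list are constructed assumptions.

```python
import re

# "Signed-off-by: Name <email>", the trailer format git commit -s writes.
SOB_RE = re.compile(r"^Signed-off-by:\s*(?P<name>.+?)\s*<(?P<email>[^<>\s]+)>\s*$", re.I)
TRAILER_RE = re.compile(r"^[A-Za-z0-9-]+:\s*\S")  # any "Key: value" trailer line


def signoffs(message):
    """Return [(name, email)] taken only from the trailer block: the last
    paragraph, separated from the body by a blank line, all 'Key: value'."""
    lines = message.rstrip().splitlines()
    block = []
    while lines and lines[-1].strip():
        block.append(lines.pop())
    if not lines:  # single paragraph: that is the subject, not a trailer block
        return []
    block.reverse()
    if not all(TRAILER_RE.match(line) for line in block):
        return []  # a sign-off mentioned inside body text does not count
    return [(m["name"], m["email"].lower()) for m in map(SOB_RE.match, block) if m]


def check_commit(author_email, committer_email, message, core_team=()):
    """Classify one commit. core_team is a hypothetical allow-list modelling
    the phase-in exception for core-team authors mentioned in the thread."""
    signed = {email for _, email in signoffs(message)}
    if author_email.lower() in signed:
        return "ok"
    if author_email.lower() in {e.lower() for e in core_team}:
        return "ok-core-team-exception"
    if committer_email.lower() in signed:
        return "signed-by-committer-only"  # author still has to sign off
    return "missing-signoff"


if __name__ == "__main__":
    # Constructed sample: the maintainer committed and signed off a patch
    # written by someone else, which is the case the thread asks about.
    sample = ("Fix translation build\n\nAdjusted from the bug report.\n\n"
              "Signed-off-by: Maintainer Example <maintainer@example.org>\n")
    print(check_commit("contributor@example.org", "maintainer@example.org", sample))
```

The author and committer addresses correspond to git's `%ae` and `%ce` log format fields, and the message to `%B`.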