Re: [External] Re: [Hyperledger TSC] Agenda items for this week?
Hart Montgomery <hmontgomery@...>
I'd also like to hear about people's perspectives on anonymous contributors. I informally and off the record (so it doesn't count as legal advice) spoke to a patent attorney about the ramifications of anonymous contribution to open source projects yesterday, and my conclusion (I am not a lawyer, so cum grano salis) was that this is a large grey area and we should ask for an opinion from lawyers.
The DCO (as currently stated) requires no identity verification. I can create a pseudonym, contribute code, and sign off. What if I do this with a fake identity, and in a way that's untraceable or very difficult to trace (i.e. work entirely through tor)? It might be impossible to ever find my identity. What if I use this anonymity to try to contribute code that contains patents, and then sue later? Presumably no one could complete the identity loop, or trace back the contributor that made the malicious code contribution.
At least to me, it's not even clear who could or would be sued over patents (even after the aforementioned conversation yesterday). I'm guessing, however, that someone could be held accountable for anonymous infringing contributions--otherwise, our optimal legal strategy would be to have fully anonymous contributions, and companies could put together "anonymous" open source implementations of their competitors' patented products.
So I guess I'm with Danno: I'd like to see a clear statement from the LF's lawyers about what are acceptable policies for DCO and contributor anonymity. Is there any way we can get an official opinion on this so that we can put all of this discussion to rest?
Thanks, and have a great day.
From: tsc@... <tsc@...> on behalf of Danno Ferrin <danno.ferrin@...>
Sent: Tuesday, March 30, 2021 2:02 PM
To: Arun .S.M. <arun.s.m.cse@...>
Cc: Tracy Kuhrt <tracy.a.kuhrt@...>; Arnaud Le Hors <lehors@...>; Hyperledger TSC <tsc@...>
Subject: Re: [External] Re: [Hyperledger TSC] Agenda items for this week?
Good to hear, Arun. I now remember that discussion, but I didn't see it written in the notes, and it wasn't terribly clear from the discussion IIRC (I guess I'll need to go re-play the call).
On a slightly different tangent, for the issues in the TSC decision backlog I think it would be useful to document what the next needed action is and who is responsible for moving it forward. Being able to refer to those items would make it easier to see whether a meeting should be cancelled. For the last few meetings we have gone mostly to time, and that to me indicates there is still back pressure on pending issues. If no one is sure what needs to be done for an issue, or no one has action items for the issue, then perhaps it is time to formally have it closed or withdrawn, or perhaps open a TSC vote and formally vote it down.
I'll start with two of the current TSC decision log issues.
First, on the DCO Validation during Contribution Review proposal I opened last week (https://wiki.hyperledger.org/display/TSC/DCO+Validation+During+Contribution+Review). Based on comments, it looks like this will require an opinion from the LF legal team, since there is some question as to whether or not what I proposed provides the needed legal protections. So, to aid the process, the specific question is: "Does the proposed process in https://wiki.hyperledger.org/display/TSC/DCO+Validation+During+Contribution+Review meet the standard for Clause C of the DCO (https://developercertificate.org/)?" If the answer is no, then my proposal is dead in the water without further need for TSC discussion.
Second is the DCO and pseudonyms issue. I foresee this being an issue again in the future, and we are not well served by an ambiguous policy. HL projects will receive (have already received?) patches from individuals who sign under a pseudonym that is either obviously a pseudonym or known to a project maintainer to be a pseudonym. How do maintainers deal with such contributions? Summary rejection? Can they provide a Signed-off-by attestation under clause C of the DCO as well? I would rather have the latter (maintainer attestation) than the former (summary rejection). But I would rather have a formal summary rejection policy than let this question fester for another six months. Arnaud, Brian, who has the next step on this one?
On Tue, Mar 30, 2021 at 2:20 PM Arun .S.M. <arun.s.m.cse@...> wrote:
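Both Hart's point (the DCO sign-off is a free-text trailer that no tooling ties to a real identity) and Danno's question (whether a maintainer can stack their own clause (c) Signed-off-by on top of a pseudonymous one) come down to what the Signed-off-by trailer mechanically is. The following script is an added illustration written for this page; it is not Hyperledger's, the LF's or any DCO bot's code. It builds a throwaway repository, commits under a made-up pseudonym with `git commit -s`, applies the usual automated rule (some Signed-off-by value must equal the commit's author `Name <email>`), and then amends the commit with a second, maintainer trailer. The names and addresses are constructed, and the check rule is the common one rather than any particular project's policy.

```shell
#!/bin/sh
# Added example: what a Signed-off-by (DCO) check actually sees.
# Not Hyperledger or LF tooling; identities below are constructed.
set -eu

# The identity an automated DCO check compares against: the commit author.
commit_author() {
  git -C "$1" log -1 --format='%an <%ae>' "$2"
}

# Every Signed-off-by trailer value of a commit, one per line.
signoffs() {
  git -C "$1" log -1 --format='%B' "$2" | sed -n 's/^Signed-off-by: *//p'
}

# Typical bot rule: pass if and only if some Signed-off-by matches the author.
# Returns 0 (pass) or 1 (fail). Note that nothing verifies the identity is real;
# whatever user.name/user.email say at commit time is what gets signed off.
dco_check() {
  author=$(commit_author "$1" "$2")
  signoffs "$1" "$2" | grep -Fxq -- "$author"
}

# Create a throwaway repo and commit under a pseudonym with `git commit -s`.
# Prints the repository path.
make_demo_repo() {
  dir=$(mktemp -d)
  git init -q "$dir"
  git -C "$dir" config commit.gpgsign false
  git -C "$dir" config user.name "Ada Nobody"              # constructed pseudonym
  git -C "$dir" config user.email "ada@example.invalid"    # constructed address
  echo 'int f(void) { return 1; }' > "$dir/f.c"
  git -C "$dir" add f.c
  # -s appends "Signed-off-by: <committer ident>" taken straight from config.
  git -C "$dir" commit -q -s -m "Add f()"
  echo "$dir"
}

# Clause (c)-style maintainer attestation: amend the commit, keeping the
# original author and trailer, and append the maintainer's own Signed-off-by.
# Amending rewrites the commit, so the new HEAD id is printed.
maintainer_attest() {
  git -C "$1" -c user.name="$2" -c user.email="$3" \
    commit -q --amend --no-edit -s
  git -C "$1" rev-parse HEAD
}

# Stand-alone run: show the pseudonymous commit passing the check, then the
# commit after a maintainer has added a second trailer.
demo() {
  repo=$(make_demo_repo)
  echo "author:   $(commit_author "$repo" HEAD)"
  if dco_check "$repo" HEAD; then echo "dco_check: pass"; else echo "dco_check: fail"; fi
  new=$(maintainer_attest "$repo" "Mia Maintainer" "mia@example.invalid")
  echo "trailers after maintainer attestation ($new):"
  signoffs "$repo" "$new"
}
```

Running `demo` in a shell that has sourced the script shows the pseudonymous commit passing the check, because the trailer matches the (self-declared) author, and then two trailers after the amend. The takeaway for the thread is that the automated check is a consistency test between two fields the contributor controls, so any identity assurance has to come from policy, not from the bot; the second trailer is what a clause (c) attestation by a maintainer would look like in the commit itself, whether or not the LF's lawyers consider it sufficient.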