Re: DCO topic


Hart Montgomery
 

Hi Everyone,

 

Thanks for the informative responses.  I’m with Chris here—it might be time to consider a CLA model.  I highly doubt the board will let us keep doing what we’ve done so far after they look into this.

 

I think we could also do this pseudonymously.  Consider the following model:  the root of all identity in Hyperledger is the LFID.  We attach a CLA, email, real name (or whatever identity information we want) to an LFID.  We also require people to list their GitHub accounts in their LFID info.  However, all of this information is kept private, so no one (other than the LF database) sees anything at all.  We set permissions on HL GitHub repos so that only GitHub accounts that are associated with an LFID in good standing can commit code.

 

I don’t know enough about the current LFID infrastructure to know whether this is possible (or how much work it would take to make it possible) but this would give us seemingly “best possible” anonymity.  The LF would know who the contributors are, but everything public-facing could be anonymous.  You could configure your GitHub account, which is what the public would see, to be totally anonymizing.  You could even add multiple GitHub accounts to your LFID if you really wanted to confuse people, although I don’t know if anyone would do this.  I think this would address the concerns of most of the people who were interested in anonymity that I spoke to on this:  they didn’t seem to care as much if the LF knew who they were as much as they wanted to avoid random people on the internet being able to find or contact them.

 

This would also have the side benefit of making community statistics easy to gather since the LF would have the relevant information about people (we could, of course, use differentially private techniques to release information about contributors).  In addition, it would address a lot of concerns people have addressed with TSC elections, since we could use the LFID for that too.

 

What do folks think about something like this?

 

Thanks a lot for your time, and have a great day.

 

Hart

 

From: tsc@... [mailto:tsc@...] On Behalf Of Christopher Ferris
Sent: Thursday, January 16, 2020 9:24 AM
To: bbehlendorf@...
Cc: Montgomery, Hart <hmontgomery@...>; Arnaud Le Hors <lehors@...>; tsc@...
Subject: Re: [Hyperledger TSC] DCO topic

 

Fabric, having moved from Gerrit (which required a LF ID) to GitHub (which does not), now opens up a bit of risk unless the maintainers reviewing patches also know who the submitter is. With Linux Kernel, all patches are submitted via email, so the address is resolvable by definition. While we do know the GitHub account from whence a PR is submitted, a GitHub ID does not require any form of further identification (name, email, etc.). I have seen patches submitted with emails of the form somebody@..., where 'somebody' is the GitHub ID.

 

The purpose of the DCO was to reduce friction, not to allow anonymous contribution. Getting a CLA signed off for a corporate employee can be torturous because you might need to involve your Legal department, etc.

 

Should we (TSC) maybe be thinking of making a recommendation of adopting a CLA model instead, despite the friction? There are now tools in place to automate this.

 

Cheers,

Christopher Ferris
IBM Fellow, CTO Open Technology
email: chrisfer@...
twitter: @christo4ferris

IBM Open Source white paper: https://developer.ibm.com/articles/cl-open-architecture-update/
phone: +1 508 667 0402

 

 

----- Original message -----
From: "Brian Behlendorf" <bbehlendorf@...>
Sent by: tsc@...
To: Arnaud Le Hors <lehors@...>, "hmontgomery@..." <hmontgomery@...>
Cc: "tsc@..." <tsc@...>
Subject: [EXTERNAL] [Hyperledger TSC] DCO topic
Date: Thu, Jan 16, 2020 8:41 AM
 

LF legal looked at the item and were wondering what underlying need was motivating the ask.  "In the Linux kernel for example the maintainers are expected to know the identity of anyone whose patches they're contributing. The real issue is if there was ever a legal matter, would the person be identifiable and available because we have their identity."  I was going to bring that question back to here but fell behind. 

 

The risk of taking a DCO from someone that can't be identified and reached is that a challenge to the provenance of that code can't be answered - basically anyone could claim "that was mine, you accepted stolen property" and there'd be no one to refute that or take the blame for it.  In which case there'd be a very difficult decision - fight in court without any testimony that the code wasn't stolen, or purge the code and require a clean-room rewrite.  Those seem like awful paths to have to take, for the price of more vigilance up front.

 

Given this is a matter of legal liability, it's not a decision the TSC can make; at best it could recommend a change to the Governing Board and LF, but it's the GB and LF that need to weigh that risk as they're the ones who would bear the costs of any legal action.

 

I wasn't on Hyperledger on day zero, but one thing I recall hearing is that one reason it was formed was to provide a space safe from anonymous contributors who may come along later seeking rent.  I remember specifically hearing that if it turned out Craig Wright was Satoshi, then the Australian patents he (much later) filed on Bitcoin architecture could be leveraged against anyone in the Bitcoin community, in part because the license on the code was MIT and thus came with no patent grants.  I think we want to avoid that risk.  

 

However I know the term "real identity" is highly problematic.  We aren't storing Social Security numbers or DNA or anything like that.  The DCO is attached to the commit or PR, from which we can get the GitHub account name, but that doesn't necessarily come with a real name or even a contactable email address, which is also a problem when we pull together the voter lists for the TSC election.  Are each of you sure you'd be able to get in contact with all submitters of PRs you've accepted?  Even good, real people have their email addresses go bad or name changes and then can't be reached.  So this isn't about providing a hermetic seal around the problem, more showing good faith and intent in ensuring we don't receive stolen or patent-covered code.

 

I'll try and get more clarity.  Til then, please document any instances where people refuse to offer PRs because they don't want to be contactable after the fact.

 

Brian

 

 

 

 

On 1/16/20 3:53 AM, Arnaud Le Hors wrote:

Thanks for the reminder Hart. Brian was going to bring this up to LF legal. Brian, any update?
--
Arnaud  Le Hors - Senior Technical Staff Member, Blockchain & Web Open Technologies - IBM





From:        "hmontgomery@..." <hmontgomery@...>
To:        Arnaud Le Hors <lehors@...>, Christopher Ferris <chrisfer@...>, Silona Bonewald <sbonewald@...>
Cc:        "dan.middleton@..." <dan.middleton@...>, "mwagner114@..." <mwagner114@...>, "tsc@..." <tsc@...>
Date:        01/16/2020 02:42 AM
Subject:        [EXTERNAL] Re: [Hyperledger TSC] Call for agenda items for TSC call of Jan 16
Sent by:        tsc@...


 

Hi Everyone,

 

Thanks for all the emails, and it’s great to hear from you all post-winter holidays.

 

I had a question:  has any progress been made on the DCO front?  An email update would be awesome if there has been any news.

 

Thanks a lot for your time, and have a great day.

 

Thanks,

Hart

 

From: tsc@... [mailto:tsc@...] On Behalf Of Arnaud Le Hors
Sent: Wednesday, January 15, 2020 10:51 AM
To: Christopher Ferris <chrisfer@...>; Silona Bonewald <sbonewald@...>
Cc: dan.middleton@...; mwagner114@...; tsc@...
Subject: Re: [Hyperledger TSC] Call for agenda items for TSC call of Jan 16

 

All right, let's cancel the call this week again but, please, let's make sure we make progress for next week.

Chris, I will take over the issue on promoted release, so you can focus on trying to make progress on the repo structure.
Silona, please, try to put together a proposal for the governing doc update Task Force.


Thanks.
--
Arnaud  Le Hors - Senior Technical Staff Member, Blockchain & Web Open Technologies - IBM





From:        "Christopher Ferris" <chrisfer@...>
To:        mwagner114@...
Cc:        dan.middleton@..., "Arnaud Le Hors" <lehors@...>, tsc@...
Date:        01/15/2020 07:27 PM
Subject:        [EXTERNAL] Re: [Hyperledger TSC] Call for agenda items for TSC call of Jan 16
Sent by:        tsc@...





Yeah, I've been tied up in an offsite and haven't been able to make any progress on my actions (including the Fabric report). Apologies.

Cheers,

Christopher Ferris
IBM Fellow, CTO Open Technology
email: chrisfer@...
twitter: @christo4ferris
blog: https://developer.ibm.com/code/author/chrisfer/
IBM Open Source white paper: https://developer.ibm.com/articles/cl-open-architecture-update/
phone: +1 508 667 0402


----- Original message -----
From: "Mark Wagner" <mwagner114@...>
Sent by: tsc@...
To: Arnaud Le Hors <lehors@...>
Cc: "Middleton, Dan" <dan.middleton@...>, "Technical Steering Committee (TSC)" <tsc@...>
Subject: [EXTERNAL] Re: [Hyperledger TSC] Call for agenda items for TSC call of Jan 16
Date: Wed, Jan 15, 2020 1:14 PM

so no meeting?
 
On Wed, Jan 15, 2020, 08:23 Arnaud Le Hors <lehors@...> wrote:
Thanks Dan for your input.

The thing is that we do have owners for the open issues. Chris is leading the repo structure TF, and volunteered to make a clean proposal on the promoted release one. Silona owns the TF proposal one for governing docs. Evidently they just haven't had a chance to make progress on these.
--
Arnaud  Le Hors - Senior Technical Staff Member, Blockchain & Web Open Technologies - IBM





From:        "Middleton, Dan" <dan.middleton@...>
To:        Arnaud Le Hors <lehors@...>, "Technical Steering Committee (TSC)" <tsc@...>
Date:        01/15/2020 09:20 AM
Subject:        [EXTERNAL] Re: [Hyperledger TSC] Call for agenda items for TSC call of Jan 16
Sent by:        tsc@...


 

I have added a couple DCI announcements, but these announcements do not warrant a meeting.

  • DCI:
    • The DCI survey has incorporated edits from the fall review. HL marketing suggests it launch ahead of the Davos marketing campaign so we can make use of visibility from those hyperledger activities. This window also lets us assemble results in time to share at HLGF.
    • HL is requesting mentors for HLGF for a speed mentoring session. Details of the session are being planned. Please contact Celia Stamps <cstamps@linuxfoundation.org> if you would like to volunteer as a mentor.

I think it would be ideal to identify / remind owners for/of the open tasks this week and we all commit to meeting next week with some progress achieved. This is not a full list of open items but a couple items I see after reviewing our last few meeting minutes…

  • Repo structure task force:
  • Cleaning up / reorganizing the governing documents.
    • I believe we need a task force proposal?

 

Regards,
Dan

 

From: <tsc@...> on behalf of Arnaud Le Hors <lehors@...>
Date: Wednesday, January 15, 2020 at 8:40 AM
To: "Technical Steering Committee (TSC)" <tsc@...>
Subject: [Hyperledger TSC] Call for agenda items for TSC call of Jan 16

 

Hi all,
I'd rather not cancel this week's call but I can't say that I've seen much evidence of progress on the open issues. So, I'm hereby inviting everyone to chime in on what the agenda should cover this week.

The draft is here:
https://wiki.hyperledger.org/display/TSC/2020-01-16+TSC+Agenda

Short of being able to build a decent agenda I will cancel (again).

Thanks.
--
Arnaud  Le Hors - Senior Technical Staff Member, Blockchain & Web Open Technologies - IBM



 






 




 

 

--
Brian Behlendorf
Executive Director, Hyperledger
bbehlendorf@...
Twitter: @brianbehlendorf

 

 
