From: Loic Dachary <loic@dachary.org>
To: John Spray <jspray@redhat.com>
Cc: Ceph Development <ceph-devel@vger.kernel.org>
Subject: Re: Signed-off-by and aliases
Date: Mon, 03 Aug 2015 22:10:19 +0200	[thread overview]
Message-ID: <55BFCAAB.1040707@dachary.org> (raw)
In-Reply-To: <CALe9h7fsi-UcQ3W0d=t4dCBpNy5vtL8q=sO902FbQN21yNGjQg@mail.gmail.com>

On 03/08/2015 21:18, John Spray wrote:
> On Fri, Jul 31, 2015 at 8:59 PM, Loic Dachary <loic@dachary.org> wrote:
>> Hi Ceph,
>>
>> We require that each commit has a Signed-off-by line with the name and email of the author. The general idea is that the Ceph project trusts each developer to understand what it entails[1]. There is no formal verification: the person submitting the patch could use a fake name or publish code from someone else. In reality the odds of that happening and causing problems are so low that neither Ceph nor the Linux kernel felt the need to impose a more formal process. There is no bullet-proof process anyway; it's all about balancing risks and costs.
>>
>> If a contributor was using an alias that looks like a real name (for instance I could contribute under the name Louis Lavile), (s)he would go unnoticed and her/his contribution would be accepted as any other. If the same contributor was using an alias that is obviously an alias (such as A. Nonymous), it would raise the question of accepting contributions Signed-off with an alias.
>>
>> I think Ceph should accept contributions that are signed with an alias because it does not make a difference.
>>
>> From a lawyer perspective, there is a difference between an alias and a real name, of course. Should the author be in court, (s)he would have to prove (s)he is the person behind the alias. If (s)he was using her/his real name, an ID card would be enough. And probably other differences that I don't see because IANAL. However since we already accept Signed-off-by that are not formally verified, we're already in a situation where we implicitly accept aliases. Explicitly accepting aliases would not change that, therefore it is not actually something we need to run by lawyers because nothing changes from a legal standpoint.
>>
>> What do you think ?
> 
> (Without any legal knowledge whatsoever, and speaking in general terms
> rather than about any particular code or vendor's practices or
> products)

In these matters the project lead needs to make a decision that makes sense and then ask lawyers to implement it. We don't need to be lawyers to do that.

> 
> My understanding is that projects use a Signed-off-by line for the
> contributor to certify that they agree with the "Developer's
> Certificate of Origin".
> 
> The purpose of a certificate of origin is that if I am distributing
> AcmeProject packages, and EvilCorp says "hey, we found our highly
> patented code in your package!" then I can say "actually this was
> submitted by Elizabeth Windsor <liz@buckinghampalace.org>, who
> certified to me that she had the rights to the code.  I can thus
> demonstrate that the original infringement was by her, and any
> infringement in my distribution of the software was accidental, I
> acted in good faith."
> 
> OTOH if I said "That code was contributed by A.Nonymous", then
> EvilCorp would say "Well, that could just as easily have been one of
> your own developers, acting anonymously, so you have not demonstrated
> that the infringement was unintentional".
> 
> So in my opinion, it is necessary that any project wishing to apply a
> "certificate of origin" process also needs to have a real name policy.

If that was indeed what a Signed-off-by does, I would also be against using aliases. In reality a Signed-off-by is nothing more than a convenient means to get in touch with someone who claimed to be the author of a patch.

The companies making and distributing Free Software using Signed-off-by like Ceph does do not even attempt to verify that the person behind the Signed-off-by really is who (s)he claims. I don't think that's because they have been careless for the past decade. I think that's because it would not make a significant difference and that it would be a burden to the project. The company lawyers would certainly claim that it would be better to verify the identity for each Signed-off-by. But in practice they don't push for it, not even for the Linux kernel, which went into more legal trouble than any other Free Software project.

My point is that there could already be a dozen aliases that look like real names in the current Signed-off-by list. Explicitly accepting aliases that look like aliases would just be an acknowledgement of what we already do.

Cheers

-- 
Loïc Dachary, Artisan Logiciel Libre
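The thread's technical point is that a Signed-off-by line is a free-form git trailer that nobody verifies: a checker can only confirm that the trailer is present and that it matches the commit's author field, and an alias such as "Louis Lavile" or "A. Nonymous" passes exactly like a real name. The following script is an added example to make that limit concrete; it is not Ceph's code or anything from the thread. It assumes commits are exported with `git log --format='%an%n%ae%n%B%x00'` (author name, author email, raw body, NUL terminator), and the sample log, names and addresses below are constructed for illustration.

```python
"""Syntactic DCO check over git log output (added example, not Ceph's code)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# "Signed-off-by: Name <email>" trailers as written by `git commit -s`.
SOB_RE = re.compile(
    r"^Signed-off-by:\s*(?P<name>[^<]+?)\s*<(?P<email>[^>]+)>\s*$", re.MULTILINE
)
# Loose shape check for an address; it says nothing about whether it is real.
ADDR_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")


@dataclass
class Commit:
    author_name: str
    author_email: str
    message: str


def parse_git_log(text: str) -> List[Commit]:
    """Parse records produced by: git log --format='%an%n%ae%n%B%x00'
    Each record is author name, author email, then the raw body, NUL-terminated."""
    commits = []
    for record in text.split("\x00"):
        if not record.strip():
            continue
        parts = record.lstrip("\n").split("\n", 2)
        while len(parts) < 3:          # tolerate a body-less record
            parts.append("")
        name, email, body = parts
        commits.append(Commit(name, email, body))
    return commits


def signoffs(message: str) -> List[Tuple[str, str]]:
    """All (name, email) pairs from Signed-off-by trailers, in order of appearance."""
    return [(m.group("name").strip(), m.group("email").strip().lower())
            for m in SOB_RE.finditer(message)]


def check_dco(commit: Commit) -> List[str]:
    """Return findings for one commit; an empty list means the commit passes.
    This is purely syntactic: it detects a missing trailer or one that does not
    match the author field, but cannot tell a real name from an alias."""
    sobs = signoffs(commit.message)
    if not sobs:
        return ["missing Signed-off-by"]
    findings = []
    author = (commit.author_name.strip(), commit.author_email.strip().lower())
    if author not in sobs:
        findings.append(
            f"author {author[0]} <{author[1]}> has no matching Signed-off-by")
    for name, email in sobs:
        if not ADDR_RE.fullmatch(email):
            findings.append(f"malformed address in Signed-off-by: {name} <{email}>")
    return findings


def audit(log_text: str) -> Dict[str, List[str]]:
    """Map each commit's subject line to its findings."""
    return {c.message.strip().split("\n")[0]: check_dco(c)
            for c in parse_git_log(log_text)}


# Constructed sample log in the format above. "Louis Lavile" (an alias that looks
# like a name) and "A. Nonymous" (an obvious alias) both pass; only the commit with
# no trailer and the one whose signer differs from the author are flagged.
SAMPLE_LOG = (
    "Louis Lavile\nlouis@example.org\n"
    "mon: reject stale beacons\n\nSigned-off-by: Louis Lavile <louis@example.org>\n\x00\n"
    "A. Nonymous\nanon@example.org\n"
    "osd: fix typo\n\nSigned-off-by: A. Nonymous <anon@example.org>\n\x00\n"
    "Jane Doe\njane@example.org\n"
    "rgw: add test\n\x00\n"
    "Jane Doe\njane@example.org\n"
    "mds: forwarded fix\n\nSigned-off-by: Bob Smith <bob@example.org>\n\x00\n"
)

if __name__ == "__main__":
    for subject, findings in audit(SAMPLE_LOG).items():
        print(f"{subject}: {'ok' if not findings else '; '.join(findings)}")
```

Run it against a real repository with `git log --format='%an%n%ae%n%B%x00' | python3 dco_check.py` after replacing `SAMPLE_LOG` with `sys.stdin.read()`; the two alias commits still come back clean, which is the whole argument of the message above.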


Thread overview: 24+ messages
2015-07-31 19:59 Signed-off-by and aliases Loic Dachary
2015-08-01  8:11 ` Wido den Hollander
2015-08-02 16:19   ` Joao Eduardo Luis
2015-08-03 19:02     ` Wido den Hollander
2015-08-03 19:18 ` John Spray
2015-08-03 20:10   ` Loic Dachary [this message]
2015-08-12 10:54     ` Gregory Farnum
2015-08-12 12:51       ` Loic Dachary
2015-08-14  8:49         ` Joao Eduardo Luis
2015-08-14 10:56           ` Loic Dachary
2015-08-17 20:19             ` Alex Elsayed
2015-08-17 20:44               ` Loic Dachary
2015-08-17 20:58                 ` Alex Elsayed
2015-08-17 21:18                   ` Loic Dachary
2015-08-17 21:23                     ` Alex Elsayed
2015-08-18 13:39                   ` Sage Weil
2015-08-18 15:11                     ` Alex Elsayed
  -- strict thread matches above, loose matches on Subject: below --
2014-05-19 15:13 Loic Dachary
     [not found] ` <1400513274.44658.YahooMailNeo@web165002.mail.bf1.yahoo.com>
2014-05-19 16:47   ` Loic Dachary
2014-05-20  4:19   ` Richard Fontana
2014-05-20  5:31     ` Loic Dachary
2014-05-20 13:56       ` Richard Fontana
2014-05-21 17:06 ` Loic Dachary
2014-05-21 17:31   ` Richard Fontana
