harmony-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Tim Ellison <t.p.elli...@gmail.com>
Subject Re: [legal] Proposed changes for the Bulk Contributor Questionnaire
Date Tue, 15 Nov 2005 11:53:44 GMT
Geir Magnusson Jr. wrote:
> I'm sorry, but I don't understand the issue here.  I'm proposing that
> a) We suggest to people that are about to contribute to us to do some 
> careful inspection before they do that.  The assumption here is that 
> people are well-meaning but sometimes makes mistakes or are lazy, and 
> we want them to think before the contribute.  A keyword scanner  (which
> is a glorified "grep") is a great way to find things that you  weren't
> aware were there, such as who authors were (if there are  author tags),
> what copyright claims are listed in the files, etc.    There's nothing
> inherently evil about it.  It doesn't matter what SCO  or anyone else
> did with a keyword scanner - we're trying to have it  used to protect
> ourselves and just as importantly, other copyright  holders like Sun.

The keyword scan would be another tool in the Harmony IP-cleanliness
toolkit, alongside the Contributor Questionnaire and Bulk Contribution
Policy.  I'd like to see such a tool used not only on incoming bulk
contributions but also used regularly on the day-to-day developed code
base in svn.

Such tools and processes will never be perfect, and can only provide
assistance with limited aspects (copyright/trademark) of the
IP-cleanliness goal; however, it does set the tone for the project --
that we care about such things for the Harmony code, and that we respect
the IP rights of code outside Harmony to not be misappropriated into

That said, I agree with Leo that naming BlackDuck as the provider of
such cleanliness checks limits the Bulk Contribution Policy in a manner
that is unneccessary.  The PPMC should be in a position to decide
whether the actual checks performed by a contributor are sufficient or
whether they think further checks are required.

> b) We use a tool internally to check code for which the contributor 
> can't provide our ASQ for each author.  Ok, the tool isn't open  source,
> but I don't know of any options, and we need something like  this
> *now*.  I'd love to see us create a toolsuite like this (because  one of
> my goals is to work out a process that we can share with the  rest of
> the ASF....), but we don't have the luxury of time to do it.

I have no experience of using BlackDuck, and no reason to believe they
are anything other than a fine bunch of people.  IMHO we will be more
successful by informing people of the risks and adopting good working
practices rather than looking for the biggest stick to hit offenders (I
know that you are not advocating that approach!).

So my constructive suggestion is to keep the extra questions in the
questionnaire, but remove the single sentence:
  "For example, the contribution may be compared against known
   proprietary implementations of similar technology using a
   service such as that offered by Black Duck or XXXXXXXXXX."

maybe replacing it with a reference to current best practice.



Tim Ellison (t.p.ellison@gmail.com)
IBM Java technology centre, UK.

View raw message