harmony-dev mailing list archives

From "Geir Magnusson Jr." <ge...@apache.org>
Subject Re: [legal] Proposed changes for the Bulk Contributor Questionnaire
Date Mon, 14 Nov 2005 11:57:10 GMT

On Nov 14, 2005, at 4:51 AM, Leo Simons wrote:

> Rant below. Decided not to tone it down.

That's our Leo :)

> On Mon, Nov 14, 2005 at 12:11:57AM -0500, Geir Magnusson Jr. wrote:
>> Comments welcome.
> I like everything but the references to "Black Duck Software". I took
> a look at their website and their licensing policies and everything
> about it "feels" wrong. I don't like basing a big part of our processes
> on some commercial black box "service-like" offering.

Clearly this is something we'll want to talk about.  The key is to  
give people an indication that we're serious about this and will be  
using tools to help us along.

> Taking another look around the web for similar companies, they seem to
> be about "open source risk management" where the risk is to avoid
> "contaminating" proprietary stuff with "open source" stuff. I resent the
> idea of "open source" being "contaminating" or anything like that (GPL
> is viral, but most other stuff is not). There's this entire category of
> companies who capitalize on FUD. I can imagine SCO having stock options
> on some of 'em.

Well, I have a different view, but that's because I spent some time  
with them trying to understand.  I think what they originally set out  
to do is to provide risk management by letting you know what's  
happening in your codebases wrt license mingling.  If a developer  
mistakenly brings GPL-ed software into your product codebase and you  
distribute it, you have a big problem, right?

None of that is intrinsically evil or a comment on OSS - developers  
don't understand the nuances of OSS licensing, and this is bound to  
happen.  They also do it for proprietary codebases that they have  
access to (Sun's Java code for example) and you can load in your own.

Now, I'm not defending BD in any way here.  I was really interested  
in how we could use their technology to help us respect the rights of  
other IP holders, as well as ensure that what we accept and create is  

Another thing - they are really interested in working with OSS  
communities.  I have a note to go to infra@ about this which I'll  
post later today if I can get the time.

> I think we should avoid the ASF being seen as being part of any of that.
> ---
> Leading Open Source Foundation Does Not Trust Its Own Processes
> The ASF has recently started using the same tools that intellectual
> property sharks use when figuring out whom to send cease and desist
> letters.


> When asked for comments, the ASF said: "We finally gave up trying to
> understand why people are so scared of open source, so now we're just
> using some incomprehensible piece of commercial software which makes us
> feel secure. We think it's pretty silly, but if we already have run the
> tools, at least companies like SCO can't really use them as grounds for
> suing us since we'll look pretty clean when they run the tool."
> Darl McBride said: "We think the ASF is making a very smart decision
> by employing code scanning techniques. It's the only way to be safe from
> prosecution. Of course, most other open source organisations don't
> employ code scanning techniques (since they do have a brain of their
> own) so we're just going to sue all of those."
> IP firm XXX said: "What Darl said. Don't use any of that scary open
> source stuff. Even the ASF understands that now. Won't be long before
> they turn into a commercial entity themselves!"
> ---
> Grrrrr.
> Hmm. Didn't SCO run keyword scanners and the like? Didn't they find out
> that they'd actually taken code from open source codebases? Didn't much
> of the same happen at JBoss some time ago?

There have been many times when keyword scanners have informed us of  
code that had accidentally snuck into our codebase.  There's nothing  
intrinsically wrong with using tooling to find code that shouldn't be  

The point of mentioning a keyword scanner (e.g. grep -R ....) is to  
get people to look at the code, and do some basic due diligence.

> I doubt there's a lot of keyword scanning tools or any kind of other
> automated technology that I wouldn't be able to circumvent with a few
> hours of work. It's just such a stupid idea. If I take source code from
> (say) the sun jdk, work on it for a few weeks to make it look completely
> different so no line of the original code remains, I still have a
> derivative work but no scanner is going to be able to detect that. Just
> like spam still manages to make it into my inbox.

Right.  We are *never* secure from the efforts of a bad actor.   
Ever.  People can lie on their ICLA, their CCLA, the software grant.   
They can change the copyright, license and munge the code around a bit.

We're not trying to stop that - we're trying to stop accidents, and  
create a very clean developer base.

So the keyword scanner is for people to use on their code before  
contribution, to make them look at the list and ensure that what they  
find doesn't surprise them.

I ran a keyword scanner on the IBM contribution and found "Sun".  :)   
That made me want to look, and there is some code that is (c) Sun and  
is included, and can legally be.  But it just made me go look,  
because there are lots of bits of Sun code that can't be included.

So again - the scanner is to just get people to think and do some  
work, rather than just tossing code over the fence at us.

> I can imagine how some people or companies would feel safe if we were
> to say "we scanned everything using this intellectual property risk
> management tool XXX" but we'd be legitimizing something silly and giving a
> false sense of security.

Ah - this is for our purpose, IMO.  Any company that is significantly  
worried about this will do their own examination of anything we  
produce.  We're not trying to make a warranty claim about our  
software, but just do whatever we can to help ensure that stuff we  
don't want doesn't get in via bulk contributions, and our day to day  
efforts working on the codebase don't allow things to accidentally  
slip in either.

> Now, if these tools were open source and I'd be able to take a look at
> how they work I might put some trust in them. But fancy websites, lots
> of press releases, not a lot of technical details, anal usage
> restrictions and total lack of a "download" button just sets off a lot
> of alarm bells.

Yes, well.... that's one of the reasons I decided to go say "howdy"  
to them.  This is just the beginning.  If this doesn't work for us,  
it won't work for us.  But it's worth looking into because they do  
some pretty nice and interesting things.  That's the subject for  
another post, though.

> With my infra@ hat on I'd probably be against running this kind of
> black box software under this kind of policy on ASF hardware. With
> something like jira, I at least know how it works (or doesn't work) and
> what technology is under the cover and can get at the source code if I
> want to.



> - LSD

Geir Magnusson Jr                                  +1-203-665-6437
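As an added example (not code from this thread or from the Harmony project), here is the kind of pre-contribution keyword scan Geir describes: a recursive `grep` over a contribution tree, run by the contributor before submitting, that lists every file hitting a license or ownership keyword so each hit can be checked by hand. The sample tree and the keyword list are constructed for illustration.

```shell
#!/bin/sh
# Pre-contribution keyword scan (added example). The tree and keywords are
# constructed for illustration; a real contributor would point it at their
# own checkout and use the keyword list their project agrees on.
set -eu

# Build a constructed sample contribution: one clean file, one carrying a
# Sun copyright header, one carrying a GPL notice.
make_sample_tree() {
  dir=$(mktemp -d)
  mkdir -p "$dir/src/java/util" "$dir/src/java/net"
  printf '%s\n' '/* Licensed under the Apache License, Version 2.0 */' \
    'package java.util; public class Clean {}' > "$dir/src/java/util/Clean.java"
  printf '%s\n' '/* Copyright (c) 2004 Sun Microsystems, Inc. All rights reserved. */' \
    'package java.net; public class Borrowed {}' > "$dir/src/java/net/Borrowed.java"
  printf '%s\n' '// Released under the GNU General Public License' \
    'package java.util; public class Viral {}' > "$dir/src/java/util/Viral.java"
  printf '%s' "$dir"
}

# Recursive, case-insensitive grep for each keyword; one line per hit as
# "keyword<TAB>file:line:text". A keyword with no hits prints nothing.
scan_keywords() {
  t=$1; shift
  for kw in "$@"; do
    grep -R -n -i -- "$kw" "$t" | awk -v kw="$kw" '{ print kw "\t" $0 }'
  done
}

# Distinct files that hit any keyword: the list the contributor should read
# before deciding whether each hit is legitimate (as the (c) Sun code was).
flagged_files() {
  scan_keywords "$@" | cut -f2 | cut -d: -f1 | sort -u
}

# Number of flagged files, usable as a "review needed" gate in a script.
count_flagged() {
  flagged_files "$@" | wc -l | tr -d ' '
}

tree=$(make_sample_tree)
trap 'rm -rf "$tree"' EXIT
echo "== hits =="
scan_keywords "$tree" "Sun Microsystems" "General Public License" "All rights reserved"
echo "== files to review =="
flagged_files "$tree" "Sun Microsystems" "General Public License" "All rights reserved"
```

A hit is not a verdict: as the thread says, the list exists to make the contributor look at each file and explain why it is there.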
