harmony-dev mailing list archives

From "Geir Magnusson Jr." <ge...@apache.org>
Subject Re: [legal] Proposed changes for the Bulk Contributor Questionnaire
Date Tue, 15 Nov 2005 13:19:50 GMT

On Nov 15, 2005, at 6:53 AM, Tim Ellison wrote:

> Geir Magnusson Jr. wrote:
>> I'm sorry, but I don't understand the issue here.  I'm proposing that
>> a) We suggest to people that are about to contribute to us to do some
>> careful inspection before they do that.  The assumption here is that
>> people are well-meaning but sometimes make mistakes or are lazy, and
>> we want them to think before they contribute.  A keyword scanner (which
>> is a glorified "grep") is a great way to find things that you weren't
>> aware were there, such as who authors were (if there are author tags),
>> what copyright claims are listed in the files, etc.  There's nothing
>> inherently evil about it.  It doesn't matter what SCO or anyone else
>> did with a keyword scanner - we're trying to have it used to protect
>> ourselves and just as importantly, other copyright holders like Sun.
> The keyword scan would be another tool in the Harmony IP-cleanliness
> toolkit, alongside the Contributor Questionnaire and Bulk Contribution
> Policy.  I'd like to see such a tool used not only on incoming bulk
> contributions but also used regularly on the day-to-day developed code
> base in svn.

> Such tools and processes will never be perfect, and can only provide
> assistance with limited aspects (copyright/trademark) of the
> IP-cleanliness goal; however, it does set the tone for the project --
> that we care about such things for the Harmony code, and that we respect
> the IP rights of code outside Harmony to not be misappropriated into
> Harmony.
> That said, I agree with Leo that naming BlackDuck as the provider of
> such cleanliness checks limits the Bulk Contribution Policy in a manner
> that is unnecessary.  The PPMC should be in a position to decide
> whether the actual checks performed by a contributor are sufficient or
> whether they think further checks are required.

We used the phrase "such as" to give people the idea.  We don't want  
to endorse or promote any such technology or company as part of our  
governance process (of course), so it was never meant that we'd have  
specific endorsements in our guidelines for contributors.  The  
phrasing as is was to illustrate and trigger discussion.

However, the key issue is what we do in the project.  I think that we  
should have a baseline set of checks though, as that makes our IP  
pedigree that much simpler and cleaner....

>> b) We use a tool internally to check code for which the contributor
>> can't provide our ASQ for each author.  Ok, the tool isn't open source,
>> but I don't know of any options, and we need something like this
>> *now*.  I'd love to see us create a toolsuite like this (because one of
>> my goals is to work out a process that we can share with the rest of
>> the ASF....), but we don't have the luxury of time to do it.
> I have no experience of using BlackDuck, and no reason to believe they
> are anything other than a fine bunch of people.  IMHO we will be more
> successful by informing people of the risks and adopting good working
> practices rather than looking for the biggest stick to hit offenders (I
> know that you are not advocating that approach!).
> So my constructive suggestion is to keep the extra questions in the
> questionnaire, but remove the single sentence:
>   "For example, the contribution may be compared against known
>    proprietary implementations of similar technology using a
>    service such as that offered by Black Duck or XXXXXXXXXX."
> maybe replacing it with a reference to current best practice.

Geir Magnusson Jr                                  +1-203-665-6437
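
The "glorified grep" the thread talks about, as an added example that is not part of the original message and not a Harmony or ASF tool: it walks a contribution and reports the things the message says a keyword scan is good at surfacing (author tags, copyright lines and who they name, and files with no license header at all), so a PPMC reviewer gets a list of files to look at rather than a guess. The sample "tree" is a constructed in-memory dict, the EXPECTED_HOLDERS list and the license marker string are illustrative assumptions rather than any project's actual policy, and scan_directory is the same scan pointed at a real checkout.

```python
"""Toy keyword scanner for incoming contributions (added example, not project code)."""
import os
import re
from collections import Counter
from dataclasses import dataclass

AUTHOR_RE = re.compile(r"@author\s+(.+)")
# Matches "Copyright 2005 Foo", "Copyright (c) 2001-2004 Foo", "copyright © Foo"
# and captures whatever follows the year(s) as the claimed holder.
COPYRIGHT_RE = re.compile(
    r"copyright\s*(?:\(c\)|©)?\s*(?:[\d,\s-]+)?\s*(.+)", re.IGNORECASE
)
# Assumption: illustrative values, not the ASF's actual header or holder list.
LICENSE_MARKERS = ("Licensed under the Apache License",)
EXPECTED_HOLDERS = ("The Apache Software Foundation",)
SOURCE_SUFFIXES = (".java", ".c", ".h", ".py", ".xml", ".txt")


@dataclass
class Finding:
    path: str
    line_no: int   # 0 means "whole file"
    kind: str      # author | copyright | foreign-copyright | no-license-header
    detail: str


def scan_text(path, text):
    """Grep one file's text for author tags, copyright claims and a license header."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = AUTHOR_RE.search(line)
        if m:
            findings.append(Finding(path, line_no, "author", m.group(1).strip()))
        m = COPYRIGHT_RE.search(line)
        if m:
            holder = m.group(1).strip().rstrip(".")
            expected = any(h.lower() in holder.lower() for h in EXPECTED_HOLDERS)
            kind = "copyright" if expected else "foreign-copyright"
            findings.append(Finding(path, line_no, kind, holder))
    if not any(marker in text for marker in LICENSE_MARKERS):
        findings.append(Finding(path, 0, "no-license-header", "no Apache License header found"))
    return findings


def scan_tree(tree):
    """Scan a mapping of path -> file text (used here for the constructed sample)."""
    return [f for path in sorted(tree) for f in scan_text(path, tree[path])]


def scan_directory(root):
    """Scan a real checkout; unreadable or binary files are skipped rather than fatal."""
    tree = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.endswith(SOURCE_SUFFIXES):
                full = os.path.join(dirpath, name)
                try:
                    with open(full, encoding="utf-8", errors="strict") as fh:
                        tree[full] = fh.read()
                except (OSError, UnicodeDecodeError):
                    continue
    return scan_tree(tree)


def summarize(findings):
    """Count findings per kind, e.g. {'foreign-copyright': 1, ...}."""
    return dict(Counter(f.kind for f in findings))


def needs_review(findings):
    """Files a reviewer should open by hand: anything with an author tag,
    a copyright claim by someone other than the expected holder(s), or no header."""
    flagged = {"author", "foreign-copyright", "no-license-header"}
    return sorted({f.path for f in findings if f.kind in flagged})


# Constructed sample contribution: one clean file, one carrying a third-party
# copyright and an author tag, and one with no header at all.
SAMPLE_TREE = {
    "src/Foo.java": (
        "/*\n * Licensed under the Apache License, Version 2.0\n"
        " * Copyright 2005 The Apache Software Foundation\n */\npublic class Foo {}\n"
    ),
    "src/Bar.java": (
        "/*\n * Copyright (c) 2001-2004 Sun Microsystems, Inc.\n"
        " * @author Someone Else\n */\npublic class Bar {}\n"
    ),
    "src/Baz.java": "public class Baz {}\n",
}

if __name__ == "__main__":
    results = scan_tree(SAMPLE_TREE)
    for f in results:
        print(f"{f.path}:{f.line_no}: {f.kind}: {f.detail}")
    print("summary:", summarize(results))
    print("review by hand:", needs_review(results))
```

On the sample, Foo.java produces only an expected-holder copyright finding, Bar.java is flagged for the Sun copyright, the author tag and the missing header, and Baz.java for the missing header alone. A scan like this only finds what is written in the files; it says nothing about code that was copied without its notices, which is exactly the limit Tim's reply points at.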
