harmony-dev mailing list archives

From "Geir Magnusson Jr." <ge...@apache.org>
Subject Re: [legal] Proposed changes for the Bulk Contributor Questionnaire
Date Tue, 15 Nov 2005 03:33:39 GMT

On Nov 14, 2005, at 9:57 AM, Stefano Mazzocchi wrote:

> Leo Simons wrote:
>
>> Rant below. Decided not to tone it down.
>>
>> On Mon, Nov 14, 2005 at 12:11:57AM -0500, Geir Magnusson Jr. wrote:
>>
>>> Comments welcome.
>>>
>> I like everything but the references to "Black Duck Software". I took
>> a look at their website and their licensing policies and everything
>> about it "feels" wrong. I don't like basing a big part of our processes
>> on some commercial black box "service-like" offering.
>>
>> Taking another look around the web for similar companies, they seem to
>> be about "open source risk management" where the risk is to avoid
>> "contaminating" proprietary stuff with "open source" stuff. I resent the
>> idea of "open source" being "contaminating" or anything like that (GPL
>> is viral, but most other stuff is not). There's this entire category of
>> companies who capitalize on FUD. I can imagine SCO having stock options
>> on some of 'em.
>>
>> I think we should avoid the ASF being seen as being part of any of that.
>>
>> ---
>> Leading Open Source Foundation Does Not Trust Its Own Processes
>>
>> The ASF has recently started using the same tools that intellectual
>> property sharks use when figuring out whom to send cease and desist
>> letters.
>>
>> When asked for comments, the ASF said: "We finally gave up trying to
>> understand why people are so scared of open source, so now we're just
>> using some incomprehensible piece of commercial software which makes us
>> feel secure. We think it's pretty silly, but if we already have run the
>> tools, at least companies like SCO can't really use them as grounds for
>> suing us since we'll look pretty clean when they run the tool."
>>
>> Darl McBride said: "We think the ASF is making a very smart decision
>> by employing code scanning techniques. It's the only way to be safe from
>> prosecution. Of course, most other open source organisations don't
>> employ code scanning techniques (since they do have a brain of their
>> own) so we're just going to sue all of those."
>>
>> IP firm XXX said: "What Darl said. Don't use any of that scary open
>> source stuff. Even the ASF understands that now. Won't be long before
>> they turn into a commercial entity themselves!"
>> ---
>>
>> Grrrrr.
>>
>> Hmm. Didn't SCO run keyword scanners and the like? Didn't they find out
>> that they'd actually taken code from open source codebases? Didn't much
>> of the same happen at JBoss some time ago?
>>
>> I doubt there's a lot of keyword scanning tools or any kind of other
>> automated technology that I wouldn't be able to circumvent with a few
>> hours of work. It's just such a stupid idea. If I take source code from
>> (say) the sun jdk, work on it for a few weeks to make it look completely
>> different so no line of the original code remains, I still have a
>> derivative work but no scanner is going to be able to detect that. Just
>> like spam still manages to make it into my inbox.
>>
>> I can imagine how some people or companies would feel safe if we were
>> to say "we scanned everything using this intellectual property risk
>> management tool XXX" but we'd be legitimizing something silly and giving a
>> false sense of security.
>>
>> Now, if these tools were open source and I'd be able to take a look at
>> how they work I might put some trust in them. But fancy websites, lots
>> of press releases, not a lot of technical details, anal usage
>> restrictions and total lack of a "download" button just sets off a lot
>> of alarm bells.
>>
>> With my infra@ hat on I'd probably be against running this kind of
>> black box software under this kind of policy on ASF hardware. With
>> something like jira, I at least know how it works (or doesn't work) and what
>> technology is under the cover and can get at the source code if I want to.
>>
>
> Leo++

I'm sorry, but I don't understand the issue here.  I'm proposing that

a) We suggest to people that are about to contribute to us to do some
careful inspection before they do that.  The assumption here is that
people are well-meaning but sometimes make mistakes or are lazy, and
we want them to think before they contribute.  A keyword scanner
(which is a glorified "grep") is a great way to find things that you
weren't aware were there, such as who authors were (if there are
author tags), what copyright claims are listed in the files, etc.
There's nothing inherently evil about it.  It doesn't matter what SCO
or anyone else did with a keyword scanner - we're trying to have it
used to protect ourselves and just as importantly, other copyright
holders like Sun.

b) We use a tool internally to check code for which the contributor
can't provide our ASQ for each author.  Ok, the tool isn't open
source, but I don't know of any options, and we need something like
this *now*.  I'd love to see us create a toolsuite like this (because
one of my goals is to work out a process that we can share with the
rest of the ASF...), but we don't have the luxury of time to do it.

geir

-- 
Geir Magnusson Jr                                  +1-203-665-6437
geirm@apache.org
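The keyword scanner Geir describes in (a), as an added example that is not part of the original message and not any ASF or Black Duck tool: a small Python script that greps a set of source files for author tags, copyright statements and license keywords and reports them per file, which is what a contributor could run over a bulk contribution before sending it. The file contents, the pattern names and the `scan_tree`/`summarize` helpers are assumptions constructed for this illustration. The third file carries no markers and yields no findings, which is the limit Leo points out: a scan like this surfaces what is still declared in the text, not what has been rewritten out of it, so a clean report is a self-inspection result and not evidence of provenance.

```python
"""Minimal provenance scanner: a 'glorified grep' over source text.

Constructed example, not ASF tooling. It flags the markers a contributor
can inspect before contributing (author tags, copyright statements,
license keywords). It cannot detect a derivative work whose identifying
text has been removed; a clean report only means no markers remain.
"""
import re
from dataclasses import dataclass

# Patterns are constructed for illustration; a real project tunes these.
PATTERNS = {
    "author-tag": re.compile(r"@author\s+([^*\n]+)", re.IGNORECASE),
    "copyright": re.compile(r"copyright\s*(?:\(c\)|©)?\s*[0-9]{4}.*", re.IGNORECASE),
    "license-keyword": re.compile(
        r"\b(GNU General Public License|GPL|LGPL|All Rights Reserved)\b"),
}


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str
    text: str


def scan_text(path, text):
    """Return every pattern hit in one file, in line order then pattern order."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            match = pattern.search(line)
            if match:
                findings.append(Finding(path, line_no, kind, match.group(0).strip()))
    return findings


def scan_tree(files):
    """files: mapping of relative path -> contents (an in-memory stand-in
    for walking a directory, so the example runs offline)."""
    return {path: scan_text(path, text) for path, text in sorted(files.items())}


def summarize(report):
    """Count findings per kind across the tree so a reviewer sees what to follow up."""
    counts = {}
    for findings in report.values():
        for finding in findings:
            counts[finding.kind] = counts.get(finding.kind, 0) + 1
    return counts


# Constructed sample tree: one file with a third-party header and author tag,
# one with a license keyword, one with no markers at all.
SAMPLE_TREE = {
    "src/Foo.java": (
        "/*\n * Copyright (c) 2001 Example Corp. All Rights Reserved.\n */\n"
        "/** @author Jane Doe */\npublic class Foo {}\n"),
    "src/Bar.java": (
        "// Licensed under the GNU General Public License\npublic class Bar {}\n"),
    "src/Clean.java": "public class Clean { int f() { return 1; } }\n",
}


if __name__ == "__main__":
    report = scan_tree(SAMPLE_TREE)
    for path, findings in report.items():
        print(f"{path}: {len(findings)} finding(s)")
        for f in findings:
            print(f"  line {f.line_no:>3} [{f.kind}] {f.text}")
    print("summary:", summarize(report))
```

The per-line loop reports every pattern that hits, so a single copyright header that also says "All Rights Reserved" shows up twice, once under each kind; that is deliberate, since a reviewer wants both the ownership claim and the license term in front of them before asking the contributor for the questionnaire.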


