harmony-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Zoe Slattery <...@uk.ibm.com>
Subject Re: [legal] Proposed changes for the Bulk Contributor Questionnaire
Date Tue, 15 Nov 2005 14:58:55 GMT
Zoƫ Slattery
IBM

Tim Ellison <t.p.ellison@gmail.com> wrote on 15/11/2005 11:53:44:

> Geir Magnusson Jr. wrote:
> > I'm sorry, but I don't understand the issue here.  I'm proposing that
> > 
> > a) We suggest to people that are about to contribute to us to do some 
> > careful inspection before they do that.  The assumption here is that 
> > people are well-meaning but sometimes makes mistakes or are lazy, and 
> > we want them to think before the contribute.  A keyword scanner (which
> > is a glorified "grep") is a great way to find things that you  weren't
> > aware were there, such as who authors were (if there are  author 
tags),
> > what copyright claims are listed in the files, etc.    There's nothing
> > inherently evil about it.  It doesn't matter what SCO  or anyone else
> > did with a keyword scanner - we're trying to have it  used to protect
> > ourselves and just as importantly, other copyright  holders like Sun.
> 
> The keyword scan would be another tool in the Harmony IP-cleanliness
> toolkit, alongside the Contributor Questionnaire and Bulk Contribution
> Policy.  I'd like to see such a tool used not only on incoming bulk
> contributions but also used regularly on the day-to-day developed code
> base in svn.

I like the idea of Apache owning the IP scanning tools. It's easy to write 

keyword scanners (not much more complicated than grep). I have 
a few lines of perl that do basic keyword scanning - I'd be happy to put 
these 
in JIRA if it would be useful. 

> 
> Such tools and processes will never be perfect, and can only provide
> assistance with limited aspects (copyright/trademark) of the
> IP-cleanliness goal; however, it does set the tone for the project --
> that we care about such things for the Harmony code, and that we respect
> the IP rights of code outside Harmony to not be misappropriated into
> Harmony.
> 
> That said, I agree with Leo that naming BlackDuck as the provider of
> such cleanliness checks limits the Bulk Contribution Policy in a manner
> that is unneccessary.  The PPMC should be in a position to decide
> whether the actual checks performed by a contributor are sufficient or
> whether they think further checks are required.
> 
> > b) We use a tool internally to check code for which the contributor 
> > can't provide our ASQ for each author.  Ok, the tool isn't open 
source,
> > but I don't know of any options, and we need something like  this
> > *now*.  I'd love to see us create a toolsuite like this (because  one 
of
> > my goals is to work out a process that we can share with the  rest of
> > the ASF....), but we don't have the luxury of time to do it.
> 
> I have no experience of using BlackDuck, and no reason to believe they
> are anything other than a fine bunch of people.  IMHO we will be more
> successful by informing people of the risks and adopting good working
> practices rather than looking for the biggest stick to hit offenders (I
> know that you are not advocating that approach!).
> 
> So my constructive suggestion is to keep the extra questions in the
> questionnaire, but remove the single sentence:
>   "For example, the contribution may be compared against known
>    proprietary implementations of similar technology using a
>    service such as that offered by Black Duck or XXXXXXXXXX."
> 
> maybe replacing it with a reference to current best practice.
> 
> 
> Regards,
> Tim
> 
> 
> -- 
> 
> Tim Ellison (t.p.ellison@gmail.com)
> IBM Java technology centre, UK.

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message