www-legal-discuss mailing list archives

From Stephen Connolly <stephen.alan.conno...@gmail.com>
Subject Re: Continuous release review
Date Fri, 30 May 2014 22:19:20 GMT
We (maven) are slowly turning the RAT screws after identifying some legacy
issues (which we report tracking metrics on to the board, for anyone who's
not aware).

On maven core we have RAT well automated. For core releases I know I check
that the RAT config has not changed since previous release or check the
delta. Since we turned it on, we have found it quite useful... But then we
use CI to ensure that everything is awesome (everything is cool when you're
part of the team) after each commit and core is mostly a smaller number if

I was not suggesting that using RAT removes the necessity to keep on top of
the commits going into the code base... I am suggesting that if the PMC as
a whole is on top of the commits, then when release time comes around RAT
is sufficient to act as a check of those requirements.

The tricky part - for me - is the provenance of code stuff... Not that
others get that right either...

Case in point is Eclipse, which does a whole rigmarole dance over having
legal people review the changes... When every committer's CLA is an
unverified signature and could thus be forged... Quite possible for
somebody to commit to Eclipse code that they do not have the IP rights to
grant to Eclipse *and* the whole song and dance simply gives the illusion
of protection against that eventuality.

We have a similar problem, but no official song and dance... Nor do we have
(or, to my mind, want) a team of legal people to spend buckets of time
holding up a release for legal review.

It all boils down to the commits and whether the people making those
commits have the required IP rights for the code they are committing.

We trust our committers to do the right thing... Committers that we only
know via an email address... We may not even know their real name or
identity... But short of demanding a physical chain of trusted identity -
which would make it even harder to grow our communities - there is not much
we can do... We just have to trust they are doing things right...

Our committers also commit patches submitted by non-ASF people. We don't
give a clear guideline to committers w.r.t. how big a patch must be before
there must be an ICLA on file... Never mind things like easy impersonation
on GitHub... How are our committers supposed to know that the person
claiming to have submitted the patch is actually the same Joe Bloggs who
signed the ICLA... Let alone whether that person has the permission of the
IP owner to license the code to the ASF?

When I ponder what the PMC chair's extra responsibilities are w.r.t.
ensuring that releases comply with legal requirements, this problem is the
one that has me looking forward to rotating the Maven chair in a couple of
months ;-)

On Friday, 30 May 2014, Jacques Le Roux <jacques.le.roux@les7arts.com>

> We (OFBiz team) are using RAT, I mean it's not enough, it's not completely
> automated
> Jacques
> On 30/05/2014 17:42, Emmanuel Lécharny wrote:
>> On 30/05/2014 16:23, Jacques Le Roux wrote:
>>> On 30/05/2014 16:01, Stephen Connolly wrote:
>>>> * All the source code of the project must be covered by the Apache
>>>> License, version 2.0.
>>> We can't rely safely only on RAT (at least as it is now) for that; for
>>> instance, too many false positives in my experience.
>> What tool are you proposing for that check?
>> I mean, you are not seriously expecting to do that by hand?
>> (FTR, Apache Directory has 59 618 files...)
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org
>> For additional commands, e-mail: legal-discuss-help@apache.org

Sent from my phone
