Re: Signed-off-by and aliases


 



On Fri, Jul 31, 2015 at 8:59 PM, Loic Dachary <loic@xxxxxxxxxxx> wrote:
> Hi Ceph,
>
> We require that each commit has a Signed-off-by line with the name and email of the author. The general idea is that the Ceph project trusts each developer to understand what it entails[1]. There is no formal verification: the person submitting the patch could use a fake name or publish code from someone else. In reality the odds of that happening and causing problems are so low that neither Ceph nor the Linux kernel felt the need to impose a more formal process. There is no bulletproof process anyway, it's all about balancing risks and costs.
>
> If a contributor was using an alias that looks like a real name (for instance I could contribute under the name Louis Lavile), (s)he would go unnoticed and her/his contribution would be accepted as any other. If the same contributor was using an alias that is obviously an alias (such as A. Nonymous), it would raise the question of accepting contributions Signed-off with an alias.
>
> I think Ceph should accept contributions that are signed with an alias because it does not make a difference.
>
> From a lawyer's perspective, there is a difference between an alias and a real name, of course. Should the author be in court, (s)he would have to prove (s)he is the person behind the alias. If (s)he was using her/his real name, an ID card would be enough. And probably other differences that I don't see because IANAL. However since we already accept Signed-off-by that are not formally verified, we're already in a situation where we implicitly accept aliases. Explicitly accepting aliases would not change that, therefore it is not actually something we need to run by lawyers because nothing changes from a legal standpoint.
>
> What do you think?

(Without any legal knowledge whatsoever, and speaking in general terms
rather than about any particular code or vendor's practices or
products)

My understanding is that projects use a Signed-off-by line for the
contributor to certify that they agree with the "Developer's
Certificate of Origin".

The purpose of a certificate of origin is that if I am distributing
AcmeProject packages, and EvilCorp says "hey, we found our highly
patented code in your package!" then I can say "actually this was
submitted by Elizabeth Windsor <liz@xxxxxxxxxxxxxxxxxxxx>, who
certified to me that she had the rights to the code.  I can thus
demonstrate that the original infringement was by her, and any
infringement in my distribution of the software was accidental, I
acted in good faith."

OTOH if I said "That code was contributed by A.Nonymous", then
EvilCorp would say "Well, that could just as easily have been one of
your own developers, acting anonymously, so you have not demonstrated
that the infringement was unintentional".

So in my opinion, it is necessary that any project wishing to apply a
"certificate of origin" process also needs to have a real name policy.

John