Add DCO and commit-message.md

[chriscool]

These are documents we might want to add if we use GitCop. I will perhaps add them to another PR instead of this one. So please don't merge for now.

[chriscool]

Also this should be rebased.

[wking]

Maybe ‘his’ → ‘their’ to get a gender-neutral possessive pronoun?

[wking]

On Sat, Jun 06, 2015 at 10:24:06AM -0700, Christian Couder wrote:

• Add DCO and commit-message.md

It's probably worth mentioning http://developercertificate.org/ in the
commit message, since we didn't write that and it's not under the MIT
license (although its verbatim-copies-only license is pretty clear
from the file itself).

[chriscool]

@wking thanks, I am working on your suggestions.

By the way I tested the new GitCop features here on my fork and it looks like it works:

chriscool#1

[chriscool]

Ok, I think this PR is now ready. I added the script from PR #212 (Add setup_commit_msg_hook.sh). So there is everything in it to enable GitCop.

[chriscool]

One can see how commit-message.md looks like here: https://github.com/chriscool/go-ipfs/blob/commit-messages/commit-message.md

[jbenet]

@chriscool oh sorry i commented over at chriscool#1

---

maybe let's put all the guidelines and commit hook stuff over in https://github.com/ipfs/community ?
I think:

• docs/commit-message.md
• docs/developer-certificate-of-origin
• dev/tools/hooks/setup_commit_msg_hook.sh

I know it's annoying to have it in another repo, but we'll need to enable this for a lot of repos.

[chriscool]

Ok will do that.

[rht]

What is "real name"? What if the author is a vermin without a legal name?

[wking]

On Sat, Jun 06, 2015 at 03:19:37PM -0700, rht wrote:

• where "User Name" is the author's real name and email@address one of

What is "real name"? What if the author is a vermin without a legal
name?

Presumably it's how you'd identify yourself to a court considering a
copyright- or licence-infringement case. I'm not sure how that breaks
down in edge cases, but I imagine most contributors will have a
government-issued ID that has a name on it, and that would probably be
a good choice ;).

[jbenet]

The DCO and copyright licenses are for ensuring protections + rights to use / modify code are respected. These only matter in various nation's legal courts, and these names are only relevant in that context. I am not sure how other projects handle identity, but pseudonyms/personas should be fine according to most legal codes (it's fine in US code and lots of other copyright systems are based on or compatible with the US one).

However, the linux kernel contribution guidelines say:

then you just add a line saying

Signed-off-by: Random J Developer <random@developer.example.org>

using your real name (sorry, no pseudonyms or anonymous contributions.)
-- from https://www.kernel.org/doc/Documentation/SubmittingPatches

I presume this is for both security + legal concerns (It may be tricky to deal with pseudonymous contribution in other countries. And it certainly is easier to trust contributions if you know who wrote them, and why.) I'm sure some pseudonymous contribution case has come up though-- i'd be curious how they handled it.

For our purposes, until further notice, i'm fine accepting pseudonymous contributions that bear the License: MIT trailer, so that it is known -- beyond shadow of a doubt -- that the license has been properly signed off to.

---

one the internet nobody know's i'm a cat :)

[jbenet]

A quick search gives non-promising results: https://www.google.com/webhp#q=pseudonymous+contribution+open+source -- seems like everyone's scared. But this isn't right. I think the right of using pseudonyms is an important part of a free society. (e.g. http://en.wikipedia.org/wiki/The_Federalist_Papers) I will look into this, because I think the copyright concerns aren't real. Hopefully we can find some legal precedent to point to.

[whyrusleeping]

While I dont have an issue using my real name anywhere, I prefer to use whyrusleeping as often as possible.

[wking]

On Sun, Jun 07, 2015 at 01:30:40PM -0700, Juan Batiz-Benet wrote:

Don't think we should go the "required signed pgp commit" route just
yet…

Right, I was just suggesting that as an option for people who were
wondering “how do I convince a court that I am the pseudonymous author
of this commit”.

[rht]

@wking Contribution signing (any of commit/tag/pr) is much preferred even in the non-pseudonymous case. It just happens that it is still not practical nowadays (for large scale projects). When it becomes practical it will enable pseudonymous contributor to verify itself. From your viewpoint, I wonder if this is an unnecessary side effect, or should be prevented by any means? For the latter, e.g. every key has to be tied to a gov id.

[wking]

On Mon, Jun 08, 2015 at 01:28:01AM -0700, rht wrote:

@wking Contribution signing (any of commit/tag/pr) is much preferred
even in the non-pseudonymous case. It just happens that it is still
not practical nowadays (for large scale projects).

I don't understand why it's not practical. I think Gerwitz explains
things well in 1, but the main issues he points out include:

a. What good are signatures by a one-off key?
b. How do you handle signatures in the context of rebases or
additional commit-message trailers?
c. How do you aggregate signatures as commits trickle up a lieutenant
tree? Or equivalently, as external auditors review the changes.

and I don't see those being addressed in the near future. In any
case, those features would be nice, but don't seem to be major
adoption blockers. I expect the major issue with adoption is just
lack of motivation, just like it is for the majority of email users
not using OpenPGP.

When it becomes practical it will enable pseudonymous contributor to
verify itself.

For this purpose, I think it's practical now.

From your viewpoint, I wonder if this is an unnecessary side effect,
or should be prevented by any means? For the latter, e.g. every key
has to be tied to a gov id.

I haven't looked up any previous case history (and I don't even know
if previous cases exist), but I expect tying the singing key to a
government ID isn't neccessary. For proving ownership of a commit,
I'd expect a court to accept either:

a. The commit is written by Trevor King, and here's my passport
proving that that's me, and here's a bit of background
differentiating me from other Trevor Kings who may be claiming that
commit.

b. The commit is written by foobar, and here's the signature by
foobar's key, and here's the fooboar-signed copy of that challenge
text you gave me yesterday, proving that I have access to foobar's
secret key and am therefore likely foobar.

I personally prefer (a), but I think (b) is a valid choice for folks
who prefer a pseudonym and expect to only address courts that
recognize pseudonyms.

[rht]

If it were practical today then you would have already seen contribution/review signing in linux kernel / any high stake project DCO (as one of the sufficient conditions of being practical).
(b), (c) are among the real obstacles to contribution/review signing, which has nothing to do with the lack of motivation (neither is this the reason for the state of email+pgp).

When it becomes practical it will enable pseudonymous contributor/reviewer to
verify itself.

For this purpose, I think it's practical now.

I think you are referring to 1. pseudonymous contributor/reviewer for sign-off or commit author field + pgp-signed emails / fake real name, but those are not signed commits, 2. one/few author(s) case where merges are unneeded/manageable, then sure this is practical and has been done for a very long time.

For the second (a) case, so given the choice, you are substituting a permanent pki gov id with a pki + one-off 2nd factor auth. Why?
For the second (b) case, this is what US law http://www.copyright.gov/fls/fl101.html says

In no case should you omit the name of the copyright claimant. You can use a pseudonym for the claimant name. But be aware that if a copyright is held under a fictitious name, business dealings involving the copyrighted property may raise questions about its ownership. Consult an attorney for legal advice on this matter.

So it is up to the lawyers.

[wking]

On Tue, Jun 09, 2015 at 05:04:11AM -0700, rht wrote:

When it becomes practical it will enable pseudonymous
contributor/reviewer to verify itself.

For this purpose, I think it's practical now.

I think you are referring to 1. pseudonymous contributor/reviewer
for sign-off or commit author field + pgp-signed emails / fake real
name, but those are not signed commits, 2. one/few author(s) case
where merges are unneeded/manageable, then sure this is practical
and has been done for a very long time.

No, I meant author-signed commits that are merged without having the
signature blown away (at least most of the time, see 1).

For the second (a) case, so given the choice, you are substituting a
permanent pki gov id with a pki + one-off 2nd factor auth. Why?

Pseudonymous commits signed by a pseudonymous key allow you to
decouple your government ID from the contributions. Folks might want
that for all the usual reasons they choose to use pseudonyms. The PKI
bit just gives you a tool to demonstrate your ownership of the
psuedonym if/when you decide to claim the association.

So it is up to the lawyers.

I'm pretty sure this is going to be true for copyright issues however
you dice it ;). And I'm not a lawyer, and I haven't read any previous
case history 2. But I'd put good odds on a court accepting the
“signed by a pseudonymous key for which I've just demonstrated
secret-key access” argument.

[chriscool]

I am closing this as Closing this as ipfs/community#25 is merged.