Zoë Slattery, IBM

Tim Ellison <[EMAIL PROTECTED]> wrote on 15/11/2005 11:53:44:
> Geir Magnusson Jr. wrote:
> > I'm sorry, but I don't understand the issue here. I'm proposing that
> >
> > a) We suggest to people that are about to contribute to us to do some
> > careful inspection before they do that. The assumption here is that
> > people are well-meaning but sometimes make mistakes or are lazy, and
> > we want them to think before they contribute. A keyword scanner (which
> > is a glorified "grep") is a great way to find things that you weren't
> > aware were there, such as who the authors were (if there are author tags),
> > what copyright claims are listed in the files, etc. There's nothing
> > inherently evil about it. It doesn't matter what SCO or anyone else
> > did with a keyword scanner - we're trying to have it used to protect
> > ourselves and, just as importantly, other copyright holders like Sun.
>
> The keyword scan would be another tool in the Harmony IP-cleanliness
> toolkit, alongside the Contributor Questionnaire and Bulk Contribution
> Policy. I'd like to see such a tool used not only on incoming bulk
> contributions but also used regularly on the day-to-day developed code
> base in svn.

I like the idea of Apache owning the IP scanning tools. It's easy to write keyword scanners (not much more complicated than grep). I have a few lines of perl that do basic keyword scanning - I'd be happy to put these in JIRA if it would be useful.

> Such tools and processes will never be perfect, and can only provide
> assistance with limited aspects (copyright/trademark) of the
> IP-cleanliness goal; however, it does set the tone for the project --
> that we care about such things for the Harmony code, and that we respect
> the IP rights of code outside Harmony to not be misappropriated into
> Harmony.
>
> That said, I agree with Leo that naming BlackDuck as the provider of
> such cleanliness checks limits the Bulk Contribution Policy in a manner
> that is unnecessary.
> The PPMC should be in a position to decide
> whether the actual checks performed by a contributor are sufficient or
> whether they think further checks are required.
>
> > b) We use a tool internally to check code for which the contributor
> > can't provide our ASQ for each author. Ok, the tool isn't open source,
> > but I don't know of any options, and we need something like this
> > *now*. I'd love to see us create a toolsuite like this (because one of
> > my goals is to work out a process that we can share with the rest of
> > the ASF....), but we don't have the luxury of time to do it.
>
> I have no experience of using BlackDuck, and no reason to believe they
> are anything other than a fine bunch of people. IMHO we will be more
> successful by informing people of the risks and adopting good working
> practices rather than looking for the biggest stick to hit offenders (I
> know that you are not advocating that approach!).
>
> So my constructive suggestion is to keep the extra questions in the
> questionnaire, but remove the single sentence:
> "For example, the contribution may be compared against known
> proprietary implementations of similar technology using a
> service such as that offered by Black Duck or XXXXXXXXXX."
>
> maybe replacing it with a reference to current best practice.
>
>
> Regards,
> Tim
>
>
> --
>
> Tim Ellison ([EMAIL PROTECTED])
> IBM Java technology centre, UK.
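For readers who want to see what the "glorified grep" discussed in this thread looks like in practice, the following is an added example written for this page. It is not Zoë's perl script and not any Apache Harmony tool. It scans source files for author tags, copyright claims, license wording and restricted-use markers, and flags for human review any copyright line that does not name an expected holder. The rule set, the allow-list of expected holders (only the ASF here) and the two sample files are constructed assumptions for illustration.

```python
"""Minimal keyword scanner for IP-cleanliness review of incoming source.

Added example for this page; not the perl script mentioned in the thread
and not an Apache Harmony tool. Rules, allow-list and sample files are
constructed for illustration.
"""
from __future__ import annotations

import re
import sys
from pathlib import Path
from typing import Iterable, NamedTuple

# Each rule is (category, regex). Case-insensitive so "COPYRIGHT",
# "Copyright" and "copyright" all match. First matching rule wins per line.
RULES = [
    ("author", re.compile(r"@author\b.*|\bAuthor:\s*\S.*", re.I)),
    ("copyright", re.compile(r"\bcopyright\b.*|\(c\)\s*\d{4}.*|©.*", re.I)),
    ("license", re.compile(r"\blicen[cs]ed?\b.*|\ball rights reserved\b.*", re.I)),
    ("restricted", re.compile(
        r"\b(proprietary|confidential|trade secret|do not distribute)\b.*", re.I)),
]

# Copyright holders the project expects to see (constructed allow-list);
# a copyright line naming anyone else is worth a second look.
EXPECTED_HOLDERS = ("apache software foundation",)


class Finding(NamedTuple):
    path: str
    line: int
    category: str
    text: str
    needs_review: bool


def scan_lines(path: str, lines: Iterable[str]) -> list[Finding]:
    """Apply RULES to each line; return one Finding per matching line."""
    findings: list[Finding] = []
    for n, raw in enumerate(lines, start=1):
        line = raw.rstrip("\n")
        for category, rx in RULES:
            m = rx.search(line)
            if not m:
                continue
            text = m.group(0).strip()
            # Restricted-use markers always need review; copyright lines
            # need review unless they name an expected holder.
            review = category == "restricted" or (
                category == "copyright"
                and not any(h in text.lower() for h in EXPECTED_HOLDERS)
            )
            findings.append(Finding(path, n, category, text, review))
            break
    return findings


def scan_tree(root: Path, suffixes=(".java", ".c", ".h", ".py", ".pl", ".txt")) -> list[Finding]:
    """Scan every file under root whose suffix is in `suffixes`."""
    findings: list[Finding] = []
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix in suffixes:
            with p.open(encoding="utf-8", errors="replace") as fh:
                findings.extend(scan_lines(str(p), fh))
    return findings


def summarize(findings: Iterable[Finding]) -> dict[str, int]:
    """Count findings per category, e.g. {'copyright': 1, 'author': 1}."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts


# Constructed sample: two files as they might arrive in a bulk contribution.
SAMPLE_FILES = {
    "src/Foo.java": [
        "/*",
        " * Licensed to the Apache Software Foundation (ASF) under one",
        " * or more contributor license agreements.",
        " */",
        "package org.example;",
        "/** @author jsmith */",
        "public class Foo {}",
    ],
    "src/Bar.java": [
        "// Copyright (c) 2003 Example Corp. All rights reserved.",
        "// CONFIDENTIAL - internal use only",
        "package org.example;",
        "public class Bar {}",
    ],
}


def scan_sample() -> list[Finding]:
    """Run the scanner over SAMPLE_FILES in path order (offline demo)."""
    findings: list[Finding] = []
    for path in sorted(SAMPLE_FILES):
        findings.extend(scan_lines(path, SAMPLE_FILES[path]))
    return findings


if __name__ == "__main__":
    # Usage: python scanner.py [DIRECTORY]; with no argument the sample is scanned.
    results = scan_tree(Path(sys.argv[1])) if len(sys.argv) > 1 else scan_sample()
    for f in results:
        flag = "REVIEW" if f.needs_review else "ok    "
        print(f"{flag} {f.path}:{f.line} [{f.category}] {f.text}")
    print("summary:", summarize(results))
```

Run against the constructed sample, Bar.java's third-party copyright line and its CONFIDENTIAL marker come out flagged for review, while Foo.java's ASF license header and @author tag are reported but not flagged. As Tim notes in the thread, this catches only what is literally written in the files; it says nothing about code whose origin is not declared.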