James Carlson wrote:
> Garrett D'Amore writes:
>
>> It seems that we (OpenSolaris) need to have some kind of legal oversight
>> committee or somesuch.
>
> We've discussed that issue before, and I suspect it's a lot more
> involved than anyone wants to bite off right now, and the benefits are
> much less clear than they should be.
>
> To do that, we would need to have a distinct budget and a distinct
> legal entity. That may be doable, but I doubt that it's the biggest
> issue we have to solve right now, and the same people who'd be working
> on that are the ones now working on web site and tool upgrades.
>
> It wouldn't come for free.

No it won't. But that doesn't mean that by not doing this we aren't creating a huge gaping hole that can ultimately cause massive implosion when some GPL or MS or SCO code gets introduced in a weird way because no one was looking.

Developers make mistakes. There needs to be a second set of eyes on this for any code which isn't CDDL, and which the contributor didn't create himself. Some of them might be simple checkboxes (e.g. exclusively BSD or MIT/X licensed), while others need to get someone to review it more thoroughly. (E.g. Atheros WIFI, which is *binary* redistributable, but not modifiable due to FCC regulations.)

This is a problem that I think OGB *has* to address. Putting its collective head in the sand won't make it go away. Right now the only reason it isn't an issue is because we can leverage Sun's OSR. Without OSR, we're seriously exposed!

>> It also comes, as I discussed, because of a hole that will be created
>> when we open up the source tree to putbacks from outside of Sun (and
>> therefore don't require Sun's Open Source Review.)
>
> They'll still require Sun's contributor agreement, which is apart from
> OSR.

Actually, there are several imports which come from source code that doesn't carry a SCA. SCA by itself guarantees nothing, unless the code also carries a CDDL. (For example, look at the afe ethernet driver, which carries a BSD license.) We will want to incorporate other sources (JDS, Perl, Atheros WIFI, etc.) many of which won't carry a CDDL.

>> To be more clear, someone needs to make sure that the code being
>> committed into OpenSolaris has licenses that are compatible with the
>> project, and which do not create undue restrictions. And also, for
>> example, checking that LGPL libraries or programs don't call GPL
>> libraries, etc.
>
> That's what the contributor agreement does. The "new foundation"
> would need to do the same, but likely starting from scratch.

See again the problem here. Not all code is SCA/CDDL (and you need *both* SCA and CDDL.) In fact, CDDL by itself is *probably* okay without SCA, but SCA by itself is meaningless.

> I agree it's attractive to consider this, but my inclination is to say
> that we ought to stick with the existing agreement (even if some may
> not like the idea of relying on Sun's good intentions), and avoid the
> complexity that launching a new entity would involve.
>
> That can come later, when most of the rest of it has been repaired --
> like the closed C-teams, the missing source commit rights, and the
> lack of external bug tracking.
>
> Of course, if someone thinks the legal part is "easy," he can have at
> it today. Take a copy of the code, create new communities, and give
> it a go.

It's something we need to have a plan for, which is why I called it out.

-- Garrett
