On Tue, Oct 16, 2007 at 03:13:54PM -0700, Garrett D'Amore wrote:

> No it won't. But that doesn't mean that by not doing this we aren't
> creating a huge gaping hole that can ultimately cause massive implosion
> when some GPL or MS or SCO code gets introduced in a weird way because
> no one was looking.
>
> Developers make mistakes. There needs to be a second set of eyes on this
> for any code which isn't CDDL, and which the contributor didn't create
> himself. Some of them might be simple checkboxes (e.g. exclusively BSD

Which is why the RTI questionnaire specifically asks about code not written by the submitter. It's not a mistake to say you wrote the code if you didn't; it's lying (and maybe perjury, and certainly copyright infringement). So where's the beef? If you wrote it all yourself, check that box and there's no problem. If you didn't, some sort of further review is required. All of this I agree with, and I believe it addresses your concerns. What I disagree with is having that review performed by Sun behind closed doors. As I note below, we could replace "Sun OSR" with "OSR delegated to Sun", and I think we should. But plugging in our own thing there seems out of reach at the moment. And, of course, it makes no difference anyway.

> thoroughly. (E.g. Atheros WIFI, which is *binary* redistributable, but
> not modifiable due to FCC regulations.)

It's not our responsibility to ensure that end users of equipment are complying with FCC regulations (which only apply in one jurisdiction anyway), nor is modifying the firmware the only way they could violate them. This argument has never been anything but a red herring from wifi chipset vendors looking to protect themselves from patent infringement lawsuits by keeping their code closed.

> This is a problem that I think OGB *has* to address. Putting its
> collective head in the sand won't make it go away. Right now the only
> reason it isn't an issue is because we can leverage Sun's OSR. Without
> OSR, we're seriously exposed!

Who's "we"? When *you* distribute the code, you are basing your willingness to do so on a good faith expectation that you hold licenses permitting you to do so.
If you have specific reason to think that you don't actually have valid licenses, or you believe the risks of asserting those rights outweigh the benefits, don't distribute the code. Neither the OGB nor Sun can make that choice for you, and relying on Sun's legal interpretations (based on its own interests and conducted by its own lawyers without your involvement) does not absolve you of one iota of liability if you distribute the code without a license permitting you to do so.

Note that section 3.4 of the CDDL (other licenses may or may not have similar terms) allows someone distributing the code *to you* to indemnify you, but does not require them to do so. If you believe yourself indemnified by the party from which you received the code, you may consider that when you evaluate the risks and benefits of redistribution. But, again, it's your choice, your liability. Nothing we can do changes that.

> It's something we need to have a plan for, which is why I called it out.

I'd love to plan for it. In fact, I'd love to take all of this and spend the next year forming a foundation to manage this stuff, running it openly, and making it into something genuinely independent and useful. Unfortunately, I don't have time to do that, and as James pointed out, there are about 30,000 more serious problems that directly harm our ability to get work done. And as part of fixing those, we'll be clarifying all the things that Sun does *NOT* control and does *NOT* have the right to dictate to us.

One correct outcome here could be that we allow (but do not require) C-teams to voluntarily ask any qualified individual (who may or may not work for Sun) to review certain things; if we later decide that a different policy makes sense, Sun's lawyer volunteering his or her time is replaced by something more open that better protects the broader community's interests. But going off and forming a legal committee to protect ??? from the risk of ??? associated with ??? doesn't really make any sense to me.

And, really, this has been done to death. How about evaluating a DTS for the Tools Group instead?

-- 
Keith M Wesolowski    "Sir, we're surrounded!"
FishWorks             "Excellent; we can attack in any direction!"
