Keith M Wesolowski wrote:
> On Tue, Oct 16, 2007 at 03:13:54PM -0700, Garrett D'Amore wrote:
>
>> No it won't. But that doesn't mean that by not doing this we aren't
>> creating a huge gaping hole that can ultimately cause massive implosion
>> when some GPL or MS or SCO code gets introduced in a weird way because
>> no one was looking.
>
>> Developers make mistakes. There needs to be a second set of eyes on this
>> for any code which isn't CDDL, and which the contributor didn't create
>> himself. Some of them might be simple checkboxes (e.g. exclusively BSD
>
> Which is why the RTI questionnaire specifically asks about code not
> written by the submitter. It's not a mistake to say you wrote the
> code if you didn't; it's lying (and maybe perjury, and certainly
> copyright infringement). So where's the beef? If you wrote it all
> yourself, check that box and there's no problem. If you didn't, some
> sort of further review is required. All of this I agree with, and I
> believe it addresses your concerns.

Yes, and it's that "further" review that I'm concerned about. Right now we don't delegate that to the developer, or even the RTI advocate. (The RTI demands an OSR# number accompany a bit of code that is not CDDL'd other than that there is a special case for unencumbering code that is Sun's IP. But we needn't worry about *that* bit, it's a Sun internal review. So, once a user ticks the checkbox indicating he is importing code from a 3rd source (say NetBSD), then what? Who double checks it?

> What I disagree with is having that review performed by Sun behind
> closed doors. As I note below, we could replace "Sun OSR" with "OSR
> delegated to Sun", and I think we should. But plugging in our own
> thing there seems out of reach at the moment. And, of course, it
> makes no difference anyway.

I agree. As long as someone realizes that we still need that, and Sun agrees to be the delegate for that. (Note that a Sun delegated review is really only 100% meaningful for Sun... apparently legal advice from lawyers is not binding to clients that didn't pay for it. But it's still helpful to us, because, largely, Sun's interests and ours for the most part are closely aligned, at least in this matter.

>> thoroughly. (E.g. Atheros WIFI, which is *binary* redistributable, but
>> not modifiable due to FCC regulations.)
>
> It's not our responsibility to ensure that end users of equipment are
> complying with FCC regulations (which only apply in one jurisdiction
> anyway), nor is modifying the firmware the only way they could violate
> them. This argument has never been anything but a red herring from
> wifi chipset vendors looking to protect themselves from patent
> infringement lawsuits by keeping their code closed.

Doesn't matter. We need Atheros support, we won't get it except with that license. Believing otherwise is sticking your head in the sand. I hope we're not in the business of ostrich farming here.

>> This is a problem that I think OGB *has* to address. Putting its
>> collective head in the sand won't make it go away. Right now the only
>> reason it isn't an issue is because we can leverage Sun's OSR. Without
>> OSR, we're seriously exposed!
>
> Who's "we"? When *you* distribute the code, you are basing your
> willingness to do so on a good faith expectation that you hold
> licenses permitting you to do so.

We is the community who uses distributions, or creates distributions, on the basis of what we believe those licenses to be. Unless you're proposing distro builders check each file themselves, it is in the community's best interest to make sure that everything is as we (collectively) believe it to be.

> If you have specific reason to
> think that you don't actually have valid licenses, or you believe the
> risks of asserting those rights outweigh the benefits, don't
> distribute the code. Neither the OGB nor Sun can make that choice for
> you, and relying on Sun's legal interpretations (based on its own
> interests and conducted by its own lawyers without your involvement)
> does not absolve you of one iota of liability if you distribute the
> code without a license permitting you to do so. Note that section 3.4
> of the CDDL (other licenses may or may not have similar terms) allows
> someone distributing the code *to you* to indemnify you, but does not
> require them to do so. If you believe yourself indemnified by the
> party from which you received the code, you may consider that when you
> evaluate the risks and benefits of redistribution. But, again, it's
> your choice, your liability. Nothing we can do changes that.

So, who owns/distributes the code that is OpenSolaris (not the binaries, but the actual *source code*)? Is Hg access or HTTP access considered distribution?? I think so. So the *community* is at risk as well.

Anyway, I'm not trying to be all gloom-and-doom. Only to point out that if/when the community has direct access to the source repository, then this part of the RTI process needs to have something like a moral equivalent, unless we want to put our collective foot down and refuse to allow any contributions that are not covered under a CDDL. I'm not sure that's such a hot idea either, though.

-- Garrett
