Contributor agreement

Martin Pool mbp at canonical.com
Tue Jan 26 17:38:27 GMT 2010


2010/1/26 Stephen J. Turnbull <stephen at xemacs.org>:

> This clause does need to be revisited.

As I said, this is being revisited.

>  > >   * MAJOR ISSUE: This requirement is open to abuse, as anyone could
>  > >     send such an email with my name in it without my knowledge and it
>  > >     is easy to falsify sender's addresses in email as huge amounts of
>  > >     spam can prove.
>  >
>  > As Karl(?) mentioned, if a miscreant forges mail purporting to be from
>  > you, you obviously are not accountable for what they say.
>
> No, but Canonical won't pay my legal fees, court costs, and any
> incidental costs of proving I sent no such mail.  And I personally
> would have great difficulty proving that, since I don't habitually
> sign my email.

I kind of see your point, and yet this is a bit of an odd
proving-nonexistence situation.  This is not so much a bug in the
agreement as a desire that Canonical not believe that email sent by
you is actually from you.

Many people in business accept plain email to do frankly much more
expensive, important or personal transactions than accepting free
software patches.  To a certain pedantic cyberpunky frame of mind this
is very poor and people should not accept these messages, and yet I do
actually want to be able to talk to travel agents and real estate
agents that are not cyberpunks.  (Or be introduced to a cyberpunk
travel agent, if you know one... that would be kind of cool.)

If we accepted signed paper contributions there would be an equally
valid question about whether it was really you that signed.

If someone wants to send me a gpg-signed message with some appropriate
bootstrap saying "never trust non-signed mail from me" I will try to
respect that.

> If Canonical is using my own code to compete with me, it might be very
> difficult to extract damages in such a case (unless the miscreant was
> a Canonical employee).
>
> It's one thing for the FSF, with its shoestring budget, to impose
> almost all costs on the contributor.  It's another for Canonical,
> which proposes to make money one way or another from the contribution,
> to do that.  I suspect many contributors who will put up with the
> former will take quite a dim view of the latter.

It sounds a bit like you're conflating this with the earlier question
of reasonable costs.  Our main concern is with the burden on the
contributor: _I_ am perfectly happy to verify gpg signatures with
trust chains, but this would make it hard on many contributors.  At
any rate if you can think of a better solution I would be happy to
hear it.

-- 
Martin <http://launchpad.net/~mbp/>
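As an added example (not code from this thread, from Martin Pool, or from the bzr project), the two mechanisms mentioned in the message above, a signed "never trust non-signed mail from me" bootstrap and gpg signature verification with a trust-chain requirement, worked through in Python. It parses a PGP/MIME (RFC 3156) mail, hands the signed part and detached signature to `gpg --verify --status-fd`, reads gpg's GOODSIG / VALIDSIG / TRUST_* status lines, and only records a sender's signed-only policy when the bootstrap itself verifies with a trusted key, since an unsigned "bootstrap" could otherwise be forged to lock a contributor out. The addresses, messages and gpg status output are constructed for the example; `status_verifier` replays canned status lines so everything except `gpg_verify` runs without a keyring, and all function names are this example's own.

```python
import email, shutil, subprocess, tempfile
from collections import namedtuple
from email import policy as email_policy
from email.message import EmailMessage

GOOD_TRUST = {"TRUST_FULLY", "TRUST_ULTIMATE"}  # web-of-trust results that count

# fingerprint is set only when a signature actually verified
Verdict = namedtuple("Verdict", "accepted reason sender fingerprint", defaults=(None,))

def parse_gpg_status(status_text):
    """Reduce `gpg --status-fd` output to {good, fingerprint, trust, error}."""
    result = {"good": False, "fingerprint": None, "trust": None, "error": None}
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        keyword = fields[1]
        if keyword == "GOODSIG":
            result["good"] = True
        elif keyword in ("BADSIG", "ERRSIG", "NO_PUBKEY"):
            result["error"] = keyword
        elif keyword == "VALIDSIG":
            result["fingerprint"] = fields[2]  # fingerprint of the signing key
        elif keyword.startswith("TRUST_"):
            result["trust"] = keyword  # "TRUST_FULLY 0 pgp" -> TRUST_FULLY
    return result

def gpg_verify(signed_bytes, signature_bytes):
    """Check a detached signature against the local gpg keyring and ownertrust."""
    gpg = shutil.which("gpg")
    if gpg is None:
        raise RuntimeError("gpg is not installed")
    with tempfile.TemporaryDirectory() as tmp:
        data, sig = tmp + "/data", tmp + "/data.asc"
        open(data, "wb").write(signed_bytes)
        open(sig, "wb").write(signature_bytes)
        proc = subprocess.run([gpg, "--batch", "--status-fd", "1", "--verify", sig, data],
                              capture_output=True, text=True)
    return parse_gpg_status(proc.stdout)

def status_verifier(status_text):
    """Verifier that replays canned gpg status output, so the rest runs offline."""
    return lambda signed_bytes, signature_bytes: parse_gpg_status(status_text)

def signed_parts(msg):
    """(signed bytes, signature bytes) of an RFC 3156 multipart/signed mail, else None."""
    if msg.get_content_type() != "multipart/signed":
        return None
    parts = list(msg.iter_parts())
    if len(parts) != 2 or parts[1].get_content_type() != "application/pgp-signature":
        return None
    # The signature covers the first part exactly as sent, with CRLF line ends.
    return parts[0].as_bytes(policy=email_policy.SMTP), parts[1].get_payload(decode=True)

def evaluate(raw_message, signed_only, verifier=gpg_verify):
    """signed_only: addresses whose owners asked that their unsigned mail be ignored."""
    msg = email.message_from_bytes(raw_message, policy=email_policy.default)
    sender = msg["From"].addresses[0].addr_spec.lower()
    parts = signed_parts(msg)
    if parts is None:
        if sender in signed_only:
            return Verdict(False, "unsigned, but sender requires signatures", sender)
        return Verdict(True, "unsigned; sender has no signed-only policy", sender)
    status = verifier(*parts)
    if not status["good"]:
        return Verdict(False, "signature did not verify: %s" % status["error"], sender)
    if status["trust"] not in GOOD_TRUST:
        return Verdict(False, "good signature but key trust is %s" % status["trust"],
                       sender, status["fingerprint"])
    return Verdict(True, "good signature from trusted key", sender, status["fingerprint"])

def register_bootstrap(raw_message, signed_only, verifier=gpg_verify):
    """Honour a 'never trust unsigned mail from me' request only if the request
    itself verifies; otherwise anyone could forge one and lock the sender out."""
    verdict = evaluate(raw_message, signed_only, verifier)
    if verdict.accepted and verdict.fingerprint is not None:
        signed_only.add(verdict.sender)
    return verdict

# Constructed sample data (not captured from any real keyring or mailbox).
STATUS_TRUSTED = ("[GNUPG:] NEWSIG\n"
                  "[GNUPG:] GOODSIG 1234567890ABCDEF Alice Example <alice@example.org>\n"
                  "[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2010-01-26 "
                  "1264527507 0 4 0 1 8 00 0123456789ABCDEF0123456789ABCDEF01234567\n"
                  "[GNUPG:] TRUST_FULLY 0 pgp\n")
STATUS_UNTRUSTED = STATUS_TRUSTED.replace("TRUST_FULLY", "TRUST_UNDEFINED")
STATUS_BADSIG = "[GNUPG:] NEWSIG\n[GNUPG:] BADSIG 1234567890ABCDEF Alice Example <alice@example.org>\n"

def sample_unsigned_message(sender, body):
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "list@example.org", "[PATCH] sample"
    m.set_content(body)
    return m.as_bytes()

def sample_signed_message(sender, body, signature="placeholder, not a real signature"):
    """PGP/MIME layout per RFC 3156; the verifier, not this string, decides validity."""
    b = "sigboundary1"
    return ("From: %s\r\nTo: list@example.org\r\nSubject: [PATCH] sample\r\nMIME-Version: 1.0\r\n"
            'Content-Type: multipart/signed; micalg=pgp-sha256; '
            'protocol="application/pgp-signature"; boundary="%s"\r\n\r\n'
            "--%s\r\nContent-Type: text/plain; charset=us-ascii\r\n\r\n%s\r\n"
            "--%s\r\nContent-Type: application/pgp-signature\r\n\r\n%s\r\n--%s--\r\n"
            % (sender, b, b, body, b, signature, b)).encode()
```

The trust check is the part that matters for the "hard on many contributors" point: `gpg --verify` reports GOODSIG for any key in the keyring, and it is the separate TRUST_* line (driven by the verifier's ownertrust and signatures on the key) that says whether anyone vouches for that key. Accepting GOODSIG alone would accept a freshly generated key with the contributor's name on it, which is exactly the forgery being discussed.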



More information about the bazaar mailing list