-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Hi,
As it seems FAS (Fedora Account Ssytem) has been chosen as the central authentication system for CentOS.org infra, I'm now trying to find documentation around it .. One thing that I see is the CLA (default in Fedora, that each user must sign and agree with) so that means that for FAS we also need to have one.
Has someone already looked at it and so what would be the CentOS CLA that we'll use when people will register/sign for a FAS account on centos.org ?
- --
Fabian Arrotin The CentOS Project | http://www.centos.org gpg key: 56BEC54E | twitter: @arrfab
On Mon, Jun 29, 2015 at 11:30:58AM +0200, Fabian Arrotin wrote:
As it seems FAS (Fedora Account Ssytem) has been chosen as the central authentication system for CentOS.org infra, I'm now trying to find documentation around it .. One thing that I see is the CLA (default in Fedora, that each user must sign and agree with) so that means that for FAS we also need to have one.
Note that the Fedora Contributor License Agreement ("CLA") is obsolete and replaced by the "Fedora Project Contributor Agreement" ("FPCA") in 2011 - although we do still use the string "cla" in places for historical reasons.
The FPCA is *not* a copyright assignment. It's basically just a promise that all contributions are acceptably licensed.
On 06/29/2015 07:49 AM, Matthew Miller wrote:
On Mon, Jun 29, 2015 at 11:30:58AM +0200, Fabian Arrotin wrote:
As it seems FAS (Fedora Account Ssytem) has been chosen as the central authentication system for CentOS.org infra, I'm now trying to find documentation around it .. One thing that I see is the CLA (default in Fedora, that each user must sign and agree with) so that means that for FAS we also need to have one.
Note that the Fedora Contributor License Agreement ("CLA") is obsolete and replaced by the "Fedora Project Contributor Agreement" ("FPCA") in 2011 - although we do still use the string "cla" in places for historical reasons.
The FPCA is *not* a copyright assignment. It's basically just a promise that all contributions are acceptably licensed.
Apart from the legalese... We can probably use the majority of the FPCA https://fedoraproject.org/wiki/Legal:Fedora_Project_Contributor_Agreement#FP... for our purposes.
It's a bit too restrictive in some areas, but we can make some adjustments as needed.
On 06/29/2015 06:44 PM, Jim Perrin wrote:
On 06/29/2015 07:49 AM, Matthew Miller wrote:
On Mon, Jun 29, 2015 at 11:30:58AM +0200, Fabian Arrotin wrote:
As it seems FAS (Fedora Account Ssytem) has been chosen as the central authentication system for CentOS.org infra, I'm now trying to find documentation around it .. One thing that I see is the CLA (default in Fedora, that each user must sign and agree with) so that means that for FAS we also need to have one.
Note that the Fedora Contributor License Agreement ("CLA") is obsolete and replaced by the "Fedora Project Contributor Agreement" ("FPCA") in 2011 - although we do still use the string "cla" in places for historical reasons.
The FPCA is *not* a copyright assignment. It's basically just a promise that all contributions are acceptably licensed.
Apart from the legalese... We can probably use the majority of the FPCA https://fedoraproject.org/wiki/Legal:Fedora_Project_Contributor_Agreement#FP... for our purposes.
It's a bit too restrictive in some areas, but we can make some adjustments as needed.
+1. Tweaking FPCA for CentOS should just work fine for the project/community.
-Lala
On Mon, Jun 29, 2015 at 08:14:09AM -0500, Jim Perrin wrote:
It's a bit too restrictive in some areas, but we can make some adjustments as needed.
I'm curious which areas you find too restrictive. The list of acceptable open source / free software licenses? Or, you need to be able to accept unlicensed contributions? (Note that the list includes a number of very unrestrictive licenses, including CC0 and WTFPL (or NLPL if you prefer.)
While not _necessary_, it'd be nice to have basically unified policies here — maybe even to the point where one agreement might cover both CentOS and Fedora contributions.
2015-06-29 16:33 GMT+02:00 Matthew Miller mattdm@mattdm.org:
On Mon, Jun 29, 2015 at 08:14:09AM -0500, Jim Perrin wrote:
It's a bit too restrictive in some areas, but we can make some adjustments as needed.
I'm curious which areas you find too restrictive. The list of acceptable open source / free software licenses? Or, you need to be able to accept unlicensed contributions? (Note that the list includes a number of very unrestrictive licenses, including CC0 and WTFPL (or NLPL if you prefer.)
While not _necessary_, it'd be nice to have basically unified policies here — maybe even to the point where one agreement might cover both CentOS and Fedora contributions.
+2 This would lower the barrier entry between the two projects for contributors. FPCA is very liberal and should not conflict with CentOS goals which are indeed different from Fedora.
Regards, H.
-- Matthew Miller mattdm@fedoraproject.org Fedora Project Leader _______________________________________________ CentOS-devel mailing list CentOS-devel@centos.org http://lists.centos.org/mailman/listinfo/centos-devel
On 29/06/15 16:02, Haïkel wrote:
2015-06-29 16:33 GMT+02:00 Matthew Miller mattdm@mattdm.org:
On Mon, Jun 29, 2015 at 08:14:09AM -0500, Jim Perrin wrote:
It's a bit too restrictive in some areas, but we can make some adjustments as needed.
I'm curious which areas you find too restrictive. The list of acceptable open source / free software licenses? Or, you need to be able to accept unlicensed contributions? (Note that the list includes a number of very unrestrictive licenses, including CC0 and WTFPL (or NLPL if you prefer.)
While not _necessary_, it'd be nice to have basically unified policies here — maybe even to the point where one agreement might cover both CentOS and Fedora contributions.
+2 This would lower the barrier entry between the two projects for contributors. FPCA is very liberal and should not conflict with CentOS goals which are indeed different from Fedora.
that would indeed be an interesting place. Our focus is purely on the legal aspect of things, and the ability to redistribute. We dont mind too much w.r.t licenses, or even open completely ( in that we welcome binary blobs and/or pre-done partial builds as are common placed in the java world. )
So, what would be a good place to start from ?
For now though, lets just use the turned-off CLA part for the Fas bringup.
On 06/29/2015 09:33 AM, Matthew Miller wrote:
On Mon, Jun 29, 2015 at 08:14:09AM -0500, Jim Perrin wrote:
It's a bit too restrictive in some areas, but we can make some adjustments as needed.
I'm curious which areas you find too restrictive. The list of acceptable open source / free software licenses? Or, you need to be able to accept unlicensed contributions? (Note that the list includes a number of very unrestrictive licenses, including CC0 and WTFPL (or NLPL if you prefer.)
A bit of both. We may need some unlicensed contributions so something like "if you submit code you wrote without a license, the default distro license of GPLv2 applies" or something.
The other bit that may come up is the need to distribute non-free (but legal) code. For example a hardware vendor supplies a binary blob for an aarch64 network card, or a SIG decides to include the nvidia binary etc. So long as they can be legally distributed without cost, it should be possible.
While not _necessary_, it'd be nice to have basically unified policies here — maybe even to the point where one agreement might cover both CentOS and Fedora contributions.
Agreed, or at least the ability to use them in layers. I could see a time in the future where federated auth between CentOS and Fedora would be beneficial.
On Mon, Jun 29, 2015 at 10:53:31AM -0500, Jim Perrin wrote:
I'm curious which areas you find too restrictive. The list of acceptable open source / free software licenses? Or, you need to be able to accept unlicensed contributions? (Note that the list includes a number of very unrestrictive licenses, including CC0 and WTFPL (or NLPL if you prefer.)
A bit of both. We may need some unlicensed contributions so something like "if you submit code you wrote without a license, the default distro license of GPLv2 applies" or something.
Right, that "something" is almost all of what the FPCA does — except MIT instead of GPL.
I am kind of getting the sense that people who are opposed to the FPCA haven't actually looked at it. :-/
The other bit that may come up is the need to distribute non-free (but legal) code. For example a hardware vendor supplies a binary blob for an aarch64 network card, or a SIG decides to include the nvidia binary etc. So long as they can be legally distributed without cost, it should be possible.
Under section 1 of the FPCA, as long as there is some authorization from the copyright holder, this would be okay. (Our list of approved open source / free software licenses is explicitly given as one form of authorization, but not necessarily the only one.)
On 06/29/2015 11:03 AM, Matthew Miller wrote:
On Mon, Jun 29, 2015 at 10:53:31AM -0500, Jim Perrin wrote:
I'm curious which areas you find too restrictive. The list of acceptable open source / free software licenses? Or, you need to be able to accept unlicensed contributions? (Note that the list includes a number of very unrestrictive licenses, including CC0 and WTFPL (or NLPL if you prefer.)
A bit of both. We may need some unlicensed contributions so something like "if you submit code you wrote without a license, the default distro license of GPLv2 applies" or something.
Right, that "something" is almost all of what the FPCA does — except MIT instead of GPL.
I am kind of getting the sense that people who are opposed to the FPCA haven't actually looked at it. :-/
It *is* a somewhat imposing 'wall-o-text' in legalese, and the FAQs on the wiki page call out the conversion from the old agreement to the new one, not necessarily common scenarios for acceptable code. (I'm looking at https://fedoraproject.org/wiki/Legal:Fedora_Project_Contributor_Agreement, is there a *better* version to read? )
The other bit that may come up is the need to distribute non-free (but legal) code. For example a hardware vendor supplies a binary blob for an aarch64 network card, or a SIG decides to include the nvidia binary etc. So long as they can be legally distributed without cost, it should be possible.
Under section 1 of the FPCA, as long as there is some authorization from the copyright holder, this would be okay. (Our list of approved open source / free software licenses is explicitly given as one form of authorization, but not necessarily the only one.)
In theory, yes however from an outsider's perspective this is rarely if ever used. The nvidia drivers being the primary example of something users would rejoice over.
On Mon, Jun 29, 2015 at 11:31:13AM -0500, Jim Perrin wrote:
It *is* a somewhat imposing 'wall-o-text' in legalese, and the FAQs on the wiki page call out the conversion from the old agreement to the new one, not necessarily common scenarios for acceptable code. (I'm looking at https://fedoraproject.org/wiki/Legal:Fedora_Project_Contributor_Agreement, is there a *better* version to read? )
I've drafted a reformatting of the FAQ https://fedoraproject.org/wiki/Legal_talk:Fedora_Project_Contributor_Agreement and I'll see if Legal will accept that. Hopefully that'll help a bit.
Under section 1 of the FPCA, as long as there is some authorization from the copyright holder, this would be okay. (Our list of approved open source / free software licenses is explicitly given as one form of authorization, but not necessarily the only one.)
In theory, yes however from an outsider's perspective this is rarely if ever used. The nvidia drivers being the primary example of something users would rejoice over.
Yeah, it's just out of scope -- my point is only that it's not the FPCA that constrains this.
On Mon, Jun 29, 2015 at 11:31:13AM -0500, Jim Perrin wrote:
It *is* a somewhat imposing 'wall-o-text' in legalese, and the FAQs on the wiki page call out the conversion from the old agreement to the new one, not necessarily common scenarios for acceptable code. (I'm looking at https://fedoraproject.org/wiki/Legal:Fedora_Project_Contributor_Agreement, is there a *better* version to read? )
FWIW, we've rearranged the FAQ to make this less scary. Reload the page, or jump right down to https://fedoraproject.org/wiki/Legal:Fedora_Project_Contributor_Agreement#FAQ
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On 06/29/2015 09:03 AM, Matthew Miller wrote:
On Mon, Jun 29, 2015 at 10:53:31AM -0500, Jim Perrin wrote:
I'm curious which areas you find too restrictive. The list of acceptable open source / free software licenses? Or, you need to be able to accept unlicensed contributions? (Note that the list includes a number of very unrestrictive licenses, including CC0 and WTFPL (or NLPL if you prefer.)
A bit of both. We may need some unlicensed contributions so something like "if you submit code you wrote without a license, the default distro license of GPLv2 applies" or something.
Right, that "something" is almost all of what the FPCA does — except MIT instead of GPL.
I am kind of getting the sense that people who are opposed to the FPCA haven't actually looked at it. :-/
There are two things here.
First, the flag being *_cla continues to create an impression that there is a CLA in Fedora; note that in fact the Subject: of this thread is really a misnomer. I think it makes for a prejudiced reading.
Second, the only problem I've ever had with the FPCA is that it is written as a legal document, so causes people's eyes to glaze over.
I've got an alternative to consider, which is a bit easier to read and accomplishes the same thing. I wrote it with Richard Fontana, who was lead author and legal counsel on the FPCA.
http://www.theopensourceway.org/wiki/Contribution_policy
This policy is specifically written so that it can be reused -- it's released under the CC BY SA.
To make the goal clear for all -- if you have contributors to a project, it is a great boon to have a clear contribution policy.
These contributor agreements focus on what Richard terms "Inbound == Outbound" -- incoming contributions are licensed under the terms of the overall project contributed to. If there is no associated license or coverage, the agreement provides a default one for code and software.
It doesn't need to be a complicated policy (read the above, IMO it accomplishes what the FPCA does in fewer words.)
This project is now handling contributors more than before (x5 or more when you add the SIGs and other activity to the pre-existing Core, QA, Infra, etc. groups.) It makes sense to have an agreement in place for inbound contributions.
- - Karsten
The other bit that may come up is the need to distribute non-free (but legal) code. For example a hardware vendor supplies a binary blob for an aarch64 network card, or a SIG decides to include the nvidia binary etc. So long as they can be legally distributed without cost, it should be possible.
Under section 1 of the FPCA, as long as there is some authorization from the copyright holder, this would be okay. (Our list of approved open source / free software licenses is explicitly given as one form of authorization, but not necessarily the only one.)
- -- Karsten 'quaid' Wade .^\ CentOS Doer of Stuff http://TheOpenSourceWay.org \ http://community.redhat.com @quaid (identi.ca/twitter/IRC) \v' gpg: AD0E0C41
On 29 June 2015 at 11:09, Karsten Wade kwade@redhat.com wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Second, the only problem I've ever had with the FPCA is that it is written as a legal document, so causes people's eyes to glaze over.
I've got an alternative to consider, which is a bit easier to read and accomplishes the same thing. I wrote it with Richard Fontana, who was lead author and legal counsel on the FPCA.
http://www.theopensourceway.org/wiki/Contribution_policy
This policy is specifically written so that it can be reused -- it's released under the CC BY SA.
To make the goal clear for all -- if you have contributors to a project, it is a great boon to have a clear contribution policy.
These contributor agreements focus on what Richard terms "Inbound == Outbound" -- incoming contributions are licensed under the terms of the overall project contributed to. If there is no associated license or coverage, the agreement provides a default one for code and software.
It doesn't need to be a complicated policy (read the above, IMO it accomplishes what the FPCA does in fewer words.)
OK this was brought up in Fedoraland before and I remember Richard saying that the reason for the difference depended on what type of contributions and what they may need to do later on for the parties involved. However, I think it would be better to get Richard to directly comment than rely on my bad memory or my inability to parrot legal theory.
This project is now handling contributors more than before (x5 or more when you add the SIGs and other activity to the pre-existing Core, QA, Infra, etc. groups.) It makes sense to have an agreement in place for inbound contributions.
Especially in the wonderful world of mixed up copyright laws.
On Mon, Jun 29, 2015 at 10:09:12AM -0700, Karsten Wade wrote:
First, the flag being *_cla continues to create an impression that there is a CLA in Fedora; note that in fact the Subject: of this thread is really a misnomer. I think it makes for a prejudiced reading.
https://fedorahosted.org/fedora-infrastructure/ticket/4806
Second, the only problem I've ever had with the FPCA is that it is written as a legal document, so causes people's eyes to glaze over. I've got an alternative to consider, which is a bit easier to read and accomplishes the same thing. I wrote it with Richard Fontana, who was lead author and legal counsel on the FPCA.
If Richard is interested in going through this again with Fedora, I won't say no. :)
It doesn't need to be a complicated policy (read the above, IMO it accomplishes what the FPCA does in fewer words.)
Honestly, I think that once one gets through the gigantic "Terms" section Fedora has, and over the monospace formatting, it's really no more or less complicated. But whatever. :)
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On 06/29/2015 11:54 AM, Matthew Miller wrote:
On Mon, Jun 29, 2015 at 10:09:12AM -0700, Karsten Wade wrote:
First, the flag being *_cla continues to create an impression that there is a CLA in Fedora; note that in fact the Subject: of this thread is really a misnomer. I think it makes for a prejudiced reading.
https://fedorahosted.org/fedora-infrastructure/ticket/4806
Second, the only problem I've ever had with the FPCA is that it is written as a legal document, so causes people's eyes to glaze over. I've got an alternative to consider, which is a bit easier to read and accomplishes the same thing. I wrote it with Richard Fontana, who was lead author and legal counsel on the FPCA.
If Richard is interested in going through this again with Fedora, I won't say no. :)
Sounds like something the Board should look at.
With the precedence of inbound == outbound we may have all we need right there.
It doesn't need to be a complicated policy (read the above, IMO it accomplishes what the FPCA does in fewer words.)
Honestly, I think that once one gets through the gigantic "Terms" section Fedora has, and over the monospace formatting, it's really no more or less complicated. But whatever. :)
Actually you are right, the core of it is all similar (theopensourceway.org one came later iirc), without the "Terms" section that I think strikes the fear in hearts of many. And glaze ...
- - Karsten - -- Karsten 'quaid' Wade .^\ CentOS Doer of Stuff http://TheOpenSourceWay.org \ http://community.redhat.com @quaid (identi.ca/twitter/IRC) \v' gpg: AD0E0C41
On Mon, Jun 29, 2015 at 10:53:31AM -0500, Jim Perrin wrote:
On 06/29/2015 09:33 AM, Matthew Miller wrote:
On Mon, Jun 29, 2015 at 08:14:09AM -0500, Jim Perrin wrote:
It's a bit too restrictive in some areas, but we can make some adjustments as needed.
I'm curious which areas you find too restrictive. The list of acceptable open source / free software licenses? Or, you need to be able to accept unlicensed contributions? (Note that the list includes a number of very unrestrictive licenses, including CC0 and WTFPL (or NLPL if you prefer.)
A bit of both. We may need some unlicensed contributions so something like "if you submit code you wrote without a license, the default distro license of GPLv2 applies" or something.
Not specifying a license means it's proprietary and if you were to use 'public domain', it cannot be used in some countries such as France.
All what the FPCA does is saying: if you do not put a license on your work yourself, the MIT license will apply to it.
Pierre
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On Jun 29 11:30, Fabian Arrotin wrote:
Hi,
As it seems FAS (Fedora Account Ssytem) has been chosen as the central authentication system for CentOS.org infra, I'm now trying to find documentation around it .. One thing that I see is the CLA (default in Fedora, that each user must sign and agree with) so that means that for FAS we also need to have one.
Has someone already looked at it and so what would be the CentOS CLA that we'll use when people will register/sign for a FAS account on centos.org ?
--
Fabian Arrotin The CentOS Project | http://www.centos.org gpg key: 56BEC54E | twitter: @arrfab
The FPCA/CLA bits have been patched out in the version of FAS I built in the CBS. It's not a final solution, but this will get us started with the minimum bits we need to get up and running.
- --Brian
On 29/06/15 10:30, Fabian Arrotin wrote:
Hi,
As it seems FAS (Fedora Account Ssytem) has been chosen as the central authentication system for CentOS.org infra, I'm now trying to find documentation around it .. One thing that I see is the CLA (default in Fedora, that each user must sign and agree with) so that means that for FAS we also need to have one.
Has someone already looked at it and so what would be the CentOS CLA that we'll use when people will register/sign for a FAS account on centos.org ?
Lets change it to 'I will do no evil, I will break no laws, I will play in a community friendly manner'. Perhaps better worded, we dont need anything more than that.
Regards,
On Mon, Jun 29, 2015 at 04:00:31PM +0100, Karanbir Singh wrote:
Has someone already looked at it and so what would be the CentOS CLA that we'll use when people will register/sign for a FAS account on centos.org ?
Lets change it to 'I will do no evil, I will break no laws, I will play in a community friendly manner'. Perhaps better worded, we dont need anything more than that.
For what it's worth, this is significantly — very significantly! — broader in scope and more restrictive than the FPCA.
On 29/06/15 16:08, Matthew Miller wrote:
On Mon, Jun 29, 2015 at 04:00:31PM +0100, Karanbir Singh wrote:
Has someone already looked at it and so what would be the CentOS CLA that we'll use when people will register/sign for a FAS account on centos.org ?
Lets change it to 'I will do no evil, I will break no laws, I will play in a community friendly manner'. Perhaps better worded, we dont need anything more than that.
For what it's worth, this is significantly — very significantly! — broader in scope and more restrictive than the FPCA.
'evil' and 'nice' are both fairly subjective, so all were saying is dont do anything illegal. I cant imagine the FPCA welcomes illegal activity.
On Mon, Jun 29, 2015 at 04:47:34PM +0100, Karanbir Singh wrote:
Lets change it to 'I will do no evil, I will break no laws, I will play in a community friendly manner'. Perhaps better worded, we dont need anything more than that.
For what it's worth, this is significantly — very significantly! — broader in scope and more restrictive than the FPCA.
'evil' and 'nice' are both fairly subjective, so all were saying is dont do anything illegal. I cant imagine the FPCA welcomes illegal activity.
Fedora doesn't, of course, but the FPCA doesn't cover any of that. It just asks that all contributions be under _some_ legitimate license and specifies a default (CC-BY-SA for content, MIT for code). That's all. It doesn't place any further restrictions or require you to agree to anything else.
While we _want_ contributors to be non-evil and play nicely, that's out of scope here. Possibly "don't contribute code to which you do not have the right" is covered under both "break no laws" and "play in a community friendly manner", but so, presumably, are a host of other things.
On 06/29/2015 10:47 AM, Karanbir Singh wrote:
'evil' and 'nice' are both fairly subjective, so all were saying is dont do anything illegal. I cant imagine the FPCA welcomes illegal activity.
<devil's advocate> I could see this quite easily. OpenVPN can be used to circumvent a country's restrictive laws and publish information about government corruption, protesting treatment of LGBT folks, etc..
</devil's advocate>
I don't care about 'evil', 'nice' etc.
1. Can I legally distribute software that people want to use. 2. Can the community contribute to the project with a fairly low barrier to entry.
Everything else is personal belief and opinion.
On 29/06/15 17:01, Jim Perrin wrote:
On 06/29/2015 10:47 AM, Karanbir Singh wrote:
'evil' and 'nice' are both fairly subjective, so all were saying is dont do anything illegal. I cant imagine the FPCA welcomes illegal activity.
<devil's advocate> I could see this quite easily. OpenVPN can be used to circumvent a country's restrictive laws and publish information about government corruption, protesting treatment of LGBT folks, etc..
</devil's advocate>
I don't care about 'evil', 'nice' etc.
- Can I legally distribute software that people want to use.
- Can the community contribute to the project with a fairly low barrier
to entry.
Everything else is personal belief and opinion.
yes, so subjective.
-
Brian Stinson -
Fabian Arrotin -
Haïkel -
Jim Perrin -
Karanbir Singh -
Karsten Wade -
Lalatendu Mohanty -
Matthew Miller -
Pierre-Yves Chibon -
Stephen John Smoogen