Re: [PATCH 01/12] thinkpad_ec: New driver for ThinkPad embedded controller access

From: Theodore Tso
Date: Sun Aug 06 2006 - 23:39:42 EST


On Mon, Aug 07, 2006 at 01:08:40AM +0300, Shem Multinymous wrote:
> Hi Ted,
>
> Thanks for the explanation. Point taken, though I can't help parsing it as:
>
> On 8/6/06, Theodore Tso <tytso@xxxxxxx> wrote:
> >For legal reasons, we need a way to contact and identify the author
> >in the real world, not just in cyberspace, and a pseudonym doesn't
> >meet that requirement.
>
> "We want to be able to sue you if they sue us."

That would be the FSF ink contract that they ask you to sign, which states:

I hereby represent and warrant that I am the sole copyright holder for the
Work and that I have the right and power to enter into this contract. I
hereby indemnify and hold harmless the Foundation, its officers, employees,
and agents against any and all claims, actions or damages (including
attorney's reasonable fees) asserted by or paid to any party on account of a
breach or alleged breach of the foregoing warranty.

(Free advice from someone who is not a lawyer: if you are _ever_ asked
to sign a contract or agreement which has the language,
"I... indemnify and hold harmless...", and you have any kind of
significant assets, like a house, car, trust fund, etc., run, don't
walk, to your friendly neighborhood lawyer and get some real legal
advice about what your exposure might be. In any case, the rough
translation of the above is, "If anyone ever sues the FSF over code
that you are giving us for free, regardless of whether or not the
claim has any merit or not, you hereby give us permission to turn
around and sue you for any damages _or_ legal fees that we might have
to pay out." But don't take my word for it, talk to a lawyer first. :-)

As far as the DCO is concerned, at least to my mind, it's so when
someone shows up, we can say, "Hey, your beef is with him, not us."
This might be especially true if the code was allegedly taken from
company X's intellectual property, and it turns out the person who
contributed it was an employee of company X.

And in any case, it's certainly better than the FSF situation, where
the "alleged breach" language means that even if the claims are
totally bogus, and funded by some PIPE-smoking crack fairy, your
assets would still be at risk to the FSF, which wouldn't be the case
if you hadn't signed a contract with such language in it.

> >just as the fact that we aren't requiring ink signatures and public notary
> >checks doesn't mean we shouldn't stop doing what we are doing.
>
> Understood, but still a bit silly. You have no idea how many of the
> 2252 people in `git-whatchanged | grep Signed-off-by: | sort | uniq`
> gave their legal name, and I doubt you could contact most of them in
> the real world without their cooperation (and with my cooperation, you
> could contact me too). Heck, some of those email domains don't even
> resolve. So this "chain of responsibility" is pretty worthless if
> someone really tries to inject legally malicious code into mainline,
> i.e., you end up blindly trusting people anyway.

Sure, but if someone really wanted, they could infect malicious code
into FSF's repositories, too. And if we let fear paralyze us, we
wouldn't get anything done at all. But at the same time, by having a
process, such as the DCO, we can claim that we've made a good faith
attempt to collect a chain of accountability for contributions to the
kernel.

- Ted

P.S. Can you say why you prefer to contribute this from a pseudonym, if
it isn't for legal reasons?