gmann | fungi: humm, I am not sure about that. At least there is no such requirement in TC 'new project application'. And it's hard to verify and add such a requirement as we do not know when people have started the code which they are putting in openstack. Sometimes there is no initial plan when people start the code and later they change the plan to be in openstack. | 20:55 |
---|---|---|
gmann | this is a SIG repo but I am really doubtful about this requirement for SIG or any project repo. | 20:55 |
fungi | yes, i retracted my concern when i saw it was a sig repo and not a deliverable | 22:04 |
fungi | in the past, the foundation staff has researched affiliation for past contributions of new additions and followed up with employers to make sure any necessary cla was taken care of | 22:05 |
gmann | but if it was a deliverable, do we have such a requirement? I am making sure that we are not missing anything and we comply with the license needs. | 22:05 |
fungi | but if the project started with cla enforcement to begin with, then it's not needed | 22:05 |
gmann | for example, new projects venus and skyline: we have not checked this | 22:06 |
fungi | and yes, it's expected that all contributions to openstack (even if made before the project became part of openstack) should be covered by a cla | 22:06 |
fungi | skyline is pretty easy since it started inside a company which already has an agreement with the foundation | 22:06 |
gmann | fungi: I am saying before they are openstack contributors, like importing code to openstack when becoming openstack | 22:07 |
fungi | right, the concern is that someone could have contributed code to a project and implemented patent-infringing algorithms without their employer's consent, then that project becomes part of openstack and the patent holder sues the project for patent infringement | 22:08 |
gmann | ok, so how and who checks those cases? TC does not. | 22:08 |
gmann | at least there is no such requirement in TC 'new projects application'. | 22:09 |
fungi | if the tc does not and the project did not previously enforce such a cla, then like i said it ends up falling on the foundation staff to double-check that adding the project isn't creating undue legal risks | 22:09 |
gmann | and if we do then it becomes a very complex thing to check and verify. | 22:10 |
fungi | yep, that's why we've previously suggested that projects which are considering becoming part of openstack enforce the icla for contributions, in order to minimize that work in the future | 22:11 |
gmann | yeah, even if TC needs to check this then it has to go with legal checks/trademark etc. by the foundation as we cannot do such checks. | 22:11 |
fungi | usually it's a matter of scraping a list of committer e-mail addresses from the git history and then querying gerrit to see if they're already contributors to any existing official project | 22:12 |
gmann | so it should be like - new project/repo to openstack 1. if no import and starting code from scratch then we are good 2. if code was imported from another repo then perform the legal checks on existing code? | 22:12 |
fungi | i'm not 100% sure, usually it doesn't come up, but i'll ask the people who know | 22:13 |
gmann | yeah, because this is a really complex thing to check because it involves how things were in the past when someone wants to bring their code to openstack | 22:14 |
fungi | and you raise a great point, which is that any time a repository is imported into opendev with existing commits from somewhere else, this could happen | 22:15 |
gmann | yeah | 22:15 |
gmann | it can be 10 year old code :) | 22:15 |
gmann | or even before openstack was there | 22:15 |
fungi | to be entirely clear, i'd love to see all of our contributor license agreements die in a fire, but legal counsel for a number of the foundation's member companies is very risk-averse about "scary" things like open source collaboration, and wants to make sure we have sufficient legal contracts signed by anyone involved in the development in order to reduce the chances of being sued | 22:17 |
gmann | yeah, without a cla it is actually complex for a company to spend legal checks/time and most companies think twice to even use the OSS; developing might be more complex. | 22:20 |
gmann | fungi: please check with the foundation and let us know if there is anything we need to care about or add in the process. This needs to be clear as it involves legal risk. | 22:21 |
gmann | or let me know if you want me to follow up. | 22:22 |
fungi | i'll check in with people after the holiday weekend, it's not urgent | 22:44 |
gmann | thanks. | 22:44 |
gmann | or at least we can clarify that we in OpenStack Governance do not perform any such checks on the code imported to OpenStack when it becomes an OpenStack official project. after it becomes OpenStack then we perform/check all required things like cla, license etc | 23:25 |