Linux and code authorship
There seems to be a lot of buzz today about Linux and the question of who contributed what to it (and whether he or she contributed the code legally). It's all emphasized by the ongoing SCO case, of course. A Slashdot post quotes the USENIX association president as saying (correctly) that Linux lacks a "well-documented ownership trail". To correct this, there appears to be a movement to require code contributors to certify that their contribution is legal. The Developer's Certificate of Origin (the DCO) says, in a nutshell, that all the code was either written by the contributor, covered by an open source license, or otherwise certified under the DCO by someone else (and has not been modified since then). See eWeek: Torvalds Changes How Code Can Be Contributed to Linux for more details.
This doesn't surprise me in the least. It really seems mandatory for an operating system that is used legally in the United States. I wonder, though, if it will be enough. There are three things I worry about, all from completely different perspectives.
First, the certification that the contributed work is open source includes the phrase "to the best of my knowledge", which always disturbs me. I suppose that the DCO shouldn't overly restrict code contributors, but still, this is a quagmire of an inclusion.
Second, will it really absolve any company dealing with Linux from responsibility? Let's look here at an invalid certification - someone contributes code and certifies it when it's actually someone else's intellectual property and cannot be used. What happens when this is discovered? Perhaps we can identify that person's contributions and exclude them from future versions of Linux under the concern that they are also possibly illegal. But what about all the companies using the versions of the OS that contain the illegal code? It seems like they could still be liable.
Third, will any of the contributors care? What happens to someone who falsely certifies code? What reason does anyone with code to contribute have to ensure that everything in it is legit? If you're an American, I guess you need to be worried about legal reprisal against you individually. Maybe.
I dunno, maybe I'm being overly critical. It's definitely a step in the right direction, but I don't know if it is enough.