This came up during a short chat in the Fedora Join channels. It seems that not all contributions in Fedora require the FPCA to be signed---or perhaps they do according to the docs but the various platforms do not check for this condition. For example, contributing translations via Weblate does not seem to require it, and while it is documented that one must sign the FPCA before contributing to the magazine, I'm not sure if taiga/wordpress check for this?
We weren't sure if this needs to be checked/verified and whether the infra bits need to be updated to include checks on FPCA signage, and thought a council ticket was warranted.
CC: @jflory7 @alciregi : please correct me if I'm wrong and add any more info you think relevant here.
I don't believe most platforms support checking this. However, all contributions to Fedora directly (in other words, not to upstreams) require FPCA from a policy perspective.
So, yes, the infrastructure should support it, although it's not clear to me how feasible that is.
What exactly are you asking the Council for?
I think @jflory7 had suggested that this may be one of them legal things that need to be looked at, and so the council was the place to bring it up.
(I don't know what needs to be done myself)
Hi, I asked @ankursinha to open this ticket. I believe this is a legal risk that needs a patch. It should be prioritized via the Fedora Council to the Fedora Accounts team. We are both launching a new account system for the first time in more than a decade, and we are also in a vulnerable place as we are working on updating our Code of Conduct for the first time in ten years.
I am concerned about helpful contributions made to the distribution in bad faith, where a bad actor chooses to invoke copyright law or maneuver around legal agreements that are mitigated by the FPCA. This is not an abstract example, it has happened before. Just not in a project or community as large as Fedora. While the bar to do serious damage is much higher in Fedora than the previous example, the fact exists that there is loophole that a bad actor can consciously contribute to Fedora without signing the FPCA, and that is a legal risk as far as Fedora Linux and the RPM package collection is concerned.
I believe this should be opened as a Council ticket first because:
I would agree that we should ensure that any contributions (besides wiki changes) are clearly made by contributors who have agreed to the FPCA, and that our tooling closes any gaps that our community finds with this regard.
I'll put together a list of places that we want to enforce this and give it to the infrastructure team. We won't be able to entirely close the gap, but we can hopefully narrow it somewhat.
Metadata Update from @bcotton: - Issue assigned to bcotton
Thanks @bcotton for looking into this. Agreed that entirely closing the gap is likely not possible, but narrowing it (in my non-lawyer mind) does mitigate the most-damaging legal risk.
We actually have an in-use template for making sure not-necessarily-FPCA-covered contributions are appropriately licensed. See https://ask.fedoraproject.org/tos, which has the statement:
All user contributions must be under an acceptable license for Fedora as defined in the Fedora Project Contributor Agreement. User contributions which do not state otherwise are licensed under the Current Default License, which is Creative Commons Attribution-ShareAlike 4.0 as described in the FPCA.
I propose that where possible we use similar statements -- can we do this for weblate? (In that case, maybe something like "match the license of the open source project which is being translated" or something.)
@bcotton Ping... where did we land on this? I remember we talked about it some.
Here's the list from the notes from our last face-to-face. If no one raises objections, I'll send this to infra:
Discussion: no Magazine: read no, write yes Pagure: yes Taiga: no Copr: yes Fedocal: no Mirrormanager: no Translations: yes Elections: no Wiki: No, although it’s a hack to prevent spam Dist-get: yes Nuancier: no, since it has an explicit agreement at upload time https://github.com/fedora-infra/nuancier/blob/master/nuancier/forms.py#L156-L164 Ask: no Magazine comments: no RHBZ: no Bodhi: no, because it's not copyrightable Badges: no Blockerbugs: no Kerneltest: no Koschei: not copyrightable Notifications: no Element server: no
Pagure: yes
I object to this one. There's a lot of not-contribution-in-the-FPCA sense that happens in Pagure (Council tickets, for example), so I don't think it is appropriate to require it service-wide. (if it's the case that it's already required, then fine, I guess)
Yeah, we have never checked for/required the FPCA for pagure.io or fedorahosted before it.
Also, we never have for copr either.
I sent a list to Aoife Moloney to see if we should do this as an infra ticket or a mini-initiative for CPE. I'm fine we closing this ticket now if we want
Metadata Update from @bcotton: - Issue priority set to: Waiting on External (was: Needs Review)
Metadata Update from @mattdm: - Issue close_status updated to: no action needed - Issue status updated to: Closed (was: Open)
Log in to comment on this ticket.