Contributor Agreements for Patches - was [Jython-dev] Jython on Google AppEngine!
A question that arose on this thread, which I'm forwarding for context (and we're quite happy about it too!): - What is the scope of a patch that requires a contributor agreement? This particular patch on #1188 simply adds obvious (in retrospect of course) handling on SecurityException so that it's treated in a similar fashion to IOException (possibly a bit more buried), so it seems like a minor patch. - Do Google employees, working on company time, automatically get treated as contributors with existing contributor agreements on file with the PSF? If so, are there are other companies that automatically get this treatment? - Should we change the workflow for roundup to make this assignment of license clearer (see Tobias's idea in the thread about a click-though agreement). In these matters, Jython, as a project under the Python Software Foundation, intends to follow the same policy as CPython. - Jim ---------- Forwarded message ---------- From: Frank Wierzbicki <fwierzbicki@gmail.com> Date: Wed, Apr 8, 2009 at 9:32 AM Subject: Re: [Jython-dev] Jython on Google AppEngine! To: James Robinson <jamesr@google.com> Cc: Jython Developers <jython-dev@lists.sourceforge.net>, Alan Kennedy < jython-dev@xhaus.com> On Wed, Apr 8, 2009 at 11:22 AM, James Robinson <jamesr@google.com> wrote:
I submitted 1188 and I'm a Google employee working on company time. Let me know if anything further is needed, but we have quite a few contributors to the Python project working here. Excellent, and thanks! 1188 was already slated for inclusion in our upcoming RC, but knowing that it is in support of GAE moves it up to a very high priority.
-Frank ------------------------------------------------------------------------------ This SF.net email is sponsored by: High Quality Requirements in a Collaborative Environment. Download a free trial of Rational Requirements Composer Now! http://p.sf.net/sfu/www-ibm-com _______________________________________________ Jython-dev mailing list Jython-dev@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/jython-dev -- Jim Baker jbaker@zyasoft.com
Oops, didn't attach the entire thread, so see below: On Wed, Apr 8, 2009 at 9:50 AM, Jim Baker <jbaker@zyasoft.com> wrote:
A question that arose on this thread, which I'm forwarding for context (and we're quite happy about it too!):
- What is the scope of a patch that requires a contributor agreement? This particular patch on #1188 simply adds obvious (in retrospect of course) handling on SecurityException so that it's treated in a similar fashion to IOException (possibly a bit more buried), so it seems like a minor patch. - Do Google employees, working on company time, automatically get treated as contributors with existing contributor agreements on file with the PSF? If so, are there are other companies that automatically get this treatment? - Should we change the workflow for roundup to make this assignment of license clearer (see Tobias's idea in the thread about a click-though agreement).
In these matters, Jython, as a project under the Python Software Foundation, intends to follow the same policy as CPython.
- Jim
Forwarded conversation Subject: [Jython-dev] Jython on Google AppEngine! ------------------------ From: *Alan Kennedy* <jython-dev@xhaus.com> Date: Wed, Apr 8, 2009 at 6:37 AM To: Jython Developers <jython-dev@lists.sourceforge.net>, jython users < jython-users@lists.sourceforge.net> Hi all, As you may know, Google announced Java for AppEngine yesterday! http://googleappengine.blogspot.com/2009/04/seriously-this-time-new-language... And they're also supporting all of the various languages that run on the JVM, including jython. http://groups.google.com/group/google-appengine-java/web/will-it-play-in-app... They say about jython """ - Jython 2.2 works out of the box. - Jython 2.5 requires patches which we'll supply until the changes make it directly into Jython: - jython-r5996-patched-for-appengine.jar is the complete jython binary library, patched for app engine - jython-r5996-appengine.patch is the patch file that contains the source code for the changes """ They provide the patches they used to make 2.5 work http://google-appengine-java.googlegroups.com/web/jython-r5996-appengine.pat... I definitely think this is an important patch to consider for the 2.5RC! It would be nice if Google could say Jython 2.2 works out of the box, and jython 2.5 works out of the box. Alan. ------------------------------------------------------------------------------ This SF.net email is sponsored by: High Quality Requirements in a Collaborative Environment. Download a free trial of Rational Requirements Composer Now! http://p.sf.net/sfu/www-ibm-com _______________________________________________ Jython-dev mailing list Jython-dev@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/jython-dev ---------- From: *Tobias Ivarsson* <thobes@gmail.com> Date: Wed, Apr 8, 2009 at 8:18 AM To: Alan Kennedy <jython-dev@xhaus.com> Cc: Jython Developers <jython-dev@lists.sourceforge.net> Most things in that patch look ok. I'd like to do a more thorough analysis of the implications of each change though. The catching of SecurityException is fine, but I want to look at the places where they drop the exceptions that they caught in their context, and make sure that silently ignoring the exception is a valid approach. The other changes are few but slightly more controversial. Are Google willing to sign a contributors agreement and license this patch to us? otherwise someone who has not looked on it yet (i.e. not me), should probably experiment with Jython on GAE and find out what needs to be patched to get Jython to run there. /Tobias ------------------------------------------------------------------------------ This SF.net email is sponsored by: High Quality Requirements in a Collaborative Environment. Download a free trial of Rational Requirements Composer Now! http://p.sf.net/sfu/www-ibm-com _______________________________________________ Jython-dev mailing list Jython-dev@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/jython-dev ---------- From: *Jim Baker* <jbaker@zyasoft.com> Date: Wed, Apr 8, 2009 at 8:33 AM To: Alan Kennedy <jython-dev@xhaus.com> Cc: Jython Developers <jython-dev@lists.sourceforge.net>, jython users < jython-users@lists.sourceforge.net> This is the same patch set requested in http://bugs.jython.org/issue1188: "Patch against trunk to handle SecurityExceptions". Now we know the source of the request, and the specific application is very clear: a sandboxed Jython, running under a fairly strict security manager. The bug is a blocker for the release candidate, so this fix will be part of 2.5. We would love to see more work testing the full scope of environments Jython needs to run under, and any resulting bugs. - Jim -- Jim Baker jbaker@zyasoft.com ---------- From: *James Robinson* <jamesr@google.com> Date: Wed, Apr 8, 2009 at 8:30 AM To: Tobias Ivarsson <thobes@gmail.com> Cc: Jython Developers <jython-dev@lists.sourceforge.net>, Alan Kennedy < jython-dev@xhaus.com> I have a patch up on your issue tracker already, I'll ping it shortly. It's a very small patch and the SecurityExceptions that are caught and ignored are treated the same as I/O exceptions in the vast majority of cases (which they really are). - James ------------------------------------------------------------------------------ This SF.net email is sponsored by: High Quality Requirements in a Collaborative Environment. Download a free trial of Rational Requirements Composer Now! http://p.sf.net/sfu/www-ibm-com _______________________________________________ Jython-dev mailing list Jython-dev@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/jython-dev ---------- From: *Jim Baker* <jbaker@zyasoft.com> Date: Wed, Apr 8, 2009 at 8:36 AM To: James Robinson <jamesr@google.com> Cc: Tobias Ivarsson <thobes@gmail.com>, Jython Developers < jython-dev@lists.sourceforge.net>, Alan Kennedy <jython-dev@xhaus.com> Right, this is a very small patch, we haven't required contributor agreements in similar cases. I think we want to consider how to replicate this setup however so we don't inadvertently reverse things. - Jim ---------- From: *Tobias Ivarsson* <thobes@gmail.com> Date: Wed, Apr 8, 2009 at 8:40 AM To: Jim Baker <jbaker@zyasoft.com> Cc: James Robinson <jamesr@google.com>, Jython Developers < jython-dev@lists.sourceforge.net>, Alan Kennedy <jython-dev@xhaus.com> Could we add a click-through agreement for patch submissions? Patches are usually small enough to not be a big deal, but such a thing would leave us entirely safe. /Tobias ---------- From: *Frank Wierzbicki* <fwierzbicki@gmail.com> Date: Wed, Apr 8, 2009 at 8:44 AM To: Tobias Ivarsson <thobes@gmail.com> Cc: Jython Developers <jython-dev@lists.sourceforge.net>, Alan Kennedy < jython-dev@xhaus.com> Google is a member of the PSF, so as long as Google wants this contributed I think it's okay. To be safe we should get an explicit statement, but since the patch is small, this probably isn't strictly necessary. FWIW this is how my on-the-clock contributions to Jython are protected (Sun is a member of the PSF and allows my contributions). -Frank ---------- From: *James Robinson* <jamesr@google.com> Date: Wed, Apr 8, 2009 at 9:22 AM To: Frank Wierzbicki <fwierzbicki@gmail.com> Cc: Jython Developers <jython-dev@lists.sourceforge.net>, Alan Kennedy < jython-dev@xhaus.com> I submitted 1188 and I'm a Google employee working on company time. Let me know if anything further is needed, but we have quite a few contributors to the Python project working here. - James ------------------------------------------------------------------------------ This SF.net email is sponsored by: High Quality Requirements in a Collaborative Environment. Download a free trial of Rational Requirements Composer Now! http://p.sf.net/sfu/www-ibm-com _______________________________________________ Jython-dev mailing list Jython-dev@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/jython-dev ---------- From: *Frank Wierzbicki* <fwierzbicki@gmail.com> Date: Wed, Apr 8, 2009 at 9:33 AM To: Tobias Ivarsson <thobes@gmail.com> Cc: Jim Baker <jbaker@zyasoft.com>, Jython Developers < jython-dev@lists.sourceforge.net>, Alan Kennedy <jython-dev@xhaus.com> A click through is a very good idea, I think Jim is going to find out what they do for CPython. -Frank ---------- From: *Frank Wierzbicki* <fwierzbicki@gmail.com> Date: Wed, Apr 8, 2009 at 9:32 AM To: James Robinson <jamesr@google.com> Cc: Jython Developers <jython-dev@lists.sourceforge.net>, Alan Kennedy < jython-dev@xhaus.com> Excellent, and thanks! 1188 was already slated for inclusion in our upcoming RC, but knowing that it is in support of GAE moves it up to a very high priority. -- Jim Baker jbaker@zyasoft.com -- Jim Baker jbaker@zyasoft.com
* What is the scope of a patch that requires a contributor agreement?
Unfortunately, that question was never fully answered (or I forgot what the answer was).
* Do Google employees, working on company time, automatically get treated as contributors with existing contributor agreements on file with the PSF?
Yes, they do.
If so, are there are other companies that automatically get this treatment?
Not that I know of.
* Should we change the workflow for roundup to make this assignment of license clearer (see Tobias's idea in the thread about a click-though agreement).
I think we do need something written; a lawyer may be able to tell precisely. I still hope that we can record, in the tracker, which contributors have signed an agreement.
In these matters, Jython, as a project under the Python Software Foundation, intends to follow the same policy as CPython.
Please keep pushing. From this message alone, I find two questions to the lawyer, and one (possibly two) feature requests for the bug tracker. Regards, Martin
On Wed, Apr 8, 2009 at 8:37 PM, "Martin v. Löwis" <martin@v.loewis.de>wrote: --8<--
* Should we change the workflow for roundup to make this assignment of license clearer (see Tobias's idea in the thread about a click-though agreement).
I think we do need something written; a lawyer may be able to tell precisely.
The company I work for does open source development. And our lawyers said that our model of having contributors send an e-mail with the text "I agree" and our CLA as an attachment was perfectly valid, no hand written signature needed. From there the step to a click through for something as simple as a patch isn't too far. But I would not claim that I know any of these things, I'm just hoping that we can have a simple process with no legal gray areas.
I still hope that we can record, in the tracker, which contributors have signed an agreement.
That would be good. Cheers, Tobias
* What is the scope of a patch that requires a contributor agreement?
Van's advise is as follows: There is no definite ruling on what constitutes "work" that is copyright-protected; estimates vary between 10 and 50 lines. Establishing a rule based on line limits is not supported by law. Formally, to be on the safe side, paperwork would be needed for any contribution (no matter how small); this is tedious and probably unnecessary, as the risk of somebody suing is small. Also, in that case, there would be a strong case for an implied license. So his recommendation is to put the words "By submitting a patch or bug report, you agree to license it under the Apache Software License, v. 2.0, and further agree that it may be relicensed as necessary for inclusion in Python or other downstream projects." into the tracker; this should be sufficient for most cases. For committers, we should continue to require contributor forms. Contributor forms can be electronic, but they need to name the parties, include a signature (including electronic), and include a company contribution agreement as necessary. Regards, Martin P.S. I'm sure Van will jump in if I misunderstood parts of this.
On Mon, Apr 13, 2009 at 4:44 PM, "Martin v. Löwis" <martin@v.loewis.de>wrote:
* What is the scope of a patch that requires a contributor agreement?
Van's advise is as follows:
There is no definite ruling on what constitutes "work" that is copyright-protected; estimates vary between 10 and 50 lines. Establishing a rule based on line limits is not supported by law. Formally, to be on the safe side, paperwork would be needed for any contribution (no matter how small); this is tedious and probably unnecessary, as the risk of somebody suing is small. Also, in that case, there would be a strong case for an implied license.
So his recommendation is to put the words
"By submitting a patch or bug report, you agree to license it under the Apache Software License, v. 2.0, and further agree that it may be relicensed as necessary for inclusion in Python or other downstream projects."
into the tracker; this should be sufficient for most cases. For committers, we should continue to require contributor forms.
Sounds great to me. Cheers, Tobias
participants (3)
-
"Martin v. Löwis"
-
Jim Baker
-
Tobias Ivarsson