[Python-Dev] cpython: Issue #11750: The Windows API functions scattered in the _subprocess and

[Guido van Rossum]

On Thu, Apr 19, 2012 at 4:19 AM, "Martin v. Löwis" <martin at v.loewis.de> wrote:
>>>>   Issue #11750: The Windows API functions scattered in the _subprocess and
>>>> _multiprocessing.win32 modules now live in a single module "_winapi".
>>>> Patch by sbt.
>>>
>>> Can we use Real Names, please?
>>
>> Do we have a policy about that? sbt seems happy using a pseudonym (and
>> I personally don't have a problem with it).
>
> We would have to ask a lawyer. Apparently, he signed a form, and
> presumably, that can be traced to a real person. However, we need to
> be extremely careful not to accept anonymous contributions, as then
> barrier to contribute stolen code is much lower. It took Linux a ten
> year copyright lawsuit to go through this; I don't want this to happen
> for Python.
>
> In any case, the real policy is that we should not accept significant
> changes without a contributor form.
>
> I, myself, feel extremely uncomfortable dealing with pseudonyms in the
> net, more so since I committed code from (and, IIRC, gave commit rights
> to) Reinhold Birkenfeld. Of course, the issue is different when you
> *know* it's pseudonym (and no, I have no bad feelings towards Georg
> about this at all).

I'd like to copy for posterity what I wrote off-list about this incident:

I'm against accepting anonymous patches, period, unless the core
developer who accepts them vets them *very* carefully and can vouch
for them as if the core developer wrote the patch personally. Giving
an anonymous person commit rights does not meet my standard for good
stewardship of the code base. (But... see below.)

Of course, knowing the name is not *sufficient* to give a person
commit rights -- we know what's needed there, which includes a trust
relationship with the contributor over a long time and with multiple
core committers.

This *process* of vetting committers in turn is necessary so that
others, way outside our community, will trust us. When open source was
new, I got regular requests from lawyers working for large companies
wanting to see the list of contributors. Eventually this stopped,
because the lawyers started understanding open source, but part of
that understanding included the idea that a typical open source
project actually has a high moral code of conduct (written or not).

That said, I can think of plenty of reasons why a contributor does not
want their real name published. Some of those are bad -- e.g. if you
worry that you'll be embarrassed by your contributions in the future
I'm not sure I'd want to see your code in the repository; if you don't
want your employer to find out that you're contributing you might be
violating your employment contract and the PSF could get into trouble
for e.g. incorporating patented code; and I'm not sure we'd like to
accept code from convicted fellons (though I'd consider that a gray
area). But some might be acceptable. E.g. someone who is regularly in
the news might not want to attract gawkers or reveal their personal
email address; someone who is hiding from the law in an oppressive
country (even the US, depending on which law we're talking about)
might need to be protected; someone might have fears for their
personal safety.

In all those cases I think there should be some core contributors who
know the real identity of the contributor. These must also know the
reason for the anonymity and agree that it's important to maintain it.
It must also be known to the community at large that the contributor
is using a pseudonym. If the contributor is not comfortable revealing
their identity to any core contributors, I don't think there is enough
of a trust relationship to build on for a successful career as a
contributor to Python.

-- 
--Guido van Rossum (python.org/~guido)