[Cryptech Core] contributor license agreement

Stephen Farrell stephen.farrell at cs.tcd.ie
Mon Aug 6 22:37:12 UTC 2018


Hiya,

On 06/08/18 23:16, Peter Stuge wrote:
> Stephen Farrell wrote:
>> One thing that seems to come up regardless of which home we find,
>> is the need for a contributor license agreement for the project.
> 
>> So the question for now is would folks be ok if we adopted
>> something like the one that's used by openssl?  [2]
> 
> The question is moot until a rationale explains the "need".
> 

My assumption was that folks on the core team would be familiar
with such things. If that's a bad assumption I'm happy to try to
explain why these things seem to be useful.

> 
>> [2] https://www.openssl.org/policies/cla.html
> 
> So trying to do some second-degree analysis I find:
> 
> "The purpose of this agreement is to clearly define the terms under
> which intellectual property has been contributed to OpenSSL and
> thereby allow us to defend the project should there be a legal
> dispute regarding the software at some future time."
> 
> Is that the full story with The Commons Conservancy? What are the details?

We have a couple more things we're checking with the commons
conservancy folks, will send the full details when we have 'em.
(Mostly, like other potential "homes" it involves a little more
bureaucracy than we've seen, but that's inevitable I guess. We
hope to keep that to an acceptable level, for all our sakes:-)

> But - and maybe more importantly - what are the goals for "finding a
> home" in the first place? What are the desired new and changed
> processes within the project, respectively?

See the notes of the f2f meetings from last Sept/Feb. Basically,
Nordunet have been handling the money since we started and don't
really see doing that for open-source projects as a core function
of theirs, so we need to find some other entity to do that. We
explored the Linux foundation before, which generated some push
back. Now we're exploring the commons conservancy. There are not
many such organisations existing, btw, and we need someone to
handle the dosh from donors so getting this sorted is a thing
we kinda have to succeed at, without there being anything mega
urgent afaik.

> 
> 
> Popular choices are always convenient and of course politically safe,
> but usually not the best.

I fail to see the relevance tbh - which is the "popular" thing here? :-)

> 
> CrypTech is relevant because we improve the state of the art - let's
> not lose that.

Agreed. I don't see that replacing Nordunet's kindness in processing
payments with someone else doing just that job really risks that. (Not
replacing Nordunet would eventually put that at risk I guess.)

> Oh, and I noticed that The Commons Conservancy secretary's bio mentions
> as an accomplishment "deployment of complex niche builds such as an
> Internet voting system during national elections" - I don't know how
> that fits with the project.

They'd not be an owner or responsible for anything but the cheque
book and minimal related logistics, such as CLAs. Within fairly broad
limits, I don't see that we need to agree or disagree with other things
they do, no more than we need to like the banks that hold/distribute the
money that donors contribute to fund the project.

Hope that helps, and still looking for feedback as to whether the
openssl CLA is something problematic or ok for folks on the core
team...

Cheers,
S.


> 
> 
> //Peter