#364 Are we/our infrastructure correctly checking whether the FPCA is signed before allowing contributions? (If not, should it?)
Opened 6 months ago by ankursinha. Modified 2 months ago

This came up during a short chat in the Fedora Join channels. It seems that not all contributions in Fedora require the FPCA to be signed---or perhaps they do according to the docs but the various platforms do not check for this condition. For example, contributing translations via Weblate does not seem to require it, and while it is documented that one must sign the FPCA before contributing to the magazine, I'm not sure if taiga/wordpress check for this?

We weren't sure if this needs to be checked/verified and whether the infra bits need to be updated to include checks on FPCA signing, and thought a council ticket was warranted.

CC: @jflory7 @alciregi : please correct me if I'm wrong and add any more info you think relevant here.

I don't believe most platforms support checking this. However, all contributions to Fedora directly (in other words, not to upstreams) require FPCA from a policy perspective.

So, yes, the infrastructure should support it, although it's not clear to me how feasible that is.

What exactly are you asking the Council for?

I think @jflory7 had suggested that this may be one of those legal things that need to be looked at, and so the council was the place to bring it up.

(I don't know what needs to be done myself)

Hi, I asked @ankursinha to open this ticket. I believe this is a legal risk that needs a patch. It should be prioritized via the Fedora Council to the Fedora Accounts team. We are launching a new account system for the first time in more than a decade, and we are also in a vulnerable place as we are working on updating our Code of Conduct for the first time in ten years.

I am concerned about helpful contributions made to the distribution in bad faith, where a bad actor chooses to invoke copyright law or maneuver around legal agreements that are mitigated by the FPCA. This is not an abstract example; it has happened before, just not in a project or community as large as Fedora. While the bar to do serious damage is much higher in Fedora than in the previous example, the fact remains that there is a loophole: a bad actor can consciously contribute to Fedora without signing the FPCA, and that is a legal risk as far as Fedora Linux and the RPM package collection are concerned.

I believe this should be opened as a Council ticket first because:

  1. This has far-reaching impacts that likely require participation from multiple stakeholders.
  2. This needs priority in the wider context of everyday things happening across Fedora Infrastructure, and I believe the Council is the best vehicle in the project to convey this kind of priority.

I would agree that we should ensure that any contributions (besides wiki changes) are clearly made by contributors who have agreed to the FPCA, and that our tooling closes any gaps that our community finds with this regard.

I'll put together a list of places that we want to enforce this and give it to the infrastructure team. We won't be able to entirely close the gap, but we can hopefully narrow it somewhat.

Metadata Update from @bcotton:
- Issue assigned to bcotton

6 months ago

Thanks @bcotton for looking into this. Agreed that entirely closing the gap is likely not possible, but narrowing it (in my non-lawyer mind) does mitigate the most-damaging legal risk.

We actually have an in-use template for making sure not-necessarily-FPCA-covered contributions are appropriately licensed. See https://ask.fedoraproject.org/tos, which has the statement:

All user contributions must be under an acceptable license for Fedora as defined in the Fedora Project Contributor Agreement. User contributions which do not state otherwise are licensed under the Current Default License, which is Creative Commons Attribution-ShareAlike 4.0 as described in the FPCA.

I propose that where possible we use similar statements -- can we do this for weblate? (In that case, maybe something like "match the license of the open source project which is being translated" or something.)
