Notes: idpy board call, 13 November 2017
by hlflanagan@sphericalcowgroup.com
Notes:
0. Agenda bash
1. Introductions
- Heather Flanagan
- Ivan Kanakarakis (SUNET, lead architect for Satosa, pySAML)
- Leif Johansson (SUNET)
- Roland Hedberg (independent, original developer and architect)
- Christos Kanellopoulos (GÉANT)
- Chris Whalen (individual contributor)
- Mike Jones (Director OIDF, author of OIDC and JWT and OAuth)
2. Governance documents
- https://github.com/IdentityPython/Governance
3. Discussing and possibly approving the use of Commons Conservancy as
our IPR home
- https://drive.google.com/drive/folders/1h2mFQHGhJualJWTwtt-ivpkJvUZP960f?us…
Why do we want an IPR home? Today, all the code is copyrighted at
various organizations. If we want to have other organizations rely on
it, it might help if the copyright notices are at an organization that
is demonstrated to be neutral, not affiliated with any commercial
interest, and hard to take over. We (probably) would need to reassign
copyright to them.
We also might want the ability to take donations and hire more
developers. Ivan is on staff, paid for by GÉANT, but we might want
additional resources at some point (e.g., students, developers, other).
Commons Conservancy offers a separate service that supports the
financial end of things, and while we don’t need that right now, we
might in the future.
Can the Conservancy defend IPR in court for a project? They have a
network of volunteer lawyers who would be interested in taking on pro
bono work. Note that it is really hard to bring a lawsuit for something
based in The Netherlands. This is a difference between some of the
Foundations out there (e.g., OIDF, Free Software Foundation, Linux
Foundation). Note that organizations like Linux Foundation will charge a
much higher overhead. The Apache Foundation leaves you locked to a
specific license model. So, there are pros and cons for all the above.
Donating money to Commons Conservancy/NLNet gets you some tax advantages.
Note that Commons Conservancy hasn’t been around all that long, so some
of their assertions re: “unlikely to be sued” might be naive.
What is the relationship between IPR and the GÉANT project? The default
clause in the consortium agreement is that GÉANT holds the IPR on behalf
of the consortium. Need to see how that would play out if that means
handing the IPR over to a third party. Action item for Christos to
follow up on.
Procedural note: board members need to have an opportunity to have their
legal team(s) review anything that requires a signature.
4. The pros/cons for requiring a CLA (and possibly making a decision on
that)
An initial discussion around CLAs had taken place on the mailing list:
https://lists.sunet.se/pipermail/idpy-discuss/2018-April/000146.html
https://lists.sunet.se/pipermail/idpy-discuss/2018-June/000188.html
and, the related discussion for the criteria for new projects:
https://lists.sunet.se/pipermail/idpy-discuss/2018-February/000098.html
Ivan: Given the current GitHub terms, we are probably covered. But the
terms take place from a certain date; before that date all contributions
made are under a different state. We need to figure out whether we want
to bring these changes up to our current license agreements, and whether
or not we’ll need CLAs for everyone from now on.
Roland: When did the GitHub terms change? Need to verify.
Leif: Originally was on the side of needing CLAs, but after reviewing
the arguments, decided against it. This is more like the IETF Note Well.
By being in the room and contributing, you’re acknowledging what you
need to do. That’s slightly different than saying “can I commit this
code/write this draft/be in this meeting” and having to bring this to a
company lawyer that has no interest in understanding whether this is ok
or not.
Roland: Also not in the camp of doing CLAs. The sheer amount of work to
track everyone down is very high.
Leif: will need to do some background work - are there any contributions
we’re unsure of? (e.g., if a project pulled in an external dependency
that had an incompatible license). Perhaps we want to formulate our own
Note Well/Terms of Service?
Chris: what kind of guidance do organizations have for their employees?
It varies significantly.
Mike: for contributing to Google projects and OIDF you have to sign CLAs.
Leif: in some organizations, developers are explicitly kept away from
lawyers. We should not put people into a situation where they have to
bring lawyers into it. We should create something “here’s what we think
you should have the right to do. If you don’t, go away.”
Christos: There are two aspects here, one is about the past, one about
the future.
Leif: we have to do something for the past. Some sort of transfer of
authority to Commons Conservancy.
Ivan: Need to decide what to do with contributors for people who
contributed before 2017; we have a list of who has contributed as a
whole, just need to figure out which among those contributed before 2017.
Christos: If we’re going to use something like Commons Conservancy, does
this become their problem? No, because we have to transfer the license
over to them.
Action items: Determine list of contributors from before 2017 GitHub
term changes; create a Note Well
5. Review the criteria for bringing in new projects to idpy
- https://github.com/IdentityPython/IdentityPython.github.io/wiki/Adding-and-…
Practical use case: evolution of pyFF
Holding topic to next call
6. Administrivia
* Call frequency? More frequent calls to start; next call in 2-3 weeks
* Publicly posted meeting agenda, meeting notes? Heather will post to
the board mailing list; items that shouldn’t be public (which should be
exceedingly rare) shouldn’t be noted. OK to make the mailing list archives.
7. AOB