Linus on documenting patch provenance
Posted May 24, 2004 0:16 UTC (Mon) by Eudyptes (guest, #15589)
Parent article: Linus on documenting patch provenance
It seems that Linus wants to track the "chain of custody" as it were. This
is standard with any org that needs to do investigations. From what I can
gather it seems to go something like this:
A. D. Veloper submits the original patch for kpatch.h
Then:
B. D. Veloper changes this patch (still read as) kpatch.h
And then:
C. D. Veloper and D. D. Veloper, etc..
Now some Company screams "foul" and states that this was ripped off their
"proprietary" work. How do you prove or disprove this?
So it comes to light that "C. D. Veloper" worked for or had access to said
company's source code and got lazy and folded in a piece of code for said
company's stuff. Well, now you have a fairly good idea where the "taint"
came from. This would afford you knowledge of who got lazy or careless
(you just didn't get it). Furthermore, should you need to take out that
part that tainted code you could conceivably do this without having to
rewrite the entire code for "kpatch.h".
Another thing to consider is moles. Yes, moles! Is it inconceivable
that some business/corp that takes considerable exception to the work and
success of Linux-F/OSS wants to see it derailed? Let's say there's a
particular piece of work that has been difficult to work with. Then
somebody (let's call them X. D. Veloper) submits a patch that solves this
problem, or moreover seems to submit several pieces of code to a number of
projects. Then in time it is contended that these several projects' code
bases are tainted with proprietary work/IP stuff. Well, with a chain of
custody a pattern could be seen, such as every project touched by X. D.
Veloper appears to be tainted. This would call into question just who
this person is and where/why he/she has been able to provide so much code
to solve problems.
On the other hand, the positive aspect of this is that someone that has
"cleanly" provided several fixes can be recognized. Y. D. Veloper has
repeatedly submitted patch work that has indeed solved a good many
problems and provides very cogent and clean work. This person may be
someone that has a yet unrecognized talent that the Dev team may wish to
utilize.
When the whole SCO fiasco started, many, including myself, did
exhaustive searches to find who from SCO/Caldera had submitted work, as
well as to what and when. Given that people from almost every corner of
the globe and having varied backgrounds have submitted work to Linux and
F/OSS I think it only prudent to have a clear "chain of custody" without
having a cumbersome and overbearing impact on the process.
Just MHO. :)
Posted May 24, 2004 5:47 UTC (Mon)
by lakeland (guest, #1157)
What you're suggesting would be an extremely dangerous game. As soon as
the company cried foul, the sources of the patch would come to light and
they'd all be pointing at one person -- an employee of the company.
At this point Linux is largely clear, I'm not even sure they have to
remove the code. And if they do, I would expect they would be given quite
generous timeframes given they'd shown due diligence, etc.
It might work, but odds are the damage will be minor. I would hazard a
guess that making unsubstantiated lies as a PR gives better mileage with
lower risk.