Tuesday, 25 May, 2004

Revising the Linux kernel submission process

Linus Torvalds and kernel maintainer Andrew Morton have adopted a revised process for Linux kernel submissions. The revised process requires that developers who submit contributions have to acknowledge their right to submit the code: in effect certifying that the code is their own work or otherwise free of legal entanglements. This acknowledgement, called the Developer's Certificate of Origin (DCO), also ensures that developers get their due credit. See the press release for full information.

The Slashdot comments on this issue are mixed, with some saying that it's a Good Thing, and others forecasting doom, gloom, and Linux kernel development being overwhelmed with bureaucratic process to the detriment of innovation. Conspiracy theories include "big corporations" wanting an audit trail so that they have somebody to sue when something goes wrong, malicious agents of Linux detractors "sneaking" copyrighted code into the kernel, and all manner of other nefarious plots. Seems to me that the kernel and the rest of the open source world would be better off if these people expended their creativity and time on software development rather than on thinking up new and entirely implausible ways that others could hijack or derail kernel development.

The discussion of legal liability is especially humorous. The group is about evenly divided between those who say that the GPL protects them from being sued for liability, and those who say that the GPL's limitation of liability clauses are not recognized in some localities. What's laughable is that most of the people worrying about this have absolutely no grounds to fear being sued, simply because they don't have enough money to make it worthwhile. If something goes wrong and a lawsuit is filed, the lawyers will go after the money, wherever it is, not some poor slob who submitted a kernel patch. Oh, that person might be named in the suit, but the lawyers aren't going to hit him too hard. What's the point of trying to get a million dollar judgement from somebody who makes $50,000 per year? On the other hand, if the developer in question has money, it's doubtful that the GPL will protect him when the big gun lawyers come calling.

Limitation of liability clauses in voluntary contracts like the GPL seem intended to deter small claims that would cost more in legal fees than one would be likely to obtain in a settlement. They're like unlocked gates that deter honest people from walking into somebody's back yard. When claims move up into the nosebleed multi-million dollar range, the rules change and the lawyers start mentioning "malicious intent," "willful negligence," and other things that render liability limitation useless. The simple fact is that if you publish any code, you're opening yourself up to liability claims if somebody experiences problems with it. That's the way the legal system works. Deal with it or keep your code to yourself.

I probably should stop reading comments on Slashdot.