Fedora-Council/tickets ticket #471: Fedora Council needs to own FE-Legal

@ngompa filed Fedora-Council/tickets ticket #471. Discuss here and record votes and decisions in the ticket.

Ticket text:

FYI, I’m lifting FE-Legal on RHBZ#1942132 after @catanzaro’s comment in the bug. I do not believe there’s anything worth blocking on and we’ve been waiting for far too long (the package review itself started in 2021!)

I’m sorry that this has been frustrating, @ngompa.

My first thought is that this seems like a responsibility squarely under liaising with Fedora Legal. A Council member who is not employed at Red Hat is not going to be solve this as easily as a Council member who is.

So, instead, I think the ownership should fall to one of the appointed Fedora Council seats, i.e. Project Leader, Operations Architect, Community Architect. Ownership here likely mean liaising with Fedora Legal who can unblock these requests in Bugzilla.

I agree, it makes sense. I would further suggest that it would fall either under Project Leader or Operations Architect roles. Both of those roles have some alignment for “greasing the wheels”, so to speak.

I might have picked different words, but I agree with Neal here. The current situation is really frustrating for packagers. Things are blocked on legal review for months on end, and if we do get responses, they are often not actionable at all - requiring another months-long round-trip-time for another response (if any).

Another example where I waited for six months and only got an actionable response after asking if my suggested workaround is OK for a third time: Permissibility of P-434 based elliptic curve in Fedora - legal - Fedora Mailing-Lists

I can also confirm that the issue that originally caused be to open #408 is still unresolved. The effort to package the Wasmtime WebAssembly runtime has been abandoned long ago because of it, even though all that would’ve been needed was a simple “yes this is OK, not copyrightable” or “this is copyrightable and upstream should choose a license for it” response … (and all I got was this non-response).

PS: In my old ticket, @mattdm pointed out that getting things moving on FE-Legal stuff would be his responsibility: https://pagure.io/Fedora-Council/tickets/issue/408#comment-809611 - there was apparently some discussion about changing this process, but as far as I can tell, it was decided to change nothing.

PS: In my old ticket, @mattdm pointed out that getting things moving on FE-Legal stuff would be his responsibility: Issue #408: Is the FE-Legal tracker bug being monitored at all? - tickets - Pagure.io - there was apparently some discussion about changing this process, but as far as I can tell, it was decided to change nothing.

We actually had some progress on this, not involving blocking on me^[1]. But I (and the rest of the Council) do need to take responsibility for making sure that works and stays working.

This shouldn’t have taken so long to get a response. I’m sorry about that. Often, a slow response actually means that something significant is happening in the background, which was the case with this ecc question too. But that shouldn’t be indistinguishable from “no one is looking at this”.

1. which is usually a bad idea ↩︎

Hi, a few comments:

• I personally have never liked how “FE-Legal” has been used.
• Often the most difficult FE-Legal issues are questions of third-party patent risk. I am not involved in advising Red Hat on such issues directly. Red Hat’s patent team has had some significant personnel changes over the past year. Both the patent SME expert and their manager, the head of IP, left. There is a new head of IP and a new patent SME who is still sort of getting up to speed.
• I am not sure that it is a good idea for patent risk issues to be the basis for an FE-Legal block in the first place (such issues are obviously important and need to be resolved but I think there may be a better way of enabling such issues to be raised and resolved).
• Regarding @decathorpe’s comment on the wasmtime issue, I get that you are angry because you keep bringing this up from time to time but I am not sure what I should have done differently. The questions raised in the bugzilla were (to me) pretty confusing – again going to this not being the best medium for dealing with these kinds of problems even where I feel authorized to do so. You don’t care that there is a policy problem with CC0, but I do. I don’t consider it an open source license and I feel personally responsible for encouraging its use (particularly in Fedora) several years ago. Ignoring this policy issue has led to some significant problems around standards development and ‘open-washing’. You closed the ticket before I could act further on it.
• In Bugzillas that block on FE-Legal, the legal issue or problem is often not clearly framed. It’s often more like “I feel there may be a legal problem here”. That makes it difficult if not impossible for “Fedora Legal” or the Red Hat legal team to take any action on them.
• I have notified Jilayne and John Whetzel (Red Hat’s new-ish patent lawyer) of Neal’s disposition of RHBZ #1942132. I have no opinion on that but if anyone can lift FE-Legal then I am not sure why we speak of it being “officially lifted” in Fedora Legal Resources :: Fedora Docs and maybe we should just remove that from the Fedora legal documentation.

@ref I spoke to @amoloney about this (in her role as Fedora Operations Architect) — let’s schedule a meeting sometime soon to figure this out.

I think @ngompa. has some valid requirements, but they might not be as achievable as we would all like and/or hope. An SLA (Service Level Agreement) is probably too high a bar to meet on ticket turnaround time, but an SLE (Service Level Expectation) should be within reach. Im happy to serve as a point of contact for those who file a ‘fedora legal’ ticket to reach out to and assist in tracking those requests so the requestor is kept informed of the tickets progress, and triage those tickets appropriately, in consultation with perhaps Richard, Jilayne and John where and when needed.

I’m missing a wealth of context Im sure, so I look forward to learning more about this process and working with those who are and/or should be involved to come up with a proposal for a meaningful plan of action to address this obviously frustrating gap.

(The issue with CC0 perhaps merits a separate breakout discussion. I’m extremely surprised to see this license no longer accepted for software in Fedora, and I wonder about the scope of the consequences. Does it require removing a huge number of packages? Is there a very strong reason for this explained somewhere?)

This is very surprising.

Fedora Legal should probably at least respond and say this, rather than ignore the packagers?

Ideally only Fedora Legal would lift the FE-Legal tag, but we seem to have consensus that the intended process has completely broken down and can no longer be followed.

In this specific case, the intel-media-sdk package review is blocking hardware acceleration support for non-encumbered codecs. There is no clearly-framed legal concern and not even a hint that there may be a legal problem; instead, it was tagged for legal review to be conservative because of the high-risk nature of packages that implement multimedia codecs. In theory the encumbered codecs are all disabled, so it doesn’t even rise to the level of “I feel there may be a legal problem here.” It would certainly be prudent for Fedora Legal to review it to make sure there are no mistakes, because Red Hat has historically been especially concerned about multimedia codec risk, but review is not required if Red Hat does not wish to do so. In any case, this package is too important to block on any longer and removing the FE-Legal tag was reasonable.

Basically it looks like Fedora Legal has completely ghosted the packagers in this and many other scenarios. When Fedora Legal does not respond, Fedora packagers with no legal training who often do not even work for Red Hat wind up making IP risk decisions for Red Hat on their own. This won’t be the last time it happens.

I’m sorry, but it really sounds like we’re talking about different things here? I don’t have a problem with the decision to no longer consider CC0-1.0 to be an acceptable license for code.

The content in question was distributed by the upstream project under no specified license, which was why it was flagged as potentially being copyrighted. Explicitly licensing it as CC0-1.0 was only suggested by somebody else in the upstream project (not me!), and that never even happened - and the project was also informed that CC0-1.0 is no longer considered a good license for code.

So the current status of that project is the same as ~2 years ago - the project still distributes this content without any license terms attached to it. And there’s not even consensus yet if those interface descriptions even count as “code” or “content” or whether they are copyrightable in the first place …

This is why “CC0-1.0 is no longer considered an acceptable license for code” as a response on the BugZilla didn’t make any sense to me, as it doesn’t even apply to the status quo, and was not at all actionable - neither for me as the packager, nor for the upstream project.

Side note I guess but it may be worth acknowledging finally that there really is no such thing as “Fedora Legal”. Historically, “Fedora Legal” was a sort of moniker that Tom Callaway used, and it was mostly understood (I thought) to be distinct from “Red Hat Legal”. I think we may have made a mistake in continuing to indulge in the use this term after he left Red Hat and ceased being involved in his historical Fedora Legal work. I believe we have since then used this term (sometimes it’s “the Fedora Legal team”) to refer to an unnamed set of individuals who are sometimes me, sometimes me along with some other people, and sometimes people other than me.

OK, I don’t remember everything that occurred but maybe I assumed that not every comment in a Bugzilla has to be actionable. I was probably trying to indicate that if they used CC0, that would be problematic given that we had reclassified CC0 as “not allowed” for code.

Yes, this was announced on legal@lists.fp.o and devel@lists.fp.o in July/August 2022 and was (somewhat to my surprise) covered quite a bit in the tech press. It does affect a large number of packages in theory but we’ve been dealing with this through the formation of pragmatic exceptions to the rule. The notion of exceptions to general Fedora license policy was something that hadn’t really existed prior to last year.

Originally, it referred to “Fedora Extras” legal evaluation, which was apparently quite necessary in the beginning as Red Hat Linux and Fedora Linux^[1] projects merged into the Fedora Project containing Fedora Core (RHL) and Fedora Extras (the old Fedora Linux project).

This is by design. It has been distinct from “Red Hat Legal” because that function was managed by Tom Callaway because Red Hat Legal didn’t want to staff it or care about it, as I recall^[2].

1. The original one was not a Linux distribution, confusingly enough… ↩︎

2. He gave a talk about this at FOSDEM 2017, which was quite fascinating overall ↩︎

I guess it doesn’t matter at this point, but this is not accurate. The Red Hat Legal team supported the creation of an official Fedora-Legal sort of role, corresponding to the de facto role created historically by spot (maybe you’re talking about really ancient history, though). Given budget constraints it was not feasible for such a role to exist within the legal team but we tried unsuccessfully to get Red Hat Engineering and the Red Hat OSPO to fund the role.

This is way off the core topic, but originally, I was approached by the Fedora leadership and asked to work to address the outstanding legal challenges that were not being dealt with. I went to Red Hat’s Legal team at the time, who provided feedback initially, then expressed that they did not have the staff nor the time to work to address “common and obvious” issues. They then empowered me to make those decisions, and I escalated to the Red Hat Legal team for things that were not “common and obvious”.

Later, Red Hat did investigate making this “address Fedora Legal issues” work into a full-time role, but decided not to do so.

Hi folks, is there anything else to drive forward on this topic? I have a recollection that @amoloney is monitoring the FE-Legal tag and is acting as a liaison for legal issues when they need an escalation. Is this recollection correct?

I believe the original context which drove this issue into discussion has been resolved. I am not sure if there is further action for the Council to take at this point. I suggest closing this ticket as fixed.

Well, there’s still the question of actually having formal ownership going forward. This needs to be codified.