Re: Can I have a package with no real name of upstream maintainer?
On Wed, Sep 29, 1999 at 07:07:07PM +0200, Henning Makholm wrote:
> Christian Surchi <firstname.lastname@example.org> writes:
> > I have a package (tkpgp) from munitions.vipul.net archive and the
> > upstream maintainer wants to distribute only his email and his
> > nick. The program is GPL. Can this package stay in Debian, without
> > real name of author in debian/copyright?
> An interesting question. Personally I'd doubt it: what sort of
> guarantees do we have that the anonymous guy who claims copyright
> really has copyright?
This is a bad situation.
I'm assuming the tkpgp maintainer wants to remain anonymous because
distributing tkpgp might place him in violation of export laws in his home
> A concrete scenario: by the time J. Random CD Manufacturer has
> pressed 100.000 sets of Potato disks, somebody stands forward and
> asserts the copyright to the package, demanding that he be paid
> a humongous license fee or the disks are destroyed. Now, who can
> JRCM sue for making the false claim that the program was GPL?
Here in the US, we name a pseudonym like John Doe in the initial filing.
Then legal tools (subpoena, court order, etc.) are used to determine the
true identity of the anonymous offender.
> If the identity of the upstream maintainer who claimed GPL was
> known, things would be relatively easy - the culprit can be held
> responsible, and even if he's nowhere to find Debian has acted in
> good faith and made any reasonable effort to identify the sources
> of the rumors we act upon.
The ideal thing for the author of tkpgp to do in this case would be to
assign the copyright of tkpgp to the Free Software Foundation under the
condition that they keep his identity a secret.
> However, if Debian started accepting code based on anonymous hearsay
> that whoever wrote this means it to be under GPL, and a scenario
> like the above came true, Debian's general reputation would go way
Yes. It would be unwise to rely on the author's word alone. Perhaps there is
some way he can provide some evidence that he is the author without
revealing his identity?
PGP timestamp servers would be an excellent way of showing the progression
of development and proving that a given document or program was in existence
at a certain time in order to be signed by the author and the timestamp
server, but this is not something that can be done retroactively. In this
case, the author would have the first and only copy in existence immediately
after creating it by nature of the author, and thus would be able to produce
the oldest signed and timestamped version of the program. Like a notary mark
on an engineering notebook, it would prove them to be the first
> However, it is another question if the anonymous maintainer simply
> maintains code that some earlier author or maintainer (who was a real,
> identifiable person) put under the GPL.
In this case, it's a bit more safe because we're assured the program hasn't
been stolen wholesale. But it's still more difficult to make someone
accountable if he's snagged a few functions from a proprietary codebase and
incorporated them into his program. Nobody wants to sue a pseudonym, so
they're very likely to point the finger at someone else who's not
responsible but somehow connected to the incident -- like Debian/SPI or the
I'm not a lawyer, but I hear the Free Software Foundation has a few good
ones working for them. I'm sure they'd see to it that everything was taken
care of if the author of tkpgp was to assign his copyright. It is probably
worth looking into.