yah, this is a sticky point. This is one of those scenarios where I put the onus on the person more familiar with the process to inform others for these sort of nuances. Its one of those information asymmetry / familiarity problems. Maybe both were not well versed in the concept of coauthorship though to be fair and it didn't occur to either of them not knowing what they didn't know.
I suspect the maintainer never properly realized how much Co-authorship or authorship of the patch meant to the contributor (given that this was their first contribution), and that was probably informed by the size of the patch, the fact that the OP used their corporate email address and the fact that the patch was very small, required work wasn't properly formatted for immediate inclusion.
One thing I've learned from this thread is that as maintainer of a FOSS package, especially a popular one you are always going to get yelled at (to the point that people will make up reasons and put words in your mouth for yelling at you), no matter what you do. People are literally calling for the maintainer to leave.
My 'fixation' is that if you write a 1000 word angry blogpost attacking a kernel maintainer that you weren't properly credited that you could have at least submitted your patch properly formed. You seem to think that a sign-off is a formality, but it really isn't: it's to shield the kernel maintainers from copyright lawsuits by parties that surreptitiously include copyrighted code. It is a very important item on the checklist for a maintainer. You need to personally certify that you are able to make this particular contribution. See the LKML guideline for submitting patches that I've already linked to twice now.
Having that present would have likely increased the chances of this thing never happening in the first place by a significant factor. Almost every large open source project has their own quirky bits like that and as a newcomer you should at least read the documentation on how to contribute if you want to contribute, especially if that documentation is readily available and meticulously kept up to date.
Note that LKMS treats patches typically as proposals and not as must include verbatim or ignore and that by engaging the Linux kernel security mailing list a whole pile of mechanisms kicks in that remove options to play nice with newbie submitters and to help coach them through how to reach the state of the patch that would have been expected the first time around.
OP is aiming a pretty heavy handed attack on a kernel maintainer (a thankless job on the best of days), does so by misrepresenting their interaction in ways that matter and on top of that couldn't be bothered to read the docs.
I follow your point about the OP maybe not understanding some context and well it's just a hard lesson learned.
I don't follow your fixation on sign-off. I am familiar with the guidelines. Like I said, sign-off is clerical. Yes it's obviously important, but it's still clerical. Nothing you've said changes that.
I agree there's obviously a middle ground here where both the maintainer was acting in the best interest of the community to get a security fix integrated and where the first-time contributor was perhaps miss-attributed in the commotion and feels slighted but also can learn a lesson. I'm not one of those out there calling for a witch hunt to cancel the maintainer (honestly I don't know where to those people are, but I'll take your word that you've encountered a few of them).
Still, your fixation on "well Ariel didn't sign off on the commit so all's fair" is pretty dismissive of the work Ariel did to get to the patch. The bug was acknowledged and outstanding. This obviously wasn't something massively problematic or the original bug would have been fixed when it was reported (I guess maybe it was misunderstood and it really was serious, but I don't get that vibe), so I don't think we're dealing with a case of urgency trumping all human decency.
At the end of the day, Ariel is a contributor. No not someone who has privileged commit access to the software, but a contributor to the project nonetheless, whether a maintainer copy-pasted the work or not. And hopefully someone who will continue to contribute in the future. I hope Ariel can come to see it that way whether the maintainer tries to make things right, or even just apologize for the confusion, or not.
I don't read Ariel sharing his experience as an attack. I read it in his words as:
> Well, I certainly didn’t feel inspired to get involved with the kernel community again. On the contrary, I felt belittled and angry that my work wasn’t properly recognized.
> My first contribution to the kernel was a really frustrating and discouraging experience, dealing with people who do not think it’s important to get proper recognition for your work.
I, at least, hold the "lkml bureaucracy" to higher standards.
He choose explicitly to bring the Linux security mailing list into this and that changed the playbook considerably. That changes the situation from one where you can take your time to coach the new person to one where speed is of the essence.
Whatever work Ariel has done has been grossly negated by this attack piece, besides the fact that it omits and/or materially alters the nature of the interaction. At no point did the maintainer leave any doubt as to their intentions, nor was anything that happened unexpected. If you start off your career as a contributor to the Linux kernel by mailing the security mailing list then that requires you to do your homework because otherwise things will be out of your hands. If that was the OPs intention he would have done better to leave the security mailing list out of it and first strike up a conversation with the maintainer about what the best way to start contributing is (there are guides as well, but since he clearly wanted to target this particular subsystem that would have been a valid approach in my opinion).
It's an attack to me because (1) it mentions an exchange that names individuals and (2) it does so using some very expensive words ('robbery'). That's not the kind of accusation that you make lightly and in this case I think it is vastly misrepresenting what actually happened. You only have to read the responses in this thread to OPs misrepresented account to realize how much effect such a thing can have.
What happened is that someone new chose a wrong and ultimately broken way to submit a patch to LKML and that the maintainers did their best to get maximum mileage out of it without wasting time on formalities. Note that these are pretty busy people, to put it mildly and by mailing the security list you've just made them that much more busy still (even though, technically the patch was an improvement it still required work that then ended up becoming high priority).
As for Ariel being a contributor: according to LKML he submitted a proposed patch that needed work, wasn't properly signed off and according to the git commit log he created a report. That's the extent of it, and that's fairly accurate given the standards for these things.
If you want to argue that those standards need work then you may well have a point. But within the current framework this all was 'business as usual' and totally expected.
I'm not arguing with any established contribution process. I'm arguing with your interpretation of this entire issue because it's plain and simply uncharitable and wrong and furthermore doesn't come from any position of authority. You've littered the entire comments section with your snooty attitude and it really doesn't progress the dialog one bit. More importantly, it's not how a community should treat contributors which is why I'm even commenting in the first place. I can handle internet divas being pathetic asshats on HN when it's only hurts themselves. I can't handle the same at the expense of a well-meaning contributor who put in hard work to fix an issue that makes the kernel better for everyone and especially where it involves spreading blatant misinformation about how the kernel community supposedly is allowed to treat people, and takes liberties with IP law.
I even tried to reach a middle ground understanding and you've doubled down asserting that there's no world in which the author's lived experience can be valid because he didn't initially add a signed-off-by line. If you actually read the post, the author spends most of the time describing the issue and the fix. He takes maybe 5 sentences to explain how he didn't feel like his contribution was accepted in a considerate manner and it's discouraged him from making further contributions. It's not some grand 1000 work attack and if anybody has the thick skin to withstand one of those it's the goliath of the LKML.
Anyway, the author pretty explicitly states that he did go back and forth with the maintainer privately and provided a fixed up patch which addressed feedback he'd received on the first patch (presumably with a signed-off-by line, now) and the maintainer still didn't want to give credit. You've conveniently ignored this part of the narrative entirely. This really discredits your whole "it was a quick security list issue and wasn't even formatted properly lol this guy obviously deserves no respect for engaging the security list and generally being a noob" angle.
Everything that we know points to the contributor trying to act responsibly by engaging the security list first since they didn't know the security impact of a possibly major security issue (overwriting the stack of a traced process). I completely fail to understand your logic whereby doing so means the OP obviously fucked up and deserves to have his contribution belittled and stolen and that's just life on the LKML... seriously I think it's time you just admit you're in the wrong here and stop shit posting.
We've already been through the whole "you shouldn't need to have thick skin and tolerate insults and disrespect to contribute to the linux kernel" as a community. Linus even took a leave of absence over this shit. Your stance that this stuff is acceptable and par for the course is no longer the status quo. Grow up.
Not adding much to the conversation with my comment here, but I'd like to thank you for calling jaques out on their attitude.
I've been trying to browse this thread and before I started checking usernames I got the the impression that there's a whole world of maintainers who think it's acceptable to be disrespectful to people spending a lot of time and effort on trying to contribute.
It turns out it's just a few (very prolific) people creating a lot of negative noise across the thread. Thank you for stepping up.
FWIW, that "Signed-off" gate isn't as solid a shield as one might want.
If someone put the work in to identify a bug, contributed a fix, and that fix wasn't accepted but another fix inspired by the previous fix was accepted... That could be plagarism.
Burden of proof is on the plaintiff to prove the fix was inspired by the RCA and proposed fix, of course, but this isn't exactly a clean-room work and kernel maintainers should probably be careful about taking ideas without signoff on the lead-in side too. There's a reason Marvel et. al. in the publishing world can't accept new character concepts.
The purpose of DCO is to move the guilt of plagiarism etc from the Linux kernel project to the individual contributor who added the Signed-off-by line.
Indeed. What I'm saying is it might not work to remove that guilt if a bug is reported and a solution presented, and then instead of incorporating the solution presented the kernel team (without DCO in hand) fixes the bug using code that looks suspiciously inspired by the provided solution.
This is murky enough that it would have to be decided in the court of law, but it's not cut and dry enough that it would be immediately thrown out of that court of law.
