Trademark and binary publishing

[Sebastien Lambla]

 Hey guys,

I've had to do something today that I really don't like doing, and take down some packages that randomly appeared on nuget with openrasta binaries.

The reason for the take-down is that I have no idea whatsoever what those packages contained, which versions they were built from, or if they were even taken from out source code.

We have to have some rules about publishing things that are related to OpenRasta and OpenWrap. I don't want to have a say in most things you guys build on top of those systems and certainly don't want anyone to publish binaries based on those frameworks, that'd be silly and counter-productive.

I do however want to make sure that when a package that is called OpenRasta and OpenWrap shows up on any repository, be it symbolsource or nuget, people can have the confidence that the stuff we publish is from us, with the guarantee that the binaries come from our source code, with the quality stamp that people would expect from a project that we build.

I have used the trademark that we have on OpenRasta for that take-down, as it was registered exactly to be able to react to those circumstances.

So here's my question to the community. We need clear rules to separate official packages and whatever people build on top of them.

I have a couple of propositions on how we could do this, but i'd like to hear what you think first so i don't skew anyone's creativity in the process.

Please do speak out.

Seb

[Marcin Mikołajczak]

Hi,

I've only skimmed over the Twitter discussion you've had, so I don't really know what degree of DMCA-ishness was necessary for this. But in general, I'm with you. Something that is published with a certain well-known project name or author should come from that trusted source. It's obvious noone other than you should publish under the openrasta username. It's a bit grayer with project names, but since they need to be unique, you can't have two authors publishing the same thing.

This is actually one of the reasons we started SymbolSource. We hate doing our own builds of stuff to enable debugging, we want to use the official binaries that came from project authors. 

If someone wants to publish their own build, why don't they do it under a different name. We've had this discussion internally when we needed to tweak Microsoft.Cci, and we'v ended up packaging it under SymbolSource.Microsoft.Cci, with an appropriate package description. I'm not sure this is 100% trademark-happy, but at least it's totally fair to the users.

Cheers,

Marcin

[Ruben Vandeginste]

I completely understand the reason for the take-down. It really looked
like an official package that was coming from you, while it wasn't.
I think the long-term solution for that is using signed packages, so
that it can always be verified who built a package.

It would be good manner to rename "unofficially (re)packaged" packages
to make it clear that it is not an official package. One can then
still easily use "overrides" to specify explicitly that one wants to
use the unofficial package instead of the official one. Another thing
that might be interesting is a "Publisher" field included in packages.
The "publisher" would then be a global setting in openwrap (probably
name with email address), and each time one builds a package, the
"publisher" field should automatically be filled in.

Related to that, do you expect to have one "official" openwrap
repository, where you also allow other people to upload "official"
packages? So that there is a central place where people can find which
open-source projects are already available as official openwrap
packages?

Ruben

On Mon, Oct 31, 2011 at 2:33 AM, Sebastien Lambla <s...@serialseb.com> wrote: