1. 29
    1. 28

      There’s a simple solution to this:

      1. Create a Google account
      2. Send a PR
      3. Agree to the CLA
      4. Have the PR merged
      5. Send a GDPR notice to Google requiring that they delete all PII associated with the Google account and close it.

      Repeat this process for every single patch that you submit. Eventually, Google’s compliance team will either bankrupt the company or come up with a better process.

      There’s also a plan B solution that works well for me:

      1. Don’t contribute to Google-run open source projects until they learn how to work with the community.
      1. 8

        You say “the community” as though there is just one, or that it is a well-defined term.

        We have a large community of Go contributors from outside Google that we do work well with. It so happens that these people all have created Google accounts to log in to Google-run web sites - including our code review site go-review.googlesource.com - much the same way I have to create a GitHub account to post on Go’s issue tracker. We may be losing out on contributions from a few people, perhaps yourself included, who for one reason or another cannot create such an account. That’s unfortunate but hardly the common case.

        1. 5

          How can you measure the number of folks who would contribute if there wasn’t a silly requirement to make a google account vs the number of folks who did in order to contribute? Sounds an awful lot like a survivorship bias.

        2. 1

          Even Apple is able to interact with the open source community better than this

      2. 6

        Becoming a contributor […] Step 0: Decide on a single Google Account you will be using to contribute to Go. Use that account for all the following steps and make sure that git is configured to create commits with that account’s e-mail address.


        I guess you’re not supposed create multiple accounts. But I do think your suggestion is clever.

        1. 3

          I guess you’re not supposed create multiple accounts. But I do think your suggestion is clever.

          The solution does not require multiple accounts, assuming each is deleted after use.

      3. 6

        I don’t think this really works. It also requires you to have a phone number to create a Google account in the first place. So people without phone numbers are effectively banned from contributing.

        1. 7

          Indeed, new Google accounts requiring a phone number is the worst aspect. Virtual phone numbers may not work.

          1. 3

            Wait until they ask you for a scan of your ID when you send them a GDPR request.

          2. 1

            Which means contributing to Go (and presumably other google projects?) requires giving Google your phone number as well? In addition to the various “you give up your right to ever sue us if we break the law” contracts?

            1. 1

              If I remember correctly, it only needs the number to register, and you may use an anonymous burner SIM, if you can buy one in your country (more and more countries are banning this). It is a nuisance in any case.

              1. 1

                “It only needs a number to register”: I don’t want thinks it’s reasonable that I should have to give Google - the advertising and surveillance company - my phone number when I already have an email address, a couple of alias addresses, and now things like iCloud that provides automatic alias addresses whenever you need them, etc.

                There is no justification for requiring your email be from a specific provider, unless you want to do more than simply email the account. I feel a little conspiracy nutter saying stuff like that, but we’re talking about a company that has been caught, and sued, and lost, for intentionally circumventing privacy measures. That has repeatedly attempted to tied a browser’s state their platform’s identity mechanisms, and then automatically share that information with sites, periodically “forgetting” a user had opted out of that, and relinking the browser’s identity.

                I respect many of the engineers working at Google. But I do not, and will not ever trust them. They’ve demonstrated that they are not trustworthy on far too many occasions for it to not be a systemic problem.

      4. 3

        They’ve almost certainly streamlined the account deletion process to the point where the handful of developers doing this would add almost no appreciable burden to Google.

      5. 1

        Let’s automate this process~

    2. 12

      I’ve actually had some very reasonable patches that I didn’t submit because of this.

      This is not under the control of the Go team.

      Whose control is it under? I don’t like it when people say that “it can’t be done”. It can, there is a difference between “can’t” and “we don’t want to”.

      1. 3

        It sounds like it’s a requirement for all Google projects, so whoever at Google is in charge of open-source.

    3. 7

      I don’t see a difference between this and contributions to most other projects requiring a Microsoft (GitHub) account.

      1. 5

        you don’t have to have a @outlook.com account to contribute to projects on microsoft github.

      2. 5

        I think the point is that since Google develops both their email service and Go, they are the first party in both situations and have total control over whether this is required. If you were contributing to microsoft/dotnet on GitHub it would be the same situation, but most developers on that code hosting site are not Microsoft and don’t also control the account requirements.

    4. 17

      Or, don’t use Go.

      There’s plenty other programming languages out there. And, I see Google giving its mark here as a net negative, not a positive. Perhaps in the past, Google was cool. Not anymore.

      1. 11

        Note that using Go does not require a Google account. Only contributing code to the Go project does.

        1. 12

          Pretty sure that’s not how anyone hoped free software would pan out.

          1. 4

            I really don’t understand this comment. Requiring you to sign away or otherwise give up legal rights in order to contribute is a long-standing tradition of Free Software projects. I’m sure the FSF would officially condemn this, of course, but in a “well, it’s OK when we do it because we have the best interests of Free Software at heart” way rather than anything constructive.

            1. 7

              Leaving aside the issue of CLAs, what I meant was: I don’t think that anyone had hoped that contributors would have to sign up for an account with an advertising / surveillance company in order to contribute.

              1. 4

                The problem is that the hard uncompromising stance on never having a Google account, or any other major federated-identity-provider account, is no less and no more valid than a hard uncompromising stance on never signing away one’s rights to one’s own work. So it’s very hard to frame one as OK and the other as not OK in a way that stands up to scrutiny.

                1. 2

                  I wasn’t attempting to frame it that way at all; I was disregarding CLAs as off-topic.

                  But to bring them into scope - why do you consider them a package deal? I’d have said they were entirely separate, though valid, concerns.

                  1. 4

                    The thing is that the FSF historically didn’t just require a CLA giving them permission to use your contribution; they required a full assignment of copyright. They claimed it was done for good reasons, but that’s a line some people weren’t willing to cross just to contribute to a project.

                    That is the source of the analogy here: I’m sure Google has an argument that requiring a Google account is done for good reasons, but that’s a line some people aren’t willing to cross just to contribute.

                    And my point is thus that this phenomenon — of being required to give up something one considers too precious to give up, “just to contribute” — is not new, and in fact has previously been done by the literal Free Software Foundation. So lamenting “that’s not how anyone hoped free software would pan out” does not make sense to me.

                    1. 1

                      No, but the phenomenon of having to create an account with an advertising / surveillance company that then explicitly prevents logging in using the majority of free software web browsers, is new.

                      1. 2

                        I’m not trying to be mean here, but what you’re really saying is: “People who didn’t want to assign copyright have trivial concerns that don’t matter, and excluding them from all projects of the Free Software Foundation was acceptable; people who don’t want to have a Google account, however, have valid concerns that do matter, and excluding them from the Go language’s project is not acceptable”.

                        If it does sound mean, that’s because it’s surfacing some things that maybe were never looked at critically before.

                        1. 1

                          Ah I see - no, I think the FSFs requirement around copyright assignment is wrong too. Neither is really a good model for collaboration IMO.

              2. 1

                Funny, I read it as being upset about the user versus leech versus developer split.

            2. 1

              Certainly the FSF has a long history a demanding they get ownership of uncompensated contributor’s IP, but the FSF is not the only community.

              Outside of the FSF, the majority of major opensource projects don’t steal contributor’s IP. One of the big things such IP theft allows is changing the license in future: If there’s only one owner for all the code, that owner gets free reign over the license terms.

              1. 2

                I was replying to someone who seemed to lament that ideals of Free Software we’re not being lived up to. Pointing out that the supposed steward and paragon of Free Software required people to sign away their rights seemed appropriate.

                1. 1

                  I was lamenting that - but also think that the FSF also got it wrong, just in a different way. Perhaps it was a misunderstanding; my desire to disregard CLAs wasn’t because I support them, but because I thought it was off topic.

                  To be super clear, when I talk about free software I don’t mean Free Software ;-P

              2. 1

                Allowing one party to unilaterally change the license of a project can also prevent an impasse. For example, I want to develop an add-on for a program that’s licensed under the GPL 2. I may also eventually contribute to the core of that program. As part of this work, I want to use a library that’s licensed under the Apache 2.0 license, which is incompatible with GPL 2. Neither the GPL-covered program nor the Apache-licensed library require copyright assignment for contributors, so changing the license of either is likely to be impractical. So it’s likely that I’ll have to make a suboptimal technical choice to avoid a license incompatibility. That just feels wrong. Of course, I know that’s a minor problem in the grand scheme of things, but it still feels wrong.

    5. 1

      That’s a weird hill to die upon. What’s wrong with creating a gmail account with the minimum required info and using it just for that? Do you even have to provide real info?

      Are you equally offended when you need to create a Stackexchange account to post Cc-By-Sa content on Stackoverflow?

      1. 2

        It is reasonable that I should need an account on your project’s bug tracker.

        It is not unreasonable that that account should be email address based - after all that’s the primary mens of contact in many cases.

        It is absolutely unreasonable that I should have to also create an email account, on google’s own email service, in which they demand a pile of personal information.

        It is unreasonable that they should require you create another account for their primary tracking platforms. Remember, Google IDs are used for unique tracking across every site with analytics, Chrome routinely “forgets” settings and logs the browser itself into your google id.

        Given the actual business use for Google IDs, and their interest in pulling people into their mail system, it isn’t reasonable for Google to demand people inflict that on themselves.

        Obviously people can always choose not to contribute, but it’s so stupid for that to be the required option.

        Look at everyone* else: Plenty of projects use GitHub for project sources and bug DBs, etc and interacting with a GitHub hosted repo or bug DB requires a GitHub account. But a GitHub account doesn’t require you adopt a Microsoft account as well.

        That’s what people have a problem with. Google already has a horrendous track record with user and data privacy, despite that, they still have some good projects that people want to contribute to, but then they require you to submit to then tracking and abuse infrastructure to do so. For no reason.

        It just seems unnecessary.

        • I said everyone and then realized I can’t think of any other project hosts that are subsidiaries of other companies?
        1. 1

          I am on board with refusing to use a Google email to contribute to a project. However, in this case, it is to contribute to golang, a project that is created and led by Google, and to which every accepted contribution is, in effect, free labor to the benefit of Google.

          That doesn’t add up to me.

          1. 1

            Any contribution to to an open source project has a “cost” - you have committed time, energy, etc creating whatever it is you’re contributing. You’re generally ok providing that free labour, so other people can use/benefit from your work.

            What is happening in cases like this (and I include the FSF IP theft) is you are actually being charged to contribute. That is where it has become a problem. Google demanding you use their unrelated services, which have mandatory contract terms that surrender even more rights, and that are primarily designed to support surveillance, is a very heavy price to provide them with your own labour.