I’m not worried about that part, and I’ve never expressed concern about it. I’m concerned about either requiring real names, with the legal baggage that comes with that, or allowing nicknames, in which case there’s no point in signing anything, regardless of intent.
Say for instance a Bad Actor who doesn’t like Blender decides to submit a patch of proprietary code from Software A and claim it’s GPL, using the “real name” Gordon Matthew Thomas. Then, Software A sends a legal notice to the Foundation demanding that the proprietary code be removed and damages paid.
If the real name policy stands, the BF will go after “Gordon Matthew”, who doesn’t exist, and will be up a creek without a paddle. If the nickname policy is used, the BF can’t go after anyone, so they are… up a creek without a paddle. So, the CLA contributed exactly 0 legal protection.
If the real name policy is enforced with verification, this situation couldn’t happen, but now you have all the problems that come with that PII, which I’ve beaten to death already, so I won’t reiterate. In that case, the CLA still offers 0 legal protection but has also introduced new legal problems.
So if the CLA doesn’t offer any protection, what’s the point? To verify that code is GPL? The current process already does that. Except it doesn’t: the Bad Actor scenario above could still happen right now, tomorrow, and nothing would be different with or without the CLA.
So it doesn’t stop bad actors. It doesn’t verify code integrity. It doesn’t provide any security or relevant information different from what is already there. What am I missing?