openstack team mailing list archive

Thread
Date

Re: Do we really need a CLA? [was Re: Using Gerrit to verify the CLA]

To: Mark McLoughlin <markmc@xxxxxxxxxx>
From: Rick Clark <rick@xxxxxxxxxxxxx>
Date: Tue, 03 Jan 2012 09:02:14 -0600
Cc: OpenStack Mailing List <openstack@xxxxxxxxxxxxxxxxxxx>
In-reply-to: <1325593374.15629.41.camel@sorcha>
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:9.0) Gecko/20111229 Thunderbird/9.0

Hey Mark,

First of all, orthogonally, we are very lucky to not have Copyright
Assignment crushing this project.  That is what the management at
Rackspace wanted, only NASA's inability to sign such a document
prevented it.

IANAL, but I was told by lawyers when we were in the planning stages of
starting Openstack, that while in the US submitting code under the
Apache License 2.0 was enough to bind the submitter to it, that is not
the case in all countries.  Some countries require explicit acceptance
to be bound by it.

As far as changing anything about the way the CLA works, until we have a
foundation, the discussion of which seems to have stalled, we, as a
group, have no real authority to change anything.

We have a bigger hole in the Corporate CLA, IMHO.  I have been told that
since it is necessary for a corporate signer to explicitly name their
individual contributers, and we have no way of updating the document,
openstack is potentially left open to a lawsuit, if an employee
unspecified in the CLA, contributes something they consider IP.  I
seriously hate all this legal stuff.

Cheers,

Rick

On 01/03/2012 06:22 AM, Mark McLoughlin wrote:
> Hey,
> 
> I'm not sure whether this has been discussed recently, but do we really
> need a CLA?
> 
> I had a long discussion with Richard Fontana about the Apache CLA in the
> context of another project and I came away from that convinced that the
> Apache CLA is fairly pointless.
> 
> Compare the CLA to the Apache License 2.0 - there's a couple of fairly
> minor, arbitrary differences but, on the whole, they're the same. So,
> the CLA is effectively just the contributor granting OpenStack LLC the
> contribution under the Apache License 2.0.
> 
> There are other ways to go about this:
> 
>   - Put in place an assumption that anyone contributing to the project 
>     (e.g. by pushing to gerrit) are contributing under the existing 
>     license of the project.
> 
>   - Follow the kernel's approach of making Signed-off-by: in each mean
>     that you are contributing (and have the right to contribute) the
>     code under the existing license of the project (http://goo.gl/lRhmQ)
> 
>   - Have a contributor agreement which explicitly says "I am the 
>     Copyright holder and submit my contributions under the Apache 
>     License 2.0"
> 
> Each of these schemes are used elsewhere and have significant advantages
> over the current CLA scheme - e.g. less bureaucracy, not as scarey to
> new contributors, less chance of the CLA being confused with copyright
> assignment, etc.
> 
> Cheers,
> Mark.
> 
> 
> _______________________________________________
> Mailing list: https://launchpad.net/~openstack
> Post to     : openstack@xxxxxxxxxxxxxxxxxxx
> Unsubscribe : https://launchpad.net/~openstack
> More help   : https://help.launchpad.net/ListHelp

Attachment: signature.asc
Description: OpenPGP digital signature

Follow ups

Re: Do we really need a CLA? [was Re: Using Gerrit to verify the CLA]
From: Mark McLoughlin, 2012-01-04
Re: Do we really need a CLA? [was Re: Using Gerrit to verify the CLA]
From: Lloyd Dewolf, 2012-01-03

References

Using Gerrit to verify the CLA
From: James E. Blair, 2011-12-30
Do we really need a CLA? [was Re: Using Gerrit to verify the CLA]
From: Mark McLoughlin, 2012-01-03