
openstack team mailing list archive

Re: Do we really need a CLA? [was Re: Using Gerrit to verify the CLA]

 

On Wed, Jan 04, 2012 at 09:49:29PM +0000, Mark McLoughlin wrote:
> Hi Rick,
> 
> On Tue, 2012-01-03 at 09:02 -0600, Rick Clark wrote:
> > Hey Mark,
> > 
> > First of all, orthogonally, we are very lucky to not have Copyright
> > Assignment crushing this project.  That is what the management at
> > Rackspace wanted, only NASA's inability to sign such a document
> > prevented it.
> 
> Copyright assignment would certainly be worse than an Apache-style CLA.

I currently regard Apache-style CLAs as "worse" (scare quotes
intentional) than copyright assignment, since (1) they are essentially
equivalent to copyright assignment in the legal effect that seems like
it ought to matter to developers the most -- that is, under both
copyright assignment and an Apache-style CLA, the inbound party gets
to do whatever they want with the code contributed, yet (2) for
strange sociological reasons many developers tend to see copyright
assignment as bad but Apache CLAs as inherently benign. To put it more
simply, my concern is that Apache-style CLAs are deceptive in a way
that copyright assignment is not, given the well-established antipathy
to copyright assignment in open source development culture.

For an Apache-licensed project like OpenStack this is not too
significant, however. Just kind of perplexing.

> > IANAL, but I was told by lawyers when we were in the planning stages of
> > starting Openstack, that while in the US submitting code under the
> > Apache License 2.0 was enough to bind the submitter to it, that is not
> > the case in all countries.  Some countries require explicit acceptance
> > to be bound by it.
> 
> I've cc-ed Richard Fontana who I'm sure can comment on that.

Thank you, Mark, for the opportunity for a bit of a rant. I can't
resist talking about this topic. :)

I've heard many arguments in favor of formal CLAs and copyright
assignment and the like, but this may be a new one. It is not
necessary to consider the underlying legal issue, because the argument
collapses on its own logic. 

If it's important to have explicit acceptance to bind a contributor to
OpenStack to the license granted on the inbound contribution to the
OpenStack project (or whatever entity is acting as the alter ego of
it), it ought to be equally important to bind such project/entity
(Rackspace, OpenStack Foundation, the non-corporate collective of
individual OpenStack committers, whatever) in their offering of the
Apache License 2.0 outbound to any given member of the public
downstream from OpenStack. Yet when I download OpenStack code, I don't
get any such formal indication of binding assent from upstream. I
don't get any signed statement with a wax seal affixed committing the
upstream contractually to giving me the rights I'm supposed to be
getting under the Apache License 2.0. All I get is some software with
a text file containing a copy of the Apache License 2.0.

Now, I think that's perfectly fine, because that's how free
software/open source has always worked. Indeed it is a key part of why
it works. It would be strange if OpenStack did things any
differently. But if *that's* okay, why is it not okay for contributors
to OpenStack to have the same freedom to indicate their licensing of
contributions in a traditional manner -- namely, by merely
providing notice of the license (which might as well be the Apache
License 2.0)?  It doesn't make sense.

Moreover, anyone who thinks that open source is unsafe or unreliable
without a system of explicit acceptance by the licensor of inbound
contributions should immediately cease using it altogether, since 99%
or so of it was produced without any such system in place. Any
suggestion otherwise is dismissable, but I think it does some damage
to suggest that there's something unsafe about using an
alternate-universe version of OpenStack where the project did not make
use of a CLA, as it unnecessarily casts doubt on that 99 or so % of
open source software that is developed without such cumbersome
mechanisms, and indeed it casts doubt on the reliability of open
source licensing itself. Thus, by using an Apache-style CLA, OpenStack
is shooting itself in the foot.

There are other things one might mention, such as the fact that the
Apache License 2.0 ingeniously contains a built-in contributor
agreement of sorts already.

> > We have a bigger hole in the Corporate CLA, IMHO.  I have been told that
> > since it is necessary for a corporate signer to explicitly name their
> > individual contributors, and we have no way of updating the document,
> > openstack is potentially left open to a lawsuit, if an employee
> > unspecified in the CLA, contributes something they consider IP.  I
> > seriously hate all this legal stuff.

I sympathize...
 
> I'll leave that one for Richard too :-)

On this one, I'd just say that this degree of risk aversion is out of
place in open source. When has it happened that some company or
project was sued because of failure to add a name to a Corporate CLA?
Where are all these lawsuits brought by contributors to open source
projects?  

I hope it is of some value for OpenStack developers to at least hear a
gratuitous alternative legal viewpoint from whatever they have
previously heard on this topic.

Thanks,

Richard Fontana
Open Source Licensing & Patent Counsel
Red Hat, Inc.


