openstack team mailing list archive

Re: Do we really need a CLA? [was Re: Using Gerrit to verify the CLA]

 

That was a refreshing perspective, Richard -- thanks for taking the time
to write that for us. This one's a keeper.

d

On 05 Jan 2012 - 14:11, Richard Fontana wrote:
> On Wed, Jan 04, 2012 at 09:49:29PM +0000, Mark McLoughlin wrote:
> > Hi Rick,
> >
> > On Tue, 2012-01-03 at 09:02 -0600, Rick Clark wrote:
> > > Hey Mark,
> > >
> > > First of all, orthogonally, we are very lucky to not have Copyright
> > > Assignment crushing this project.  That is what the management at
> > > Rackspace wanted, only NASA's inability to sign such a document
> > > prevented it.
> >
> > Copyright assignment would certainly be worse than an Apache-style CLA.
>
> I currently regard Apache-style CLAs as "worse" (scare quotes
> intentional) than copyright assignment, since (1) they are essentially
> equivalent to copyright assignment in the legal effect that seems like
> it ought to matter to developers the most -- that is, under both
> copyright assignment and an Apache-style CLA, the inbound party gets
> to do whatever they want with the code contributed, yet (2) for
> strange sociological reasons many developers tend to see copyright
> assignment as bad but Apache CLAs as inherently benign. To put it more
> simply, my concern is that Apache-style CLAs are deceptive in a way
> that copyright assignment is not, given the well-established antipathy
> to copyright assignment in open source development culture.
>
> For an Apache-licensed project like OpenStack this is not too
> significant, however. Just kind of perplexing.
>
> > > IANAL, but I was told by lawyers when we were in the planning stages of
> > > starting OpenStack, that while in the US submitting code under the
> > > Apache License 2.0 was enough to bind the submitter to it, that is not
> > > the case in all countries.  Some countries require explicit acceptance
> > > to be bound by it.
> >
> > I've cc-ed Richard Fontana who I'm sure can comment on that.
>
> Thank you, Mark, for the opportunity for a bit of a rant. I can't
> resist talking about this topic. :)
>
> I've heard many arguments in favor of formal CLAs and copyright
> assignment and the like, but this may be a new one. It is not
> necessary to consider the underlying legal issue, because the argument
> collapses on its own logic.
>
> If it's important to have explicit acceptance to bind a contributor to
> OpenStack to the license granted on the inbound contribution to the
> OpenStack project (or whatever entity is acting as the alter ego of
> it), it ought to be equally important to bind such project/entity
> (Rackspace, OpenStack Foundation, the non-corporate collective of
> individual OpenStack committers, whatever) in their offering of the
> Apache License 2.0 outbound to any given member of the public
> downstream from OpenStack. Yet when I download OpenStack code, I don't
> get any such formal indication of binding assent from upstream. I
> don't get any signed statement with a wax seal affixed committing the
> upstream contractually to giving me the rights I'm supposed to be
> getting under the Apache License 2.0. All I get is some software with
> a text file containing a copy of the Apache License 2.0.
>
> Now, I think that's perfectly fine, because that's how free
> software/open source has always worked. Indeed it is a key part of why
> it works. It would be strange if OpenStack did things any
> differently. But if *that's* okay, why is it not okay for contributors
> to OpenStack to have the same freedom to indicate their licensing
> of contributions in a traditional manner -- namely, by merely
> providing notice of the license (which might as well be the Apache
> License 2.0)?  It doesn't make sense.
>
> Moreover, anyone who thinks that open source is unsafe or unreliable
> without a system of explicit acceptance by the licensor of inbound
> contributions should immediately cease using it altogether, since 99%
> or so of it was produced without any such system in place. Any
> suggestion otherwise is dismissible, but I think it does some damage
> to suggest that there's something unsafe about using an
> alternate-universe version of OpenStack where the project did not make
> use of a CLA, as it unnecessarily casts doubt on that 99 or so % of
> open source software that is developed without such cumbersome
> mechanisms, and indeed it casts doubt on the reliability of open
> source licensing itself. Thus, by using an Apache-style CLA, OpenStack
> is shooting itself in the foot.
>
> There are other things one might mention, such as the fact that the
> Apache License 2.0 ingeniously contains a built-in contributor
> agreement of sorts already.
>
> > > We have a bigger hole in the Corporate CLA, IMHO.  I have been told that
> > > since it is necessary for a corporate signer to explicitly name their
> > > individual contributors, and we have no way of updating the document,
> > > OpenStack is potentially left open to a lawsuit, if an employee
> > > unspecified in the CLA contributes something they consider IP.  I
> > > seriously hate all this legal stuff.
>
> I sympathize...
>
> > I'll leave that one for Richard too :-)
>
> On this one, I'd just say that this degree of risk aversion is out of
> place in open source. When has it happened that some company or
> project was sued because of failure to add a name to a Corporate CLA?
> Where are all these lawsuits brought by contributors to open source
> projects?
>
> I hope it is of some value for OpenStack developers to at least hear a
> gratuitous alternative legal viewpoint from whatever they have
> previously heard on this topic.
>
> Thanks,
>
> Richard Fontana
> Open Source Licensing & Patent Counsel
> Red Hat, Inc.
