[legal-discuss] Trivial contributions and CLAs

Sean Dague sean at dague.net
Wed Apr 23 10:40:48 UTC 2014


Honestly, I think the current model provides a lot fewer additional
guarantees than people believe it does.

OpenStack currently has ~100 runtime requirements dependencies that are
additional Python libraries -
https://github.com/openstack/requirements/blob/master/global-requirements.txt

In order to build a functioning OpenStack system, you must have most of
these. They are under various licenses, with various upstream inclusion
criteria.

If that trivial fix happened in a dependent library, it would just be
merged. The large contributors would be at exactly the same risk, as
they are shipping this new code. They probably have a code scan
mechanism to find the worst of this, but that's clearly not going to
find every instance.

The assumption that the CLA is a massively time saving and protective
shield breaks down the moment that you actually try to ship real
OpenStack as part of a product. In my experience, most people unfamiliar
with the details of OpenStack get taken by surprise on OpenStack the
project vs. OpenStack the code needed to run a cloud (most of which
isn't actually OpenStack "the project" code). It would be good to know
if this level of detail came up in the Legal Affairs committee, because
I can see without it people might come to different conclusions than
with it.

So the material impact of the CLA right now is creating friction for
growing the contributor base from anything other than large entities
with legal teams. It doesn't materially impact the risk for an entity
that wants to productize OpenStack, given the library hole.

	-Sean

On 04/23/2014 02:37 AM, Radcliffe, Mark wrote:
> We actually discussed this issue at the Legal Affairs committee meeting
> in January.  The issues raised by Marc led the Committee to conclude
> that, at present, it would be very difficult to find a general rule and
> a case by case approach would be difficult to manage and potentially
> unfair to the major contributors.  The fundamental issue raised at the
> Legal Affairs Committee meeting was that such a policy would be unfair
> to the major contributors because it would actually favor “small
> contributors” over the major contributors. 
> 
>  
> 
> I also don’t think that the bylaws actually give the Executive Director
> that authority and it would be difficult to have the Board grant it to
> him.  My memory was that the approach in drafting this section was
> consistent in minimizing discretion in the manner in which contributions
> could be accepted.  Although I suggested giving the Board more
> flexibility, the decision was that the method of contribution needed to
> be tightly controlled.  As currently drafted, the Bylaws always contemplate
> the use of a CLA. The bylaws set up the following hierarchy: (1)
> contributions under the OpenStack Contributor License Agreements in
> Appendix 7 (2) contributions under a modified CLA  (or license) approved
> by the Board and (3) contributions under the OpenStack Contribution
> License Agreements with non-material  amendments by the Executive
> Director if the Board grants such power to the Executive Director.  The
> relevant section is:
> 
>  
> 
> /The Foundation shall generally accept contributions of software made
> pursuant to the terms of the Contributor License Agreements attached as
> Appendix 7. The Board of Directors may adopt additional contributor
> license agreements as may be appropriate for certain organizations or
> contributions to secure a license on terms which will permit
> distribution under the Apache License 2.0, and may require inclusion of
> the Apache License 2.0 license header in code contributions. The Board
> of Directors may delegate the authority to make non material amendments
> to the Contributor License Agreement to the Executive Director so long
> as such modifications permit distribution of the software under Apache
> License 2.0./
> 
>  
> 
>  
> 
> *From:*Alice King [mailto:alice_king at att.net]
> *Sent:* Tuesday, April 22, 2014 6:57 PM
> *To:* 'Marc Ehrlich'
> *Cc:* legal-discuss at lists.openstack.org
> *Subject:* Re: [legal-discuss] Trivial contributions and CLAs
> 
>  
> 
> Hi Marc!   In the order of your comments:
> 
>  
> 
> I am fine and hope you are too!!  I know all of you have been carefully
> working on these issues and it has been quite a while since I have been
> in the trenches.  So apologies if I am speaking “out of school,” but
> here are my thoughts:
> 
>  
> 
> I think the Executive Director would make the call, and would probably
> want the advice of legal counsel.  I want to stress that I am talking
> only about exceptional cases.  The Board can set parameters for the ED
> and can set them as conservatively as they think wise. In any domain the
> application of rules with human judgment can lead to unintended and
> unwanted results.  The Foundation does not have a judiciary, but the
> Bylaws do contemplate the ED having this type of discretion on
> intellectual property matters. 
> 
>  
> 
> On the patent risk – forgive me if I am missing something, but I am not
> sure I see much additional risk here either.  Any contributor can expose
> the project to the risk of a patent infringement claim by someone
> outside of the community.  I don’t think the CLA helps manage that risk.
> It only creates a disincentive for a contributor to make a patent claim
> based on their own contribution.    Again, in this particular edge case
> I think the risk is low that a contributor would make that one slight
> change that then brings the technology under a patent that the very same
> contributor holds.  But this would be a judgment call for the ED. 
>  Certainly the patent risk would be part of the equation in every case.
> 
>  
> 
> Alice
> 
> *From:*Marc Ehrlich [mailto:mehrlich at us.ibm.com]
> *Sent:* Tuesday, April 22, 2014 8:20 PM
> *To:* Alice King
> *Cc:* legal-discuss at lists.openstack.org
> <mailto:legal-discuss at lists.openstack.org>; 'Richard Fontana'
> *Subject:* Re: [legal-discuss] Trivial contributions and CLAs
> 
>  
> 
> Hi Alice!!  Nice to know I am not the only one hanging out on this list
> and not responding much.  Hope all's well with you!
> 
> As it relates to IP I guess I do have a few concerns with the trajectory
> of this discussion.   I apologize if I am missing something obvious and
> if so feel free to disregard this...
> 
> For example how do we determine what  "trivial contribution" is?  Who
> makes that call?  Would it be the same to all participants?  Why are IBM
> and HP and others who have signed the CLA held to a different standard
> and denied the ability to make trivial contributions (not that I think
> we should be able to make them; I don't think they should be made at all),
> but if some can make them why not all?
> 
> Most importantly it is the patent IP I think we should be worried about.
>  What if that line or two of code trivially contributed completes the
> steps of a patent claim held by the contributor's company that then
> makes OpenStack users infringers of that code?  Remember our committee
> discussions about contributors licenses which extend not only to the
> code they contribute but its combination with the work?  This is exactly
> the same point.  Even a trivial contribution  in terms of size or
> function can render a body of code infringing.  I think that one of the
> great benefits of the  CLA is that it addresses that scenario.  So in my
> view we need to think long and hard about letting companies take a pass
> on what everyone else has agreed to lest we find ourselves facing patent
>  claims based on trivial additions.   I would not expect (though please
> correct me if I am wrong) that someone is planning on doing a patent
> clearance against the contributor when such contributions are made
> before they are deemed trivial?  I would think that would be more than a
> trivial undertaking.  
> 
> Sorry if I am missing something that covers us for patents but I think I
> have this right.
> 
> Marc A. Ehrlich
> 
> 
> 
> 
> 
> From: "Alice King" <alice at alicelkingpc.com <mailto:alice at alicelkingpc.com>>
> To: "'Richard Fontana'" <rfontana at redhat.com
> <mailto:rfontana at redhat.com>>, <legal-discuss at lists.openstack.org
> <mailto:legal-discuss at lists.openstack.org>>,
> Date: 04/22/2014 08:55 PM
> Subject: Re: [legal-discuss] Trivial contributions and CLAs
> 
> ------------------------------------------------------------------------
> 
> 
> 
> 
> Thank you Richard.  That helps put it in perspective.  
> 
> The process needs to permit a trusted person to exercise discretion in edge
> cases like this.  That is true of every process involving human interaction.
> The Foundation Bylaws contemplate the Board giving this kind of edge-case
> discretion to the Executive Director.
> 
> I don't see that there is much risk around intellectual property in this
> kind of contribution.  Who would make a claim?  There is a secondary risk
> that the project is viewed as being lax on IP issues generally, which would
> scare off some users.  I think this is also unlikely.  My impression is that
> the project is viewed as exercising an abundance of caution.  
> 
> The kind of participation represented by this contribution is valuable.
> Reward significantly outweighs risk.
> 
> Still on the list and felt like chiming in!  
> 
> Alice
> 
> 
> -----Original Message-----
> From: Richard Fontana [mailto:rfontana at redhat.com]
> Sent: Tuesday, April 22, 2014 7:32 PM
> To: legal-discuss at lists.openstack.org
> <mailto:legal-discuss at lists.openstack.org>
> Subject: Re: [legal-discuss] Trivial contributions and CLAs
> 
> For anyone on this list not accustomed to looking at such things, I think it
> might be interesting to point out what this patch actually is and what
> Stefano means by triviality (even though the CLA may not be the relevant
> issue in this instance, the issue of contribution process around trivial
> patches is the larger issue that Stefano was raising):
> 
> The patch would cause one existing line in one file:
> 
>    options = sorted([(ip.id, ip.ip) for ip in ips if not ip.port_id])
> 
> to be replaced with this:
>    
>    options = sorted([(ip.id, ip.ip) for ip in ips if not ip.port_id],
>                     key=lambda ip: ip[1])
> 
> That is: all this patch does is add the following text to one line of a
> file:
>  ", key=lambda ip: ip[1]"
> The file itself contains about ~100 lines of code, and Horizon, the relevant
> project, contains, I believe, about 2000 files.
> 
> - RF
> 
> 
> Stefano wrote:
>> I have been notified of another very small patch that is left in a 
>> limbo, with the author not allowed to sign the CLA and the developers 
>> stuck in unknown legal territory. You can read more about it on
>>
>> https://bugs.launchpad.net/bugs/1308984
>>
>> From what I can see, the patch is trivial and shouldn't even be
>> copyrightable but the person spotting the issue and fixing it is not
>> comfortable signing the CLAs. Can any other developer copy the patch and put
>> it into our trunk? Until when is this sort of behaviour safe?
>>
>> We're getting more of these small blockers and I think it's already a
>> problem. Having to sign a Corporate CLA and Individual CLA for a trivial
>> patch, from an operator (whose job is to run clouds, resulting in small and
>> rare patches, not to develop large features) can conflict with our effort to
>> get more operators involved in OpenStack.
>>
>> I'm not sure what solutions are available. If we can't change the CLA
>> processes easily, what else can we do to get small contributions like these?
> 
> 
> _______________________________________________
> legal-discuss mailing list
> legal-discuss at lists.openstack.org <mailto:legal-discuss at lists.openstack.org>
> http://lists.openstack.org/cgi-bin/mailman/listinfo/legal-discuss
> 
> 
> 


-- 
Sean Dague
http://dague.net
