[openstack-dev] CLA

Zane Bitter zbitter at redhat.com
Tue Oct 22 16:39:42 UTC 2013


On 22/10/13 16:22, Jeremy Stanley wrote:
> (Disclaimers: I am not a lawyer, which likely explains my lack of
> interest in perversely pointless paperwork. Also, these opinions are
> my own and do not necessarily reflect those of my employer. Setting
> MFT to legal-discuss as a more appropriate forum for these sorts of
> discussions.)
>
> On 2013-10-22 15:11:25 +0200 (+0200), Zane Bitter wrote:
> [...]
>> Can't we just write "Copyright OpenStack Contributors"? (Where
>> 'contributors' means individuals or organisations who have signed
>> the CLA.)
> [...]
>
> Actually, technically not. There are other avenues through which
> patches come (posts on mailing lists, attachments to bugs) and I
> know that from time to time contributors git-am other authors' bug
> fixes without first asking them to go agree to an OpenStack CLA and
> prove that they have done so. The actual copyright belongs with the
> author (or their employer under a work-for-hire agreement), not the
> contributor who uploaded that work--and they aren't necessarily
> always the same people.

Fair point, although as you note below if the contributor does not 
identify the actual copyright holder in the submission, that is their 
responsibility, not OpenStack's responsibility. Likely a few copyright
holders will fall through the cracks here (e.g. from legitimately 
identified external code like https://review.openstack.org/#/c/40330/), 
but many, many *more* will fall through the cracks in trying to compile 
a list of them.

I'm not suggesting here that the CLA can provide an accurate list of 
copyright holders (which is impossible anyway), I'm saying that it 
provides a paper-trail back to somebody who warrants that they have the 
right to licence the code under the ASL (however mistaken they may be 
about that), and that this is precisely the paper trail that the Debian 
FTP masters are looking for.

>> Gerrit ensures that only OpenStack Contributors (those that have
>> signed the CLA) can contribute to OpenStack
> [...]
>
> To echo Monty's sentiments earlier in the thread, and also as the
> person who spear-headed the current CLA enforcement configuration in
> our project's Gerrit instance, I don't see how our CLAs add anything
> of value. It's patronizing, almost insulting, to ask developers to
> pinky-swear that they're authorized to license the code they
> contribute under the license included with the code they contribute.

It's exactly as silly as Debian requiring the copyright holders to be 
identified alongside the licence. As an engineer, I'm inclined to agree 
that it's pretty silly, because it doesn't actually change anything - 
nobody is ever surprised when their contribution to open source ends up 
as open source, and if it turns out that they were not entitled to so 
licence it then it's still effectively everyone's problem, CLA or no. 
Clearly there are lawyers who disagree though.

> At best it may provide a warm fuzzy feeling for companies who are
> unfamiliar with contributing to free software projects, since free
> software licenses are all about waiving your rights rather than
> enforcing them and that might sound scary to the uninitiated... but
> better efforts toward educating them about free software may prove
> more productive than relying on a legal security blanket.
>
> Also as mentioned above, Gerrit does not enforce that the copyright
> holder has agreed to this, it only enforces that the person
> *uploading* the code into Gerrit has agreed to it... and section 7
> of the ICLA has some interesting things to say about submitting
> third-party contributions, which looks to me like a permitted
> loophole for getting ASL code into the project without the author
> directly agreeing to a CLA at all.
>
>>> 7. Should You wish to submit work that is not Your original
>>> creation, You may submit it to the Project Manager separately
>>> from any Contribution, identifying the complete details of its
>>> source and of any license or other restriction (including, but
>>> not limited to, related patents, trademarks, and license
>>> agreements) of which you are personally aware, and conspicuously
>>> marking the work as "Submitted on behalf of a third-party:
>>> [named here]".
>
> I wonder if the current de facto practice of allowing git's author
> header to reflect the identity of the third-party counts as a
> conspicuous mark for the purposes of ICLA section 7? And whether
> submitting it to Gerrit where it can be openly inspected by the
> entire project counts as a submission to the Project Manager (the
> OpenStack Foundation) as well? At any rate, it seems that the
> agreement boils down to "copyright holders promise that they're
> contributing code under this license, or that they're submitting
> someone else's work who probably is okay with it."

That's exactly what it boils down to, and coincidentally exactly what 
the requirement to list copyright holders in Debian also boils down to 
afaict. We should leverage the synergies, or something ;)

cheers,
Zane.


