On Tue, Oct 22, 2013 at 02:22:52PM +0000, Jeremy Stanley wrote:
To echo Monty's sentiments earlier in the thread, and also as the person who spear-headed the current CLA enforcement configuration in our project's Gerrit instance, I don't see how our CLAs add anything of value. It's patronizing, almost insulting, to ask developers to pinky-swear that they're authorized to license the code they contribute under the license included with the code they contribute.
I think something has to be pointed out here, because I am now seeing a significant degree of confusion. The CLA used by OpenStack projects does not entail the contributor saying "I am authorized to license the code I contribute under the license included with the code I contribute". (Something like that *could* be made the policy. With the introduction of a greater degree of informality or red-tape-reduction it would resemble the Linux kernel's signed-off-by approach.)
The CLA used by OpenStack projects says, in essence: "I am authorized to license the code I contribute under a *different* license from that which might be included with the code I contribute". That different license is similar to, but broader than, the Apache License 2.0.
There seems to be some understanding, at least post-establishment of the OpenStack Foundation, that contributions to OpenStack are dual-licensed under the Apache License 2.0 and under the broader license signified by the CLA. I would read the OpenStack Foundation bylaws as indicating that the CLA is supposed to give the OpenStack Foundation the ability to license out directly all of OpenStack project code under the Apache License 2.0.
IOW, you have a complex scheme of triple licensing involved in OpenStack:
1) Contributors are expected to license their code directly to everyone under the Apache License 2.0, and there seems to be some belief or expectation that this is done in some explicit way.
2) Contributors are giving a broader license to the OpenStack Foundation -- and all downstream recipients.
3) The OpenStack Foundation is in some sense expected to be granting its own Apache License 2.0 license, based (in part) on the licenses it gets under the CLA.
I would also note that this triple layer approach is unprecedented. No other Apache License project does anything like this. Some (most) projects do 1. Some projects (notably the common case of single-company-dominated projects using Apache-style CLAs) do 2 + 3.
Critics of the CLA approach like you and Monty are saying 'why not just do approach 1', I think. (The ASF btw does something like 2 + 3 except that many contributions are understood to bypass the CLA requirement (or at the other extreme come in under a so-called 'software grant'). And also in general ASF projects as a matter of policy make no effort to keep a public record of inbound copyright holders.)
At any rate, it seems that the agreement boils down to "copyright holders promise that they're contributing code under this license,
Where "this license" means the CLA, not the Apache License 2.0.
- RF