Re: [legal-discuss] CLA (was: Call for a clear COPYRIGHT-HOLDERS file in all OpenStack projects)
(Disclaimers: I am not a lawyer, which likely explains my lack of interest in perversely pointless paperwork. Also, these opinions are my own and do not necessarily reflect those of my employer. Setting MFT to legal-discuss as a more appropriate forum for these sorts of discussions.)

On 2013-10-22 15:11:25 +0200 (+0200), Zane Bitter wrote:
[...]
> Can't we just write "Copyright OpenStack Contributors"? (Where 'contributors' means individuals or organisations who have signed the CLA.)
[...]
Actually, technically not. There are other avenues through which patches come (posts on mailing lists, attachments to bugs) and I know that from time to time contributors git-am other authors' bug fixes without first asking them to go agree to an OpenStack CLA and prove that they have done so. The actual copyright belongs with the author (or their employer under a work-for-hire agreement), not the contributor who uploaded that work--and they aren't necessarily always the same people.
> Gerrit ensures that only OpenStack Contributors (those that have signed the CLA) can contribute to OpenStack
[...]
To echo Monty's sentiments earlier in the thread, and also as the person who spear-headed the current CLA enforcement configuration in our project's Gerrit instance, I don't see how our CLAs add anything of value. It's patronizing, almost insulting, to ask developers to pinky-swear that they're authorized to license the code they contribute under the license included with the code they contribute. At best it may provide a warm fuzzy feeling for companies who are unfamiliar with contributing to free software projects, since free software licenses are all about waiving your rights rather than enforcing them and that might sound scary to the uninitiated... but better efforts toward educating them about free software may prove more productive than relying on a legal security blanket. Also as mentioned above, Gerrit does not enforce that the copyright holder has agreed to this, it only enforces that the person *uploading* the code into Gerrit has agreed to it... and section 7 of the ICLA has some interesting things to say about submitting third-party contributions, which looks to me like a permitted loophole for getting ASL code into the project without the author directly agreeing to a CLA at all.
7. Should You wish to submit work that is not Your original creation, You may submit it to the Project Manager separately from any Contribution, identifying the complete details of its source and of any license or other restriction (including, but not limited to, related patents, trademarks, and license agreements) of which you are personally aware, and conspicuously marking the work as "Submitted on behalf of a third-party: [named here]".
I wonder if the current de facto practice of allowing git's author header to reflect the identity of the third-party counts as a conspicuous mark for the purposes of ICLA section 7? And whether submitting it to Gerrit where it can be openly inspected by the entire project counts as a submission to the Project Manager (the OpenStack Foundation) as well?

At any rate, it seems that the agreement boils down to "copyright holders promise that they're contributing code under this license, or that they're submitting someone else's work who probably is okay with it."

--
Jeremy Stanley
On Tue, Oct 22, 2013 at 02:22:52PM +0000, Jeremy Stanley wrote:
> To echo Monty's sentiments earlier in the thread, and also as the person who spear-headed the current CLA enforcement configuration in our project's Gerrit instance, I don't see how our CLAs add anything of value. It's patronizing, almost insulting, to ask developers to pinky-swear that they're authorized to license the code they contribute under the license included with the code they contribute.
I think something has to be pointed out here, because I am now seeing a significant degree of confusion.

The CLA used by OpenStack projects does not entail the contributor saying "I am authorized to license the code I contribute under the license included with the code I contribute". (Something like that *could* be made the policy. With the introduction of a greater degree of informality or red-tape-reduction it would resemble the Linux kernel's signed-off-by approach.)

The CLA used by OpenStack projects says, in essence: "I am authorized to license the code I contribute under a *different* license from that which might be included with the code I contribute". That different license is similar to, but broader than, the Apache License 2.0.

There seems to be some understanding, at least post-establishment of the OpenStack Foundation, that contributions to OpenStack are dual-licensed under the Apache License 2.0 and under the broader license signified by the CLA.

I would read the OpenStack Foundation bylaws as indicating that the CLA is supposed to give the OpenStack Foundation the ability to license out directly all of OpenStack project code under the Apache License 2.0.

IOW, you have a complex scheme of triple licensing involved in OpenStack:

1) Contributors are expected to license their code directly to everyone under the Apache License 2.0, and there seems to be some belief or expectation that this is done in some explicit way.

2) Contributors are giving a broader license to the OpenStack Foundation -- and all downstream recipients.

3) The OpenStack Foundation is in some sense expected to be granting its own Apache License 2.0 license, based (in part) on the licenses it gets under the CLA.

I would also note that this triple layer approach is unprecedented. No other Apache License project does anything like this. Some (most) projects do 1. Some projects (notably the common case of single-company-dominated projects using Apache-style CLAs) do 2 + 3.
Critics of the CLA approach like you and Monty are saying 'why not just do approach 1', I think. (The ASF btw does something like 2 + 3 except that many contributions are understood to bypass the CLA requirement (or at the other extreme come in under a so-called 'software grant'). And also in general ASF projects as a matter of policy make no effort to keep a public record of inbound copyright holders.)
> At any rate, it seems that the agreement boils down to "copyright holders promise that they're contributing code under this license,

Where "this license" means the CLA, not the Apache License 2.0.

- RF
On Tue, Oct 22, 2013 at 12:03:16PM -0400, Richard Fontana wrote:
> The CLA used by OpenStack projects does not entail the contributor saying "I am authorized to license the code I contribute under the license included with the code I contribute".
Actually, thinking about Jeremy's reference to section 7 of the ICLA, things are even more complex than I described because of the fact that an ICLA-signing individual developer will in many cases not be the copyright holder of the code being contributed that he or she wrote, yet the ICLA might be said to apply to that act of contribution even if the copyright holder has separately signed a CCLA (or even ICLA).

In some cases it would seem that the ICLA signer is saying the equivalent of (continuing to use language similar to what Jeremy used in his message) 'I am authorized to contribute this code which my employer has licensed under the Apache License 2.0'. In cases where the employer has signed the CCLA, which may or may not be typical, then you have the double license coming from the employer, and the ICLA may or may not be applicable. In cases where the employer has not signed the CCLA, there is a single (Apache License 2.0) license coming from the employer.

Anyway, this is way more complex than necessary. No other open source project handles contributions like this.

- RF