[legal-discuss] CLA (was: Call for a clear COPYRIGHT-HOLDERS file in all OpenStack projects)

Jeremy Stanley fungi at yuggoth.org
Tue Oct 22 14:22:52 UTC 2013

(Disclaimers: I am not a lawyer, which likely explains my lack of
interest in perversely pointless paperwork. Also, these opinions are
my own and do not necessarily reflect those of my employer. Setting
MFT to legal-discuss as a more appropriate forum for these sorts of

On 2013-10-22 15:11:25 +0200 (+0200), Zane Bitter wrote:
> Can't we just write "Copyright OpenStack Contributors"? (Where
> 'contributors' means individuals or organisations who have signed
> the CLA.)

Actually, technically not. There are other avenues through which
patches come (posts on mailing lists, attachments to bugs) and I
know that from time to time contributors git-am other authors' bug
fixes without first asking them to go agree to an OpenStack CLA and
prove that they have done so. The actual copyright belongs with the
author (or their employer under a work-for-hire agreement), not the
contributor who uploaded that work--and they aren't necessarily
always the same people.

> Gerrit ensures that only OpenStack Contributors (those that have
> signed the CLA) can contribute to OpenStack

To echo Monty's sentiments earlier in the thread, and also as the
person who spear-headed the current CLA enforcement configuration in
our project's Gerrit instance, I don't see how our CLAs add anything
of value. It's patronizing, almost insulting, to ask developers to
pinky-swear that they're authorized to license the code they
contribute under the license included with the code they contribute.
At best it may provide a warm fuzzy feeling for companies who are
unfamiliar with contributing to free software projects, since free
software licenses are all about waiving your rights rather than
enforcing them and that might sound scary to the uninitiated... but
better efforts toward educating them about free software may prove
more productive than relying on a legal security blanket.

Also as mentioned above, Gerrit does not enforce that the copyright
holder has agreed to this, it only enforces that the person
*uploading* the code into Gerrit has agreed to it... and section 7
of the ICLA has some interesting things to say about submitting
third-party contributions, which looks to me like a permitted
loophole for getting ASL code into the project without the author
directly agreeing to a CLA at all.

> > 7. Should You wish to submit work that is not Your original
> > creation, You may submit it to the Project Manager separately
> > from any Contribution, identifying the complete details of its
> > source and of any license or other restriction (including, but
> > not limited to, related patents, trademarks, and license
> > agreements) of which you are personally aware, and conspicuously
> > marking the work as "Submitted on behalf of a third-party:
> > [named here]".

I wonder if the current de facto practice of allowing git's author
header to reflect the identity of the third-party counts as a
conspicuous mark for the purposes of ICLA section 7? And whether
submitting it to Gerrit where it can be openly inspected by the
entire project counts as a submission to the Project Manager (the
OpenStack Foundation) as well? At any rate, it seems that the
agreement boils down to "copyright holders promise that they're
contributing code under this license, or that they're submitting
someone else's work who probably is okay with it."

Jeremy Stanley
