[legal-discuss] CLA (was: Call for a clear COPYRIGHT-HOLDERS file in all OpenStack projects)

Richard Fontana rfontana at redhat.com
Tue Oct 22 16:03:16 UTC 2013

On Tue, Oct 22, 2013 at 02:22:52PM +0000, Jeremy Stanley wrote:

> To echo Monty's sentiments earlier in the thread, and also as the
> person who spear-headed the current CLA enforcement configuration in
> our project's Gerrit instance, I don't see how our CLAs add anything
> of value. It's patronizing, almost insulting, to ask developers to
> pinky-swear that they're authorized to license the code they
> contribute under the license included with the code they contribute.

I think something has to be pointed out here, because I am now seeing
a significant degree of confusion.

The CLA used by OpenStack projects does not entail the contributor
saying "I am authorized to license the code I contribute under the
license included with the code I contribute".  (Something like that
*could* be made the policy. With the introduction of a greater degree
of informality or red-tape-reduction it would resemble the Linux
kernel's signed-off-by approach.)

The CLA used by OpenStack projects says, in essence: "I am authorized
to license the code I contribute under a *different* license from that
which might be included with the code I contribute". That different
license is similar to, but broader than, the Apache License 2.0.

There seems to be some understanding, at least post-establishment of
the OpenStack Foundation, that contributions to OpenStack are
dual-licensed under the Apache License 2.0 and under the broader
license signified by the CLA. I would read the OpenStack Foundation
bylaws as indicating that the CLA is supposed to give the OpenStack
Foundation the ability to license out directly all of OpenStack
project code under the Apache License 2.0.

IOW, you have a complex scheme of triple licensing involved in OpenStack:

1) Contributors are expected to license their code directly to
   everyone under the Apache License 2.0, and there seems to be some
   belief or expectation that this is done in some explicit way.

2) Contributors are giving a broader license to the OpenStack
   Foundation -- and all downstream recipients.

3) The OpenStack Foundation is in some sense expected to be granting
   its own Apache License 2.0 license, based (in part) on the licenses
   it gets under the CLA.

I would also note that this triple layer approach is unprecedented. No
other Apache License project does anything like this. Some (most)
projects do 1. Some projects (notably the common case of
single-company-dominated projects using Apache-style CLAs) do 2 + 3. 

Critics of the CLA approach like you and Monty are saying 'why not
just do approach 1', I think.

(The ASF btw does something like 2 + 3 except that many contributions
are understood to bypass the CLA requirement (or at the other extreme
come in under a so-called 'software grant'). And also in general ASF
projects as a matter of policy make no effort to keep a public record
of inbound copyright holders.)

> At any rate, it seems that the
> agreement boils down to "copyright holders promise that they're
> contributing code under this license,

Where "this license" means the CLA, not the Apache License 2.0.

 - RF
