[Openstack] Do we really need a CLA? [was Re: Using Gerrit to verify the CLA]

Mark McLoughlin markmc at redhat.com
Fri Jan 6 10:44:31 UTC 2012


Hi Richard,

On Thu, 2012-01-05 at 14:11 -0500, Richard Fontana wrote:
> On Wed, Jan 04, 2012 at 09:49:29PM +0000, Mark McLoughlin wrote:
> > Hi Rick,
> > 
> > On Tue, 2012-01-03 at 09:02 -0600, Rick Clark wrote:
> > > Hey Mark,
> > > 
> > > First of all, orthogonally, we are very lucky to not have Copyright
> > > Assignment crushing this project.  That is what the management at
> > > Rackspace wanted, only NASA's inability to sign such a document
> > > prevented it.
> > 
> > Copyright assignment would certainly be worse than an Apache-style CLA.
> 
> I currently regard Apache-style CLAs as "worse" (scare quotes
> intentional) than copyright assignment, since (1) they are essentially
> equivalent to copyright assignment in the legal effect that seems like
> it ought to matter to developers the most -- that is, under both
> copyright assignment and an Apache-style CLA, the inbound party gets
> to do whatever they want with the code contributed, yet (2) for
> strange sociological reasons many developers tend to see copyright
> assignment as bad but Apache CLAs as inherently benign. To put it more
> simply, my concern is that Apache-style CLAs are deceptive in a way
> that copyright assignment is not, given the well-established antipathy
> to copyright assignment in open source development culture.
> 
> For an Apache-licensed project like OpenStack this is not too
> significant, however. Just kind of perplexing.

Ah. The Apache license is so permissive, that licensing your work under
that license is not all that different in its effect from assigning the
copyright to a licensee?

I hadn't thought of it that way. I guess the hangups folks have around
copyright assignment make more sense in the context of copyleft licensed
projects.

> > > IANAL, but I was told by lawyers when we were in the planning stages of
> > > starting Openstack, that while in the US submitting code under the
> > > Apache License 2.0 was enough to bind the submitter to it, that is not
> > > the case in all countries.  Some countries require explicit acceptance
> > > to be bound by it.
> > 
> > I've cc-ed Richard Fontana who I'm sure can comment on that.
> 
> Thank you, Mark, for the opportunity for a bit of a rant. I can't
> resist talking about this topic. :)
> 
> I've heard many arguments in favor of formal CLAs and copyright
> assignment and the like, but this may be a new one. It is not
> necessary to consider the underlying legal issue, because the argument
> collapses on its own logic. 
> 
> If it's important to have explicit acceptance to bind a contributor to
> OpenStack to the license granted on the inbound contribution to the
> OpenStack project (or whatever entity is acting as the alter ego of
> it), it ought to be equally important to bind such project/entity
> (Rackspace, OpenStack Foundation, the non-corporate collective of
> individual OpenStack committers, whatever) in their offering of the
> Apache License 2.0 outbound to any given member of the public
> downstream from OpenStack. Yet when I download OpenStack code, I don't
> get any such formal indication of binding assent from upstream. I
> don't get any signed statement with a wax seal affixed committing the
> upstream contractually to giving me the rights I'm supposed to be
> getting under the Apache License 2.0. All I get is some software with
> a text file containing a copy of the Apache License 2.0.

Hmm, sounds like we need to organize some wax and sealing apparatus :-)

> Now, I think that's perfectly fine, because that's how free
> software/open source has always worked. Indeed it is a key part of why
> it works. It would be strange if OpenStack did things any
> differently. But if *that's* okay, why is it not okay for contributors
> to OpenStack to have the same freedom to indicate their licensing of
> contributions in a traditional manner -- namely, by merely
> providing notice of the license (which might as well be the Apache
> License 2.0)?  It doesn't make sense. 

I do agree, but I'm curious what you would argue makes it clear that a
contribution is intended to be licensed under Apache License 2.0 if that
contribution is merely a (significant) patch to an existing file
containing an Apache License 2.0 header in a project containing an
Apache License 2.0 LICENSE file.

Is it simply by contributing the patch to such a project that the
licensing intent is made sufficiently clear? Or is it simply modifying
such a file and making the modifications publicly available?

This is the one area that some form of "contributor agreement" makes
sense to me - requiring the contributor to explicitly make their
licensing intent clear.

Simply adding Signed-off-by: to a commit message would be my preferred
way of doing it, but do you think that helps clarify the intent or even
whether such clarification is useful?

> Moreover, anyone who thinks that open source is unsafe or unreliable
> without a system of explicit acceptance by the licensor of inbound
> contributions should immediately cease using it altogether, since 99%
> or so of it was produced without any such system in place. Any
> suggestion otherwise is dismissable, but I think it does some damage
> to suggest that there's something unsafe about using an
> alternate-universe version of OpenStack where the project did not make
> use of a CLA, as it unnecessarily casts doubt on that 99 or so % of
> open source software that is developed without such cumbersome
> mechanisms, and indeed it casts doubt on the reliability of open
> source licensing itself. Thus, by using an Apache-style CLA, OpenStack
> is shooting itself in the foot.

Nice.

> There are other things one might mention, such as the fact that the
> Apache License 2.0 ingeniously contains a built-in contributor
> agreement of sorts already.

Right, so the "Submission of Contributions" clause in the license puts
the onus on licensee to explicitly state that they do not intend their
modifications to be contributed to the project under the license?

> > > We have a bigger hole in the Corporate CLA, IMHO.  I have been told that
> > > since it is necessary for a corporate signer to explicitly name their
> > > individual contributors, and we have no way of updating the document,
> > > OpenStack is potentially left open to a lawsuit, if an employee
> > > unspecified in the CLA, contributes something they consider IP.  I
> > > seriously hate all this legal stuff.
> 
> I sympathize...
>  
> > I'll leave that one for Richard too :-)
> 
> On this one, I'd just say that this degree of risk aversion is out of
> place in open source. When has it happened that some company or
> project was sued because of failure to add a name to a Corporate CLA?
> Where are all these lawsuits brought by contributors to open source
> projects?

Where does one go about finding lawyers with the degree of risk aversion
appropriate for open source? :-)

> I hope it is of some value for OpenStack developers to at least hear a
> gratuitous alternative legal viewpoint from whatever they have
> previously heard on this topic.

A pleasure, as always.

Thanks,
Mark.
