Ask HN: Are GitHub pull-requests governed by the original repository license?
Copyright (C) 2022 My Name
line from every MIT-licensed project I've ever seen.A random contributor forks my repository and sends me a pull-request. They haven't altered the license file in any way.
So, Question 1: are their contributions automatically licensed under the same MIT license as the original repository? (Note that their fork, which I'm being asked to merge, contains the identical license file.)
Question 2: have they (almost certainly inadvertently) assigned copyright over their changes to me? (They're asking me to merge changes from a repository which contains a copyright declaration in my name.)
Question 3: if one, why not the other?
Disclaimer -- personally I hate even having to think about these kinds of questions, which is why I try to make most of my open-source code available under the Unlicense [1]. I've recently discovered the Zero-Clause BSD licence [2] which may be a better alternative as it avoids the potentially problematic concept of a 'public domain' -- I'd love to hear an informed legal analysis of their differences.
[1]: https://unlicense.org
[2]: https://opensource.org/licenses/0BSD
32 comments
[ 3.0 ms ] story [ 76.8 ms ] threadYes. GitHub clarify this in their terms of service: https://docs.github.com/en/github/site-policy/github-terms-o...
> have they (almost certainly inadvertently) assigned copyright over their changes to me? (They're asking me to merge changes from a repository which contains a copyright declaration in my name.)
No. They still own the copyright to their change (unless it's a trivial, un-copyrightable change).
It's not uncommon to require contributors to reassign copyright.
IANAL, but here's my understanding: in the US copyright is automatic. You gain the copyright in anything you write automatically unless you explicitly give it up. A PR does not have this explicitness so it doesn't transfer the copyright. OTOH, the license choice is not an automatic right. By PR'ing on a repo with a license, you are implicitly choosing that license.
The GitHub Terms and Conditions make this implicitness more explicit, but AFAICT it's not theoretically necessary. However clarity is always super useful in a legal context.
They aren't really contradictory as they are separate concepts so covered by different conventions.
Copyright: the new contributor has copyright of the code they produced because this is automatic (in most jurisdictions at least), and they keep that unless they explicitly reassign it.
Licence: as the licence has not been changed in their fork, the old licence remains. If they change the licence in future then things are a little more grey for future contributions, and it depends on the licence. But they can't change the licence of your code unless the existing licence explicitly allows that. There may be limits on whether they can change the licence at all (i.e. if the original license is GPL).
With MIT all is well in this circumstance. A problem will occur if the core project wants to change their licence at a later date. Again IIRC with MIT this is fine, but with stronger licences they would need to get permission from the copyright holder of parts they are not officially the copyright holder of already, just as the new contributor wouldn't be able to arbitrarily relicense code taken from the primary branch.
Yes — that is the common understanding, a foundation upon which vast amounts of collaborative Open Source projects are built.
> Question 2: have they (almost certainly inadvertently) assigned copyright over their changes to me? (They're asking me to merge changes from a repository which contains a copyright declaration in my name.)
No. Copyright assignment is involved and needs more than that incidental quirk of that copyright notice in the MIT license template (which is confusing).
> I'd love to hear an informed legal analysis of their differences.
Go with a standard, popular FOSS license. Avoid "crayon licenses" which are poorly drafted, because they lead to legally ambiguous situations which serve both users and contributors poorly. Resist the urge to cut your nose off to spite your face by adopting a purposefully rebellious license.
The original JSON license is the crayon license whose flaws are easiest to understand. It contains the phrase "shall be used for Good, not Evil", which begs the question "who decides what's evil?" and opens up any user to a potential lawsuit.
The OSI ultimately approved the Unlicense, but with a critique. It's flaws are not as easy to understand as those of the JSON license, but here you go:
https://lists.opensource.org/pipermail/license-review_lists....
> There is general agreement that the document is poorly drafted. It is an attempt to dedicate a work to the public domain (which, taken alone, would not be approved as an open source license) but it also has wording commonly used for license grants. There was some discussion about the legal effectiveness of the document, in particular how it would operate in a jurisdiction where one cannot dedicate a work to the public domain. The lawyers who opined on the issue, both US and non-US, agreed that the document would most likely be interpreted as a license and that the license met the OSD. It is therefore recommended for approval.
What I usually do for the copyright attribution on my own projects is "Copyright My Name and Contributors". That makes it clearer that there may be contributions from others merged into the code and I'm not claiming copyright over everything.
I personally like the FOAF license, which is like the original JSON license, but specifies that "what's evil" is determined by the originator of the project.
https://opensource.org/osd
> 6. No Discrimination Against Fields of Endeavor
> The license must not restrict anyone from making use of the program in a specific field of endeavor. For example, it may not restrict the program from being used in a business, or from being used for genetic research.
(Friend Of A Friend) != (Fuck Around Find Out)
To elaborate on "is involved", you need to have it in writing that you are transferring ownership and that has to be signed. See 17 USC 104 [1] and/or page 3 of the "Copyright Basics" circular [2] from the US Copyright Office.
[1] https://www.law.cornell.edu/uscode/text/17/204
[2] https://www.copyright.gov/help/faq/faq-assignment.html
This is exactly why most big companies require new contributors to sign a copyright assignment before any of their PRs can be merged. Gray areas don't work when lots of money is at stake.
(2) There is no implicit copyright assignment. The author of the change retains copyright in that code, and you retain copyright in your code. You may want to look in to copyright license agreements in which you get your contributors to agree to allow you to use their code in your project and maybe agree not to revoke that permission.
Boilerplate headers have no real legal standing: copyright applies the minute you type the text of the source code and is only worth what you can prove in a court of law. Should you wish to change the distribution licensing at some point in the future, you will need to secure the permission of all copyright holders. In the absence of copyright assignment or copyright license agreements that means everyone who has ever contributed a line of code.
https://www.gnu.org/licenses/why-assign.en.html
https://softwareengineering.stackexchange.com/questions/1857...
(2) No, unless they have stated that they have transferred ownership to you they own the copyright of their changes.
(1): probably, but not necessarily; they could choose a different license for their contributions, though it would be unlikely to get merged
(2): no, they still have copyright on their changes unless they reassign it
But if the repo was GPL then their contributions would automatically be GPL also
Because the GPL requires all (conveyed) derivative works to be GPL licensed. If they intended it to be anything else they would be in violation of the GPL.
It may be worth thinking of "the work" as the code + the revision history. Historically this was done by actually embedding something like a changelog with different author information in the code itself, so that there's version A of the work with just you and your code, and other version B of the work with you and someone else and their changes with their changes called out explicitly. With version control we don't usually bother with such embedding because it's part of the history, but you still have version A of the work with just you and version B with you + the other author, even if nothing in the source code itself (or the license file) indicates the presence of another author. The revision history alone is enough to establish their partial authorship and any copyright claim. And probably implicit agreement to the original license, barring any signs to the contrary, per your question 1 and github's official doc on the matter -- adding something to your readme for a public domain project like "contributions implicitly agree to relinquish their copyright and dedicate changes to the public domain" seems like it'd be in the realm of weird EULA clauses that may or may not be enforceable.
I like the Unlicense too since I learned of it. I mean, I like the public domain and screwing thinking more about this license stuff, but I also like putting in a "don't sue me if something bad happens while using this" disclaimer, and even if it's "clumsily worded" as others have said when it comes to countries that don't recognize the public domain, it seems less clumsy than some of my prior attempts at "this is public domain or MIT if your country doesn't recognize such a thing". The CC0 is also acceptable as public-domain-unless-your-country-sucks-then-as-close-as-possible, even if it's not exactly meant for software. In a recent Unlicensed library of mine that I think has a slightly-greater-than-epsilon chance of ever seeing a pull request someday, I decided in the readme to call out a request that contributions include a blurb explicitly relinquishing to the public domain (Unlicense's site it...
However, I believe this is exactly the scenario the GPL and Apache address. The GPL by copyleft and Apache by contributor agreements.
Neither is a free lunch. Then again neither are lawyers.