45 comments

[ 2.9 ms ] story [ 42.9 ms ] thread
That doesn’t seem like a terrible deal. $100/per CLA wouldn’t even be that bad for a thousand CLAs, i.e. it would scale for a while.
I may be misreading the Contributor License Agreement Wikipedia page, but it seems to me that the core reason why CLAs exist is to undermine the core concept of OSS software. Essentially it allows some company to randomly re-license free contributions to turn them private/for-profit.

The fact that your contributions are now effectively owned by DataStax and then licensed back to the people who actually wrote them(!) gives me a very bad feeling, like you've just become an unpaid employee of DataStax.

I will fully admit that I haven't read DataStax's CLA in full, but that is because I cannot without giving them access to my GitHub account...

PS - I understand that the FSF does this also, but the FSF isn't a for-profit company so apples and oranges in my view.

FSF, Apache, Python Software Foundation, Canonical, basically everyone who's serious about OSS requires a CLA.

The main exception I can think of is Debian. I'm not sure what the history is there or why their lawyers came to a different conclusion than everyone else.

(Disclaimer: I am the DataStax founder but I am not involved in the drivers team or their CLA.)

The Linux kernel doesn't require a CLA either.

Linus Torvalds: To be fair, people just like hating on Canonical. The FSF and Apache Foundation CLA's are pretty much equally broken. And they may not be broken because of any relicencing, but because the copyright assignment paperwork ends up basically killing the community. Basically, with a CLA, you don't get the kind of "long tail" that the kernel has of random drive-by patches. And since that's how lots of people try the waters, any CLA at all - changing the license or not - is fundamentally broken.

https://plus.google.com/+gregkroahhartman/posts/NstZfwXbAti

IIRC the main point about not doing so is "We're going to ensure that this body of work has so many legal threads hanging off of it that it ensures no single agent can track them all down and relicence the work otherwise.

While, IMO, the FSF & other non-profit agencies are an appropriate holding body, I would seriously have issues with a for-profit company asking for a CLA for open source work. I would instead reply with a request for a Statement of Work & some cash...

"basically everyone who's serious about OSS requires a CLA."

Nonsense. Red Hat don't require a CLA for any of their projects. The Linux kernel doesn't have a CLA. Libreoffice doesn't have a CLA. Mozilla don't require a CLA. The Python CLA might have that name but is actually just an explicit statement that the contribution is licensed under certain terms, which makes it entirely unlike the Apache or Canonical ones.

"I'm not sure what the history is there or why their lawyers came to a different conclusion than everyone else."

Most projects with CLAs have them because they see other projects with CLAs and it seems like the safest option. The common justification of "We need to know that the contribution is authorised" is more elegantly solved by the Developer Certificate of Origin approach, and the secondary justification of "What if an original contributor revokes permission to distribute" is only a problem in countries with string moral rights and a CLA isn't going to save you there anyway.

The FSF has copyright assignment for strategic purposes (they want to be able to launch enforcement lawsuits without requiring that the original authors all register their copyrights), and Canonical have a CLA because they want to be able to release proprietary versions of their code without granting anybody else the same freedom. The majority of cases are just entirely unnecessary.

Couldn't agree more - the claim that "being serious about OSS" requires a CLA is nonsense, and in many cases is just a cargo cult (I need it because others use it). Also, people somehow fail to realize that for CLAs to work, there needs to be a legal entity governing the project - which for many OSS projects is not the case.

CLAs certainly have pros/cons - it gives the project the right to enforce the license independently, but it also gives the project the opportunity to relicense the project without consent from the contributors. That may be a problem, especially when the project is driven by for-profit organizations.

But this is not a CLA with DataStax but with Apache right?

Edit: Oops, no it looks like it's with DataStax. Then I can understand why people wouldn't sign it.

I cannot even read the CLA, so to be honest I'm not sure who it is with.
> Essentially it allows some company to randomly re-license free contributions to turn them private/for-profit.

On the other hand, without signing over your rights, you can effectively hold up a project from moving forward. For example, if a project wanted to move from GPLv2 to GPLv3, IIRC, you can't do that without the permission of all contributors unless they have signed over their rights. And as @trestletech has pointed out not all contributors are created equal[1].

One the one hand, you have people making significant contributions (and you don't want to just stomp all over them), on the other hand you could have people making tiny contributions, yet are holding up everyone else.

[1]: https://github.com/datastax/nodejs-driver/commit/6f3c6b2f454...

Some projects use "GPLv2 or any later version", though I'm not sure how that holds up legally.
The GPLv2 requires that all derivative works be licensed under the GPLv2 or any later version of the GPL. The maintainer can get a way with this in a way semantically equivalent to forking the project using a later version of the GPLv2.

As long as contributors are licensing their contributions under the terms of the GPLv2, they're also licensing them under all future versions.

> The GPLv2 requires that all derivative works be licensed under the GPLv2 or any later version of the GPL

No it doesn't. The relevant part of the license is:

Each version is given a distinguishing version number. If the Program specifies a version number of this License which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Program does not specify a version number of this License, you may choose any version ever published by the Free Software Foundation.

ie, it's optional to use the "or any later version" language.

> if a project wanted to move from GPLv2 to GPLv3, IIRC, you can't do that without the permission of all contributors unless they have signed over their rights

You only need them to license their code under "GPLv2 or later" while you license the project only under "GPLv2". This way you're free to upgrade the license if and when you want.

A contributor can have legitimate reasons for not wanting their code re-licensed. For example, the Linux kernel deliberately did not move to GPLv3. Would such a contributor be "holding the project up" or would they be rightly demanding that the license under which they contributed code be honored?

Obviously the devil's in the details of the terms of the CLA. I had previously thought the purpose of the CLA was to allow the projects organizers to make copyright claims in court, not to allow them to re-license.

My "holding up the project" comment was more in relation to people that make small contributions (e.g. correct spelling mistakes and/or typos), but (maybe?) legally still need to sign off on a relicense. In this case, it really comes across as petty to put up a huge fight.
What huge fight? The guy is just saying that he isn't willing to invest the time in understanding the full implications of the contract he's being asked to sign, and that they can pay him if they want him to bother. At a very reasonable rate, I might add, considering he's a software developer and that carefully reading a CLA might take an hour or more.
I wasn't aiming in particular at this person with the "huge fight" part.
It's an ambiguous question that AFAIK/IANAL doesn't have a clear-cut answer. A while after the GPLv3 came out Eben Moglen ventured an opinion that a work like Linux could probably, from a purely legal perspective, change licenses but he made clear that was just his guess:

http://www.cnet.com/news/linux-to-gplv3-a-practical-matter-n...

> but it seems to me that the core reason why CLAs exist is to undermine the core concept of OSS software. Essentially it allows some company to randomly re-license free contributions to turn them private/for-profit.

While your assertion is true, it's not the only reason (or even the main reason) for CLAs in OSS.

IANAL, but this has actually happened in the past (the big case I'm aware of predates open source but not free software -- google for Diku MUD). Let's say that someone infringes on the license. So you take them to court to get them to follow the license. If you have a CLA you are the copyright holder so you can just do this. If you don't, to make your case you have to round up virtually everyone who has ever contributed to your project because they are copyright holders too. So, in effect, it doesn't matter if they infringe on the license or not because you can't hold them to it.

So you take them to court to get them to follow the license. If you have a CLA you are the copyright holder so you can just do this. If you don't, to make your case you have to round up virtually everyone who has ever contributed to your project because they are copyright holders too.

How so? As long as your code is also being used, you can sue for copyright infringement on your work. I don't see why you need to call up anyone else.

You can sue for anything you damn well please, that doesn't mean you're going to get anywhere.

I'm not a lawyer and can't explain why things are the way they are. I can only inform you that this is the way things have shaked out in the past.

Then can you point out specific cases when that has happened? Because frankly, it doesn't make sense to me, nor is it my recollection, that a copyright infringement suit can only be won if every single holder is part of the accusation.
You're right - you only need an author whose contributions were (supposedly) infringed. Of course, if you have more of them, covering larger amounts of code, that might help.

A prime example is the SFC vs. VMWare lawsuit, where SFC represents a single contributor to Linux Kernel (Christoph Hellwig).

https://sfconservancy.org/news/2015/mar/05/vmware-lawsuit/

> If you don't, to make your case you have to round up virtually everyone who has ever contributed to your project because they are copyright holders too.

This is demonstrably untrue - all the Linux kernel GPL enforcement cases have been brought by individuals without involving any other kernel copyright holders.

Which cases? Help add to my knowledge and I'll gladly admit I'm wrong here -- every successful GPL infringement case I know of was from Busybox.
> Let's say that someone infringes on the license. So you take them to court to get them to follow the license. If you have a CLA you are the copyright holder so you can just do this. If you don't, to make your case you have to round up virtually everyone who has ever contributed to your project because they are copyright holders too.

No, if you hold a valid sublicensable license (which includes any F/OSS license, as that's rather the point of Free Software/Open Source Software), and make a derivative work as authorized by that license, you hold the copyright on the derivative work and can enforce it without any participation by the upstream copyright holders.

You may run into difficulty if the offender can show by a preponderance of the evidence that their allegedly-infringing work is derived from the upstream rather than your derivative work, in which case the upstream would have to take action.

As they're releasing the code under Apache 2.0 anyway, what is the motivation for having contributors sign an additional CLA?

I'd much rather see them use a Contributor License Agreement (e.g. the Harmony ones that Canonical uses [1]) than requiring the contributors to assign their rights to the source code (which he or she might not be able to do legally).

[1] http://harmonyagreements.org

Those contributors contributed when it was not under the Apache license. They either need to get all rights assigned to them (DataStax) and then they can relicense it under Apache, or they need to get all contributors to agree to relicense under Apache. Looks like they are taking option 1 because it will make relicensing less of a headache in the future if it becomes necessary.
Ah, thanks. That part was missing from the issue.
An opposing viewpoint on CLAs: Why Your Project Doesn't Need a Contributor Licensing Agreement [0] (by Bradley M. Kuhn of the Software Freedom Conservancy)

Essentially he argues that all a project needs is an "inbound=outbound" rule for contributions, in that any contributor agrees to license their code to the project under the same license as the project. This protects the contributor's interests while still ensuring that the project has the right to use the code.

[0] https://sfconservancy.org/blog/2014/jun/09/do-not-need-cla/

The CLA protects users of the software from contributors coming back later and saying: "Hey I own that code and now you need to pay me!" Apache projects in general rely on CLA documents.

It's totally in the right of the contributor to refuse to sign this document. But don't expect your contributions to be applied, or work on any Apache licensed projects :)

I am not a lawyer, but I'm pretty sure that how non-cla open source projects handle it also protects them from that eventuality.

All contributors are required to say "This code is released under X license" which prevents the person from later coming back and asking for money for them to use the code.

Edit: Assuming my above comment is correct, what this means is that the only real point of a CLA that I'm aware of is to allow the owner of the CLA to change the license on code without asking the contributors.

I think the point is that if a project is big enough, it will inevitably go to court at some point (probably at many points). Having a CLA will make this a lot less expensive for the project maintainers.
Why is it cheaper with a CLA?
Because the Contributors, in advance, have already agreed to confer a certain set of IP rights to the mainter and manager with respect to the code they've contribute. This means there's less questions during litigation about the rights to the code the maintainer holds and prevents the maintainer from having to track down individual contributors during a lawsuit.
chmac's single, substantive contribution to the project: https://github.com/datastax/nodejs-driver/commit/6f3c6b2f454...
I think he still has a point. Perhaps not for him in particular on this project.
I think he all-the-more has a point: that he shouldn't waste his time reading and signing some scary contract to be able to contribute a correction of a typo.
I've looked at his other submissions, I don't think he'll be missed.

He comes across as your typical junior/mid webdev "programmer", very busy making himself look too busy to deal with a simple task like reading a CLA.

Had he read it, and objected, sure. But instead he is such a titan of tech that he doesn't even have the time to READ the contract that he disagrees with.

I won't sign Apache/Google-style CLAs either, because there's no way to terminate the agreement for any future contribution. Once you've signed, you're bound forever that anything you "submit" is a contribution - and basically everything is a contribution - from Google's CLA:

  For the purposes of this definition, "submitted" means any
  form of electronic, verbal, or written communication sent
  to Google or its representatives, including but not limited
  to communication on electronic mailing lists, source code
  control systems, and issue tracking systems that are 
  managed by, or on behalf of, Google for the purpose of
  discussing and improving the Work, but excluding
  communication that is conspicuously marked or otherwise
  designated in writing by You as "Not a Contribution."
For example, if you so much as talk to a Googler at the airport bar about a project you've signed a CLA for, bam, it's a contribution unless you remember to be explicit about saying "This is not a contribution". On the other hand, if you don't sign, only things that you explicitly mark as a contribution or otherwise suitably license are contributions, and someone who's signed the CLA is free to integrate it without needing to ask you.

I don't want some agreement following me around for life, and I don't want to have to disclose to every future employer that "Oh yeah, I've got an agreement with X that unless I remember to say otherwise X gets the rights to use it".

I'd sign a CLA that included a clause that said "This agreement may be terminated by either party in writing. Terminating this agreement does not revoke any licenses granted to the project while the agreement was in force."

Ignoring the issue of CLAs, I can't help but find the "You did it!" confirmation message a bit patronizing.