Also posted on my blog at:
http://bibwild.wordpress.com/2011/12/14/practices-for-simple-contributor-management/

So, like many non-huge non-corporate-supported open source projects, many of the open source projects I contribute to go something like this (some of which I was original author, others not):

* Someone starts the project in a publicly accessible repo.

* If she works for a company, in the best case she got permission from her employer (who may or may not own copyright to code she writes) to release it as open source.

* She sticks some open source License file in the repo saying “copyright Carrie Coder” and/or the name of the employer.


Okay, so far so good, but then:

* She adds someone else as a committer, who starts committing code. And/or accepts pull requests on github etc, committing code by other authors.
* Never even thinks about licensing/intellectual property issues.

What can go wrong?

* Well, the license file probably still says ‘copyright Carrie Coder’ or ‘copyright Acme Inc’, even though the code by other authors has copyright held by them (or their employers). So right away something seems not all on the up and up.

* One of those contributors can later be like “Wait, I didn’t mean to release that open source, and I own the copyright, you don’t have my permission to use it, take it out.”

* Or worse, one of the contributors’ employers can assert they own the copyright and did not give permission for it to be released open source and you don’t have permission to use it (and neither does anyone else that’s copied or forked it from you).

== Heavy weight solutions

So there’s a really heavy-weight solution to this, like Apache Foundation uses in their Contributor License Agreement. This is something people have to actually print out and sign and mail in. Some agreements like this actually transfer the copyright to some corporate entity, presumably so the project can easily re-license under a different license later. (I thought Apache did this, but apparently not).

This is kind of too much overhead for a simple non-corporate-sponsored open source project. Who’s going to receive all this mail, and where are they going to keep the contracts? There is no corporate entity to be granted a non-exclusive license to do anything. (And the hypothetical project isn’t nearly so important or popular to justify trying to get umbrella stewardship from Apache or the Software Freedom Conservancy or whatever. If it were, the Software Freedom Conservancy is a good option, but still too much overhead for the dozens of different tiny-to-medium sized projects anyone may be involved in.)

Even so far as individuals, over the life of the project who the committers are may very well change, and not include the original author(s) anymore.

And you don’t want to make someone print out, sign, and wait for you to receive something before accepting their commits; that’s not internet-speed.

== Best practices for a simpler solution that’s not nothing?

So doing it ‘right’ with that heavy-weight solution is just way too much trouble, so most of us just keep ignoring it.

But is there some lighter-weight better-than-nothing probably-good-enough approach? I am curious if anyone can provide examples, ideally lawyer-vetted examples, of doing this much simpler.

Most of my projects are MIT-style licensed, which already says “do whatever the heck you want with this code”, so I don’t really care about being able to re-license under a different license later (I don’t think I do? Or maybe even the MIT license would already allow anyone to do that). So I definitely don’t need and really can’t handle paper print-outs.

I’m imagining something where each contributor/accepted-pull-request-submitter basically just puts a digital file in the repo, once, that says something like “All the code I’ve contributed to this repo in past or future, I have the legal ability to release under license X, and I have done so.” And then I guess in the License file, instead of saying ‘copyright Original Author’, it would be like ‘copyright by various contributors, see files in ./contributors to see who.’

Does something along those lines end up working legally, or is it worthless, no better than just continuing to ignore the problem, so you might as well just continue to ignore the problem? Or if it is potentially workable, does anyone have examples of projects using such a system, ideally with some evidence some lawyer has said it’s worthwhile, including a lawyer-vetted digital contributor agreement?

Any ideas?
