On Wed, Jan 04, 2012 at 09:49:29PM +0000, Mark McLoughlin wrote:
> Hi Rick,
>
> On Tue, 2012-01-03 at 09:02 -0600, Rick Clark wrote:
> > Hey Mark,
> >
> > First of all, orthogonally, we are very lucky to not have Copyright
> > Assignment crushing this project. That is what the management at
> > Rackspace wanted, only NASA's inability to sign such a document
> > prevented it.
>
> Copyright assignment would certainly be worse than an Apache-style CLA.

I currently regard Apache-style CLAs as "worse" (scare quotes
intentional) than copyright assignment, since (1) they are essentially
equivalent to copyright assignment in the legal effect that seems like
it ought to matter to developers the most -- that is, under both
copyright assignment and an Apache-style CLA, the inbound party gets to
do whatever they want with the code contributed, yet (2) for strange
sociological reasons many developers tend to see copyright assignment
as bad but Apache CLAs as inherently benign. To put it more simply, my
concern is that Apache-style CLAs are deceptive in a way that copyright
assignment is not, given the well-established antipathy to copyright
assignment in open source development culture.

For an Apache-licensed project like OpenStack this is not too
significant, however. Just kind of perplexing.

> > IANAL, but I was told by lawyers when we were in the planning stages of
> > starting Openstack, that while in the US submitting code under the
> > Apache License 2.0 was enough to bind the submitter to it, that is not
> > the case in all countries. Some countries require explicit acceptance
> > to be bound by it.
>
> I've cc-ed Richard Fontana who I'm sure can comment on that.

Thank you, Mark, for the opportunity for a bit of a rant. I can't
resist talking about this topic. :)

I've heard many arguments in favor of formal CLAs and copyright
assignment and the like, but this may be a new one. It is not necessary
to consider the underlying legal issue, because the argument collapses
on its own logic.

If it's important to have explicit acceptance to bind a contributor to
OpenStack to the license granted on the inbound contribution to the
OpenStack project (or whatever entity is acting as the alter ego of
it), it ought to be equally important to bind such project/entity
(Rackspace, OpenStack Foundation, the non-corporate collective of
individual OpenStack committers, whatever) in their offering of the
Apache License 2.0 outbound to any given member of the public
downstream from OpenStack. Yet when I download OpenStack code, I don't
get any such formal indication of binding assent from upstream. I don't
get any signed statement with a wax seal affixed committing the
upstream contractually to giving me the rights I'm supposed to be
getting under the Apache License 2.0. All I get is some software with a
text file containing a copy of the Apache License 2.0.

Now, I think that's perfectly fine, because that's how free
software/open source has always worked. Indeed it is a key part of why
it works. It would be strange if OpenStack did things any differently.
But if *that's* okay, why is it not okay for contributors to OpenStack
to have the same freedom to indicate their licensing in of
contributions in a traditional manner -- namely, by merely providing
notice of the license (which might as well be the Apache License 2.0)?
It doesn't make sense.

Moreover, anyone who thinks that open source is unsafe or unreliable
without a system of explicit acceptance by the licensor of inbound
contributions should immediately cease using it altogether, since 99%
or so of it was produced without any such system in place.
Any suggestion otherwise is dismissible, but I think it does some
damage to suggest that there's something unsafe about using an
alternate-universe version of OpenStack where the project did not make
use of a CLA, as it unnecessarily casts doubt on that 99 or so % of
open source software that is developed without such cumbersome
mechanisms, and indeed it casts doubt on the reliability of open source
licensing itself. Thus, by using an Apache-style CLA, OpenStack is
shooting itself in the foot.

There are other things one might mention, such as the fact that the
Apache License 2.0 ingeniously contains a built-in contributor
agreement of sorts already.

> > We have a bigger hole in the Corporate CLA, IMHO. I have been told that
> > since it is necessary for a corporate signer to explicitly name their
> > individual contributors, and we have no way of updating the document,
> > openstack is potentially left open to a lawsuit, if an employee
> > unspecified in the CLA, contributes something they consider IP. I
> > seriously hate all this legal stuff.

I sympathize...

> I'll leave that one for Richard too :-)

On this one, I'd just say that this degree of risk aversion is out of
place in open source. When has it happened that some company or project
was sued because of failure to add a name to a Corporate CLA? Where are
all these lawsuits brought by contributors to open source projects?

I hope it is of some value for OpenStack developers to at least hear a
gratuitous alternative legal viewpoint from whatever they have
previously heard on this topic.

Thanks,
Richard Fontana
Open Source Licensing & Patent Counsel
Red Hat, Inc.

