That was a refreshing perspective, Richard -- thanks for taking the time to write that for us. This one's a keeper.
d On 05 Jan 2012 - 14:11, Richard Fontana wrote: > On Wed, Jan 04, 2012 at 09:49:29PM +0000, Mark McLoughlin wrote: > > Hi Rick, > > > > On Tue, 2012-01-03 at 09:02 -0600, Rick Clark wrote: > > > Hey Mark, > > > > > > First of all, orthogonally, we are very lucky to not have Copyright > > > Assignment crushing this project. That is what the management at > > > Rackspace wanted, only NASA's inability to sign such a document > > > prevented it. > > > > Copyright assignment would certainly be worse than an Apache-style CLA. > > I currently regard Apache-style CLAs are "worse" (scare quotes > intentional) than copyright assignment, since (1) they are essentially > equivalent to copyright assignment in the legal effect that seems like > it ought to matter to developers the most -- that is, under both > copyright assignment and an Apache-style CLA, the inbound party gets > to do whatever they want with the code contributed, yet (2) for > strange sociological reasons many developers tend to see copyright > assignment as bad but Apache CLAs as inherently benign. To put it more > simply, my concern is that Apache-style CLAs are deceptive in a way > that copyright assignment is not, given the well-established antipathy > to copyright assignment in open source development culture. > > For an Apache-licensed project like OpenStack this is not too > significant, however. Just kind of perplexing. > > > > IANAL, but I was told by lawyers when we were in the planning stages of > > > starting Openstack, that while in the US submitting code under the > > > Apache License 2.0 was enough to bind the submitter to it, that is not > > > the case in all countries. Some countries require explicit acceptance > > > to be bound by it. > > > > I've cc-ed Richard Fontana who I'm sure can comment on that. > > Thank you, Mark, for the opportunity for a bit of a rant. I can't > resist talking about this topic. :) > > I've heard many arguments in favor of formal CLAs and copyright > assignment and the like, but this may be a new one. It is not > necessary to consider the underlying legal issue, because the argument > collapses on its own logic. > > If it's important to have explicit acceptance to bind a contributor to > OpenStack to the license granted on the inbound contribution to the > OpenStack project (or whatever entity is acting as the alter ego of > it), it ought to be equally important to bind such project/entity > (Rackspace, OpenStack Foundation, the non-corporate collective of > individual OpenStack committers, whatever) in their offering of the > Apache License 2.0 outbound to any given member of the public > downstream from OpenStack. Yet when I download OpenStack code, I don't > get any such formal indication of binding assent from upstream. I > don't get any signed statement with a wax seal affixed committing the > upstream contractually to giving me the rights I'm supposed to be > getting under the Apache License 2.0. All I get is some software with > a text file containing a copy of the Apache License 2.0. > > Now, I think that's perfectly fine, because that's how free > software/open source has always worked. Indeed it is a key part of why > it works. It would be strange if OpenStack did things any > differently. But if *that's* okay, why is it not okay for contributors > to OpenStack to have the same freedom to indicate their licensing in > of contributions in a traditional manner -- namely, by merely > providing notice of the license (which might as well be the Apache > License 2.0)? It doesn't make sense. > > Moreover, anyone who thinks that open source is unsafe or unreliable > without a system of explicit acceptance by the licensor of inbound > contributions should immediately cease using it altogether, since 99% > or so of it was produced without any such system in place. Any > suggestion otherwise is dismissable, but I think it does some damage > to suggest that there's something unsafe about using an > alternate-universe version of OpenStack where the project did not make > use of a CLA, as it unnecessarily casts doubt on that 99 or so % of > open source software that is developed without such cumbersome > mechanisms, and indeed it casts doubt on the reliability of open > source licensing itself. Thus, by using an Apache-style CLA, OpenStack > is shooting itself in the foot. > > There are other things one might mention, such as the fact that the > Apache License 2.0 ingeniously contains a built-in contributor > agreement of sorts already. > > > > We have a bigger hole in the Corporate CLA, IMHO. I have been told that > > > since it is necessary for a corporate signer to explicitly name their > > > individual contributers, and we have no way of updating the document, > > > openstack is potentially left open to a lawsuit, if an employee > > > unspecified in the CLA, contributes something they consider IP. I > > > seriously hate all this legal stuff. > > I sympathize... > > > I'll leave that one for Richard too :-) > > On this one, I'd just say that this degree of risk aversion is out of > place in open source. When has it happened that some company or > project was sued because of failure to add a name to a Corporate CLA? > Where are all these lawsuits brought by contributors to open source > projects? > > I hope it is of some value for OpenStack developers to at least hear a > gratuitous alternative legal viewpoint from whatever they have > previously heard on this topic. > > Thanks, > > Richard Fontana > Open Source Licensing & Patent Counsel > Red Hat, Inc. > > > _______________________________________________ > Mailing list: https://launchpad.net/~openstack > Post to : [email protected] > Unsubscribe : https://launchpad.net/~openstack > More help : https://help.launchpad.net/ListHelp _______________________________________________ Mailing list: https://launchpad.net/~openstack Post to : [email protected] Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
