2009/12/9 Behdad Esfahbod <beh...@behdad.org>:
> On 12/09/2009 11:30 AM, Ross Gardler wrote:
>
>> Without CLAs the student themselves are exposed as well as the
>> receiving organisation. It's not just about risk to the project, but
>> also to valuable volunteers.
>
> Ok, you are losing me here. Maybe you should explain what kind of CLA you
> have in mind, and what are the implications of using it in your mind?

Before I respond let me repeat, just in case my message is getting lost in the detail, I'm not insisting that all contributions must carry a CLA. I'm merely saying we need to understand the risks, all the risks, so that we can evaluate them on a case by case basis.

In your reply (which I've snipped for brevity) you only consider cases where a contributor contributes code they have no right to (either with or without CLA). You failed to consider the case where a contributor inadvertently infringes a patent or contributes code that looks like a copyright infringement to a third party. Furthermore, there is the case where a bug in a piece of software causes damage to a third party.

Now, understanding that there are more possible causes for a dispute, let's consider the CLA itself, using the ASF CLA as an example (but this is not at all an unusual kind of CLA):

The Individual Contributor License Agreement (http://www.apache.org/licenses/icla.txt) says:

    6. You are not expected to provide support for Your Contributions,
       except to the extent You desire to provide support. You may provide
       support for free, for a fee, or not at all. Unless required by
       applicable law or agreed to in writing, You provide Your
       Contributions on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS
       OF ANY KIND, either express or implied, including, without
       limitation, any warranties or conditions of TITLE,
       NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR
       PURPOSE.

Without a CLA, there is no such agreement between the original contributor and the project. The project itself could sue the contributor for a bug that resulted in damages. Having a CLA between the contributor and the ASF makes it clear that the contributor offers no warranty for his code. Thus the contributor has more protection by using a CLA than by not using a CLA.

Of course, *your* project will never sue a contributor, right? How do you guarantee that without an explicit agreement?
How do you guarantee that this will always be the case?

I realise that the alternative view of "code is contributed under license XYZ and XYZ has such a disclaimer" is arguably sufficient. However, any lawyer will tell you that an explicit agreement is far more likely to stand up against scrutiny than an implicit agreement.

A further protection for contributors is that the CLA is an explicit agreement which essentially says "I will not sue you for using my code". If every contributor needs to sign a CLA then no contributor can sue the project or any other contributor. But, as above, if there is no explicit agreement of this sort we are exposing contributors to risk. It's even worse when some people have signed and others have not, since there is unequal risk across the project (and those who worry about these things would claim the drive-by contributor is more likely to abuse this).

Ross