
Why CLAs aren't good for open source (Opensource.com)

Posted Mar 1, 2019 12:38 UTC (Fri) by laf0rge (subscriber, #6469)
Parent article: Why CLAs aren't good for open source (Opensource.com)

"Distributed copyright" in absence of a CLA is a *strength* of any FOSS project. I'm really surprised this isn't more widely recognized.

No single entity can ever control it. No single entity can ever re-license it (intentionally or after going into insolvency, after an evil takeover, ...). Not having CLAs is the best guarantee that the original wishes of the authors are respected indefinitely in the future.


Posted Mar 1, 2019 18:47 UTC (Fri) by jejb (subscriber, #6654) [Link] (2 responses)

Distributed copyright is a core strength for the community, yes. Whether it's a core strength for the company depends whether the business model of the company is aligned with the community: pressure for CLAs often isn't legal. Lawyers tend to like CLAs because it keeps them in the relevance loop, but the bias is usually minor; pressure for CLAs is often business related. For instance an open source startup often begins with an open core business model, for which they require a CLA because they don't know which component will be the profitable one and they need to own it to relicence it. This CLA dependence gets stronger as VCs decide the problem isn't a broken business model, it's a broken licence ...

I think we (as in those of us who read articles on lwn.net) can all agree that this community and business misalignment is a sign of a broken business model, but getting a business (or even a VC) to see this is a much harder problem.

Posted Mar 2, 2019 8:51 UTC (Sat) by ThinkRob (guest, #64513) [Link] (1 responses)

> Distributed copyright is a core strength for the community, yes.

Would distributed copyright have helped prevent OpenSolaris's fate?

As it stands, it seems like it was easy, even trivial for Oracle to close off Solaris. Thanks to the CLA they owned all the copyrights, so come Solaris 11... blammo! Closed it went.

Posted Mar 4, 2019 18:29 UTC (Mon) by k8to (guest, #15413) [Link]

Given Oracle's resources, and the amount of external contribution, they could have closed it I think in a relatively straightforward way. It would have been more expensive to replace bits, but not particularly hard.

Maybe you could argue a more open project might have attracted more participation which would have raised the cost higher, but I think not enough in this case.

An OpenSolaris which was opened earlier and got more critical mass outside the company? Maybe.

Posted Mar 1, 2019 20:19 UTC (Fri) by xtifr (guest, #143) [Link] (10 responses)

> "Distributed copyright" in absence of a CLA is a *strength* of any FOSS project.

In general, yes. The rare exceptions, like OpenSSL, can be quite a hassle, though. Fortunately, they are *very* rare.

Posted Mar 2, 2019 17:23 UTC (Sat) by Conan_Kudo (subscriber, #103240) [Link] (7 responses)

I would argue that the difficulty of relicensing is actually a *good* thing. It forces a conversation when there otherwise wouldn't be any, and ensures all the stakeholders are involved in the decision to change the terms that the software is available under.

Posted Mar 3, 2019 22:01 UTC (Sun) by xtifr (guest, #143) [Link] (2 responses)

> I would argue that the difficulty of relicensing is actually a *good* thing.

In general, yes. Which is why my previous post started out saying "In general, yes." :)

(Although technically, it *doesn't* insure that *all* the stakeholders are involved in the decision. "Mere" users have a stake in the decision, but they get zero say in the matter.)

I'm just pointing out that there *can be* downsides. And I should note that there are *other* options between only-one-entity-gets-a-say (standard CLA) and any-change-requires-100%-unanimity. I don't think anyone has ever explored any of those options, but they do exist.

(And we *still* don't have a relicensed OpenSSL, despite years of effort by the project, and *worldwide* agreement that their existing license is terrible.)

Posted Mar 6, 2019 2:31 UTC (Wed) by Conan_Kudo (subscriber, #103240) [Link] (1 responses)

> (And we *still* don't have a relicensed OpenSSL, despite years of effort by the project, and *worldwide* agreement that their existing license is terrible.)

We actually do. OpenSSL git master is licensed ASL 2.0 now: https://github.com/openssl/openssl/commit/151333164ece49f...

The next OpenSSL release will include the license change. We just don't yet have OpenSSL 3.0.0, which is the next release, apparently: https://www.openssl.org/docs/OpenSSLStrategicArchitecture...

Posted Mar 7, 2019 5:30 UTC (Thu) by xtifr (guest, #143) [Link]

Ok, ok, we don't have a relicensed OpenSSL *release* yet.

(But it does sound like we're very close, which is excellent news.)

Posted Mar 9, 2019 10:52 UTC (Sat) by azumanga (subscriber, #90158) [Link] (2 responses)

The problem with older projects is some of the most significant coders might be dead. When you have a gpl v2 project that can't link against gpl v3 code, this can create serious problems.

Posted Mar 9, 2019 11:07 UTC (Sat) by mpr22 (subscriber, #60784) [Link] (1 responses)

I wouldn't be too surprised if their estates are more willing to relicence from GPLv2 to GPLv2+ or GPLv3+ than they would have been in life.

Posted Mar 9, 2019 14:52 UTC (Sat) by azumanga (subscriber, #90158) [Link]

Their estates are usually children, or their now elderly spouses. First I would have to track them down, then try to explain what I wanted. Just finding them is likely to be a major undertaking, and not something I really want to do.

Posted Mar 16, 2019 21:51 UTC (Sat) by gps (subscriber, #45638) [Link]

It may well be impossible to contact all of the stakeholders let alone even know who they are when a project never enforced a CLA before accepting submissions. Thus lack of a CLA becomes a virus preventing all future change. Exactly what copyleft zealots love. :/

Posted Mar 2, 2019 18:18 UTC (Sat) by jejb (subscriber, #6654) [Link] (1 responses)

> The rare exceptions, like OpenSSL, can be quite a hassle, though

That's actually the point: relicensing should be a hassle and it should involve your entire community. Fine, OpenSSL might have picked a silly licence initially and now they need to change it, but the community is motivated to do that, so change is happening; it's actually a show of distributed copyright working.

When you agree with the licence being changed to, the change looks fine, particularly if the old licence was a bad one; however, supposing for the sake of argument (and this is a pure hypothetical to illustrate the argument) OpenSSL had a CLA allowing their board to change the licence at will and their board later decided that the CII funding wasn't enough and the rest of the internet should also help fund them so they would switch to a variant of SSPL to enable that. Now what remedy do you have without the distributed copyright franchise?

Posted Mar 4, 2019 2:16 UTC (Mon) by ewen (subscriber, #4772) [Link]

The other remedy is to fork the last Open Source licensed version and maintain that separately, as a community. OpenSSH was created like that, when the ssh.com license changed. Illumos was created like that when the OpenSolaris license situation changed. It's a lot more work than just distributed copyright preventing that license change. But for a project sufficiently important to the wider community it is possible.

More generally I think distributed copyright license grants that are "license FOO or other similar licenses" would be a more useful distributed copyright approach than strict licensing under the exact original project license, especially if (like OpenSSL) the original project is "home grown" rather than one of the handful of very widely accepted community derived licenses (BSD / MIT / GPL / MPL / maybe one or two others). The FSF recommended "GPL v2 or later" style approach is basically that, for the same reason, but "similar license" or something like it both constrains the next license to a similar spirit (preventing complete changes of direction) and also allows more flexibility, assuming broad community consensus (but maybe not *everyone* having to formally agree) that the replacement license is an acceptable substitute that is "similar" enough.

Ewen

