Audacity gets a CLA

Ready to give LWN a try?
With a subscription to LWN, you can stay current with what is happening in the Linux and free-software community and take advantage of subscriber-only site features. We are pleased to offer you a free trial subscription, no credit card required, so that you can see for yourself. Please, join us!

By Jake Edge
June 16, 2021

The Audacity multi-track audio editor and recorder got its start in the previous century; it is a popular application that is available for multiple platforms, and it is licensed under the GPLv2 or later. But Audacity has been acquired by a newly formed organization called Muse Group; that event has caused something of an uproar in its community. The problem, at least in part, is the new Contributor License Agreement (CLA) required to contribute to Audacity.

The acquisition of the project was announced in an early-May YouTube video posted by Martin Keary ("Tantacrul"); that news was subsequently confirmed on the Audacity web site. In the video, Keary talks about what is planned for Audacity:

Audacity has just joined Muse Group, a collection of brands that includes another popular open source music app called MuseScore, which I’m currently in charge of. And since things are going rather well at MuseScore, I was asked to step up and also manage Audacity in partnership with its open source community. And just like we’re doing at MuseScore, we’re now planning on significantly improving the feature set and ease of use of Audacity – providing dedicated designers and developers to give it the attention it deserves – while keeping it free and open source.

In general, the reaction to the announcement (e.g. at Hacker News and again the next day) was fairly positive; there is a belief that Audacity could use some work on its user interface and that Keary has done good work on the MuseScore interface and elsewhere. But it did not take all that long for a clash between the community and the project to arise. A pull request by Dmitry Vedenko to add a telemetry feature was met with a large amount of dissent.

The feature, which was meant to be opt-in at install time, would report anonymous information to Google and Yandex; telemetry could be also be configured out at build time, though it would be present in the builds made by the project. Hundreds of comments on the pull request were made—nearly all unhappy with it due to privacy concerns—which led to the feature, as originally proposed, being dropped. In that message, Keary said that there is a need for opt-in crash and error reporting in Audacity, but that any data sent will be hosted by the project (or Muse Group), not Google and Yandex. Meanwhile, though, there is still interest in more-intrusive application-usage data if an acceptable mechanism is found for it:

Telemetry is a practical tool that tells us a lot about how an app is performing or underperforming (is this new feature being used a lot? Is this button being discovered? etc.) We assumed that making it opt-in would allay privacy concerns but since this isn't the case, we are dropping it. In the future, we may want to determine if there are any acceptable alternative solutions that could achieve the same goal. Feedback would be appreciated on this point. In the meantime, I will continue user testing, interviewing, reading feedback and conducting surveys to learn more about what our users want.

What was acquired?

Something that became clear from various discussions on GitHub and other forums is that people in the community were confused by what was actually acquired when Audacity "joined Muse Group". While the rest of the software industry is notoriously acquisition-happy, the free-software world has generally avoided those kinds of changes, in part because the code is often "owned" by the contributors—and the community. A request for clarification that was linked in various places raised a number of questions about the acquisition, such as:

Is it even possible for a company to acquire a free and open source project licensed under the GPL?
How exactly did Muse Group acquire Audacity?
What rights and power does Muse Group legally have over the Audacity project?
Can Muse Group even legally claim ownership over the project or do they simply own the trademarks to the name and logo?

It took a bit, but Daniel Ray ("workedintheory"), Muse Group's head of strategy, answered on May 25. In a nutshell: "Muse Group acquired the Audacity trademark and project infrastructure in addition to a license to the source code from contributors to the Audacity project in the form [of a] CLA." In a follow-up message, he confirmed that Muse Group had gotten signed CLAs from all of the relevant Audacity developers; that means that the company has control of the licensing of the code moving forward as well. Ray also pointed to a press release about the acquisition from April 30 that seemingly flew under the radar; for one thing, it filled in the strongly positive reaction from the project's founders, which was something that had been asked about.

But, in an unsurprising development, that same day Ray posted information about the CLA that would be required for contributions going forward. In it, he said that Muse Group intended to update the Audacity license to GPLv3 in order to make Audacity compatible with Virtual Studio Technology 3 (VST3) plugins, and with MuseScore, which recently switched to GPLv3. It is not entirely clear why the GPLv2+ license that Audacity has would be a problem for sharing code with either VST3 or MuseScore, however. He did try to reassure the community, though: "Naturally, Audacity will remain free and open source with no artificial limitations or paid tiers."

But there are platforms like iOS where the GPL can be an impediment, he said, so Muse Group wants the flexibility to be able to further relicense if need be. In addition, it may offer additional services:

We will likely offer separate cloud services that Audacity users can take advantage of if they choose. These services will fund the future development of Audacity, in much the same way that MuseScore.com funds the development of MuseScore composition software.

As might be guessed, that set off another lengthy thread. Numerous commenters pointed out that, in their opinion, the reasons specified by Ray were not sufficient to overcome the problems that stem from a CLA of that nature. The crux of the matter is that the CLA puts Muse Group in a position to use contributions from the community in other products, even if Audacity itself remains free. As Ray put it: "The CLA also allows us to use the code in other products that may not be open source, which we intend to do at some point to support the continued development of Audacity." It is worth noting that while Ray and Keary have both committed to keeping Audacity available as free and open-source software, nothing in the CLA binds the company to doing so.

Audacity's future

There has been talk about forking the project or starting over from scratch, but it is not at all clear how serious any of that is. The Audacity team was obviously involved in the transaction, at least to the point of agreeing to sign the CLA for their contributions, though financial terms have not been disclosed. The team has been largely silent throughout the uproar, perhaps because much of the unhappiness is being expressed by Audacity users or unconnected FOSS community members, not project contributors. In his follow-up linked above, Ray suggested that may explain the lack of engagement:

Mostly, I don't think they really have too much to say much because nearly all of these people who are commenting are not people they know or that have had anything to do with the project in the past. This sudden influx is not from the Audacity contributor community, not really sure if even from the user community, but seem to place demands on a project they were never a part of.
I can see why they would prefer not to say too much.

A lengthy message from Shane Mueller gives his reasons for signing the CLA for his 15-year-old contributions to Audacity. He is impressed with what the team of "3-4 volunteer programmers and handful of regular non-programmer contributors" has done with the application over the years, but worries about the future:

The volunteer team is small and not growing, not young and getting older, mostly not really pro-audio or usability experts, and probably won't be contributing at all in another 10-15 years. Audacity will literally end if a couple key contributors took a step back from the project or retire. It will have no chance of even doing a new release, let alone putting substantial effort into things that will make more than incremental improvements. When people call for a fork, I wonder where they have been for the last 20 years or so--if they were really passionate enough to contribute to a mature project (ugh) for amateur users (ugh) using c++ (ugh), wx (ugh), having an ugly UI (ugh) and relying on large mishmash of audio libraries to figure out (ugh), all to enable cross-platform capability (ugh), I think they would be doing it already.

Mueller said that he would have been happy to sign a CLA for a hypothetical Audacity non-profit foundation—and still would be. But it takes a lot of time and effort to set up that kind of organization, which still does not solve the lack-of-contributors problem. Effectively, he does not see a good future for Audacity without a new approach; he is not interested in working on that himself, but is "willing to support those who are involved and let them try this new model for how the project will be sustained into the future".

It would seem that Muse Group has the current Audacity team on-board with its plans, and has added some additional developer-power to the project. That would seem to bode well for improvements, probably at a much more rapid pace. But the CLA may deter community contributions to the project going forward. Muse Group would seem to have taken that into account in its planning—in the near term, it may be no real change from the status quo.

If there truly is a groundswell of interest in an independent Audacity, obviously a fork is possible at any point while the code is available under the GPL. Or an interested group could start over; Mueller's message and other comments seem to indicate that Audacity might not have the most pleasant code base to work with. But it seems fair to say that if all of the developers with any substantial copyright in Audacity are happy with the Muse Group and its plans, that is clearly the right path for the project, even if it does not mesh entirely cleanly with what the FOSS world has come to expect. It may well be the only plausible way forward for the project.

Audacity gets a CLA

Posted Jun 16, 2021 2:19 UTC (Wed) by bnewbold (subscriber, #72587) [Link] (4 responses)

Alt titles:
"CLA move controversial for Audacity"
"The Sheer Audacity? Transparency concerns raised by CLA decision"
"Audacious Licensing Agreement Alienates Libre Audiophiles"

Audacity gets a CLA

Posted Jun 16, 2021 2:54 UTC (Wed) by ccchips (subscriber, #3222) [Link]

Hey, that third one mentions "Audacious." I love that program.....

Audacity gets a CLA

Posted Jun 16, 2021 2:56 UTC (Wed) by rsidd (subscriber, #2582) [Link] (2 responses)

The article itself suggests there is no controversy among audacity developers and this is a good way forward. I have used audacity only casually, but know people who use it on windows too. If this keeps it alive and relevant, good.

Audacity gets a CLA

Posted Jun 16, 2021 7:01 UTC (Wed) by geert (subscriber, #98403) [Link] (1 responses)

I was pleasantly surprised to discover Medion bundles Audacity with a USB turntable.

Audacity gets a CLA

Posted Jun 16, 2021 7:37 UTC (Wed) by Wol (subscriber, #4433) [Link]

I think you'll find the standard software with ANY USB turntable is Audacity. I've bought two - one for my mum, one for me - from different brands (not Medion), and they've both come with Audacity.

Cheers,
Wol

Audacity gets a CLA

Posted Jun 16, 2021 9:25 UTC (Wed) by Karellen (subscriber, #67644) [Link] (1 responses)

The [telemetry] feature, which was meant to be opt-in at install time...

I realise that the feature was dropped so this is all hypothetical now, but it seems odd to me to make that a per-installation setting, and not a per-user setting. I'd have thought that you should give each user of the product the ability to decide if they want their usage of the app tracked or not.

Audacity gets a CLA

Posted Jun 16, 2021 15:39 UTC (Wed) by mbunkus (subscriber, #87248) [Link]

My guess that Audacity, like a lot of other desktop Open Source programs such as my MKVToolNix, has a user base whose vast majority works on Windows. On Windows it's rather common to let the user make important decisions on installation time. And due to the nature of the topic Audacity deals with, it is highly likely that the type of Windows installations Audacity is run on are single-user PCs and not multi-user systems (such as terminal servers), making the distinction between "per installation" and "per user" mostly moot.

Audacity gets a CLA

Posted Jun 16, 2021 17:18 UTC (Wed) by atnot (subscriber, #124910) [Link] (1 responses)

My "Naturally, Audacity will remain free and open source" t-shirt has people asking a lot of questions already answered by my shirt.

Audacity gets a CLA

Posted Jun 17, 2021 1:43 UTC (Thu) by IanKelling (subscriber, #89418) [Link]

Lol. Well put. Everything points to the CLA being there for proprietary versions and then they confirmed they plan to do it.

Audacity gets a CLA

Posted Jun 16, 2021 18:35 UTC (Wed) by BirAdam (guest, #132170) [Link] (2 responses)

This sadly is true of many open source projects. There are plenty of users and FOSS enthusiasts willing to talk about FOSS, but very few who contribute time or money to the projects they so vociferously “defend”. It is likewise true that guys like Poettering get a lot heat for the things they do, and yet no one else is successfully doing anything (even I have given Poettering undue opprobrium in the past, and that for hearsay, I regret it, but at least I grew up). So here again, the developers of a project are doing something in the best interest of the project and its users, and they get nothing but scorn for it. The most anyone else does is talk. This is, perhaps, a natural outcome. No one owns these projects individually so everyone feels that they get a say. If Microsoft makes Windows worse, we all just laugh. If someone touches an open source project a very sizable minority of FOSS people scream very very loudly. I feel bad for all of the folks who take this unjust castigation, and I hope that people just move on and either fork or get over it.

Audacity gets a CLA

Posted Jun 16, 2021 21:39 UTC (Wed) by iabervon (subscriber, #722) [Link]

I think part of it is that there's a gradual shift in the overall FOSS community on what developers in general are comfortable with and want. But even people who are major developers and do a large part of the work on something don't do any work on 99% of the projects they use, and don't even use 99% of the projects that exist. Furthermore, each project has aspects that mean that global trends aren't necessarily the biggest factor in determining the best course for the project, and the developers of a particular project aren't necessarily the same as the average developer from the community overall. Lastly, a lot of developers in the broader community have had bad experiences with particular policies in the past, and get upset when those policies are introduced to other projects, not least because they're worried about those policies being seen as common best practices. So there's a big population of people who have good reasons to care, outside of the people directly affected.

Audacity gets a CLA

Posted Jun 17, 2021 21:16 UTC (Thu) by jafd (subscriber, #129642) [Link]

I would say a lot of heat Poettering was getting back a decade ago had been quite deserved, but he grew since then, too. At the very least, he is a lot less cavalier about breaking other people's workflows or dismissing use cases as "invalid" today than he had been years ago.

Otherwise yes, funny how almost all people that won't shut up about how a CLA is going to stifle contributions have exactly zero contributions themselves.

Audacity gets a CLA

Posted Jun 17, 2021 2:29 UTC (Thu) by jwoithe (subscriber, #10521) [Link] (1 responses)

One aspect of all this which appears to have been overlooked is the personal information requested when signing the CLA. A careful comparison between the Musescore and Audacity CLAs is instructive. For Audacity, signing requests a full name, github username, email, mailing address and phone numbers. However, all except the first three appear to be optional at present. However, in the Musescore case these additional fields are not optional. Given that both Musescore and Audacity are now controlled by the same organisation, one suspects that the Audacity CLA may be made consistent with Musescore's CLA at some point in the future (although I hope that it goes the other way, with Musescore making the mailing address and phone number fields optional). This is a concern, since the disclosure of so much personal information will be an impediment to many developers who might otherwise wish to get involved - especially since there's no obvious reason why details such as mailing address and phone number are needed.

I have not yet been able to locate a Privay Policy on the Audacity website which covers items such as the new CLA. The Musescore site does have one, which indicates that the "data controller" is an entity in Russia[1]. There is nothing else to indicate where the data might be stored, so naturally it seems that it will be on servers in Russia. Assuming that the Audacity project will at some point adopt a similar privacy policy[2], this too might become a barrier for some potential contributors.

To be clear, I am not suggesting there is anything untoward going on with either Audacity or Musescore, and retain an open mind as to what the acquisition means for Audacity into the future.

----
[1] From the "About this Notice" section of the Musescore Privacy Policy:
For the purposes of this Notice, WSM Group with registered office at Moskovsky pr-t,40-1301, Kaliningrad, Russia, 236004 ("MuseScore", "us", "we", or "our") acts as the data controller for the Personal Data that is collected via the Website and the App and through the Service. As a data controller, MuseScore is responsible for ensuring that the processing of Personal Data complies with applicable data protection law, and specifically with the General Data Protection Regulation.

[2] Which seems likely as the people running Musescore are now also running Audacity.

Audacity gets a CLA

Posted Jun 17, 2021 10:38 UTC (Thu) by Wol (subscriber, #4433) [Link]

> However, in the Musescore case these additional fields are not optional. Given that both Musescore and Audacity are now controlled by the same organisation, one suspects that the Audacity CLA may be made consistent with Musescore's CLA at some point in the future (although I hope that it goes the other way, with Musescore making the mailing address and phone number fields optional).

One would hope that someone would point out the GDPR places an obligation to collect the MINIMUM amount of data needed, and keep it for the SHORTEST possible time.

Given that, most CLA's really require only name, email, and public PGP key. Although I suspect they may want address and phone number for legal reasons (as in assorted laws say they need it), rather than they actually want it.

Most legal documents require this so you can be tracked down at a later date if necessary ...

Cheers,
Wol

Audacity gets a CLA

Posted Jun 17, 2021 4:29 UTC (Thu) by flussence (guest, #85566) [Link] (3 responses)

They couldn't have possibly chosen a more inept time to attempt the “shadowy group with money steals FOSS community from the commons” routine.

Not just because we've just had the most potent inoculation against creeps like those since SCO first surfaced, but also there's never been a better time to dump this crusty old software for Ardour - we have Pipewire now, and the days of faffing about with manually configured JACK or raw ALSA devices are over.

Audacity gets a CLA

Posted Jun 17, 2021 5:53 UTC (Thu) by rsidd (subscriber, #2582) [Link]

Not the same. If Ardour is like Gimp, Audacity is like MS Paint. Good enough for most people but not intended for professionals.

Audacity gets a CLA

Posted Jun 17, 2021 13:52 UTC (Thu) by joib (subscriber, #8541) [Link] (1 responses)

> Not just because we've just had the most potent inoculation against creeps like those since SCO first surfaced

What did I miss? What has happened here in this space?

Audacity gets a CLA

Posted Jun 17, 2021 14:27 UTC (Thu) by Wol (subscriber, #4433) [Link]

Could that be freenode?

Cheers,
Wol

Audacity gets a CLA

Posted Jun 17, 2021 21:31 UTC (Thu) by jafd (subscriber, #129642) [Link] (3 responses)

One problem I'm envisioning with the CLAs is that the way they usually are executed creates some unnecessary friction when all you want is a drive-by contribution without any obligations.

Like, I work with the program, it has an annoying bug, turns out that a one-line change fixes it, so I want to send this one-line change upstream and let them do what they will with it if they want to. No, I don't have any intent to become a part of your "vibrant community", thank you very much. Nor do I want to beg for the maintainers' attention for my PR, or persuade them to get their buy-in. And now sign documents and fill forms on top of it all.

I wonder if projects want to solve this problem in some way. I wouldn't have a problem with CLAs themselves, only with the amount of red tape around them.

Audacity gets a CLA

Posted Jun 17, 2021 21:58 UTC (Thu) by Wol (subscriber, #4433) [Link]

> I wonder if projects want to solve this problem in some way. I wouldn't have a problem with CLAs themselves, only with the amount of red tape around them.

The solution to me is obvious, just tracking it might be a problem ... accept drive-by patches under a MIT licence ...

Cheers,
Wol

Audacity gets a CLA

Posted Jun 17, 2021 22:06 UTC (Thu) by anselm (subscriber, #2796) [Link]

it has an annoying bug, turns out that a one-line change fixes it

One-line bug fixes may not actually be eligible for copyright in the first place, especially if they fix trivial oversights in a very obvious manner. Works are supposed to be creative to deserve copyright.

Audacity gets a CLA

Posted Jun 18, 2021 0:36 UTC (Fri) by Cyberax (✭ supporter ✭, #52523) [Link]

If it's your personal fix, you can typically sign CLAs online these days using something like Docusign. It gets attached to your Github profile, so future patches will automatically go through the CLA review.