LWN: Comments on "Why CLAs aren't good for open source (Opensource.com)"

Why CLAs aren't good for open source (Opensource.com)

gps — Sat, 16 Mar 2019 21:51:52 +0000

It may well be impossible to contact all of the stakeholders let alone even know who they are when a project never enforced a CLA before accepting submissions. Thus lack of a CLA becomes a virus preventing all future change. Exactly what copyleft zealots love. :/

Why CLAs aren't good for open source (Opensource.com)

azumanga — Sat, 09 Mar 2019 14:52:51 +0000

Their estates are usually children, or their now elderly spouses. First I would have to track them down, then try to explain what I wanted. Just finding them is likely to be a major undertaking, and not something I really want to do.

Why CLAs aren't good for open source (Opensource.com)

mpr22 — Sat, 09 Mar 2019 11:07:49 +0000

I wouldn't be too surprised if their estates are more willing to relicence from GPLv2 to GPLv2+ or GPLv3+ than they would have been in life.

Why CLAs aren't good for open source (Opensource.com)

azumanga — Sat, 09 Mar 2019 10:52:39 +0000

The problem with older projects is some of the most significant coders might be dead. When you have a gpl v2 project that can't link against gpl v3 code, this can create serious problems.

Why CLAs aren't good for open source (Opensource.com)

kpfleming — Thu, 07 Mar 2019 14:10:00 +0000

Indeed, I've been trying (with no success) to convince projects which use CLAs that their 'special' privileges should not exist until they merge the contribution and publish it under the project's standard license; otherwise the operators of the project can just decide not to merge the contribution into the public project but instead merge into their non-public project. This would be abusive but is fully permitted by all the CLAs in use today.

Why CLAs aren't good for open source (Opensource.com)

xtifr — Thu, 07 Mar 2019 05:30:17 +0000

Ok, ok, we don't have a relicensed OpenSSL *release* yet.

(But it does sound like we're very close, which is excellent news.)

Why CLAs aren't good for open source (Opensource.com)

Conan_Kudo — Wed, 06 Mar 2019 02:31:25 +0000

> (And we *still* don't have a relicensed OpenSSL, despite years of effort by the project, and *worldwide* agreement that their existing license is terrible.)

We actually do. OpenSSL git master is licensed ASL 2.0 now: https://github.com/openssl/openssl/commit/151333164ece49f...

The next OpenSSL release will include the license change. We just don't yet have OpenSSL 3.0.0, which is the next release, apparently: https://www.openssl.org/docs/OpenSSLStrategicArchitecture...

Why CLAs aren't good for open source (Opensource.com)

k8to — Mon, 04 Mar 2019 18:29:38 +0000

Given Oracle's resources, and the amount of external contribution, thy could have closed it I think in a realtively straightforward way. It would have been more expensive to replace bits, but not particularly hard.

Maybe you could argue a more open project might have attracted more participation which would have raised the cost higher, but I think not enough in this case.

An OpenSolaris which was opened earlier and got more critical mass outside the company? Maybe.

Why CLAs aren't good for open source (Opensource.com)

ewen — Mon, 04 Mar 2019 02:16:19 +0000

The other remedy is to fork the last Open Source licensed version and maintain that separately, as a community. OpenSSH was created like that, when the ssh.com license changed. Illumos was created like that when the OpenSolaris license situation changed. It's a lot more work than just distributed copyright preventing that license change. But for a project sufficiently important to the wider community it is possible.

More generally I think distributed copyright license grants that are "license FOO or other similar licenses" would be a more useful distributed copyright approach than strict licensing under the exact original project license, especially if (like OpenSSL) the original project is "home grown" rather than one of the handful of very widely accepted community derived licenses (BSD / MIT / GPL / MPL / maybe one or two others). The FSF recommended "GPL v2 or later" style approach is basically that, for the same reason, but "similar license" or something like it both constrains the next license to a similar spirit (preventing complete changes of direction) and also allows more flexibility, assuming broad community consensus (but maybe not *everyone* having to formally agree) that the replacement license is an acceptable substitute that is "similar" enough.

Ewen

Why CLAs aren't good for open source (Opensource.com)

xtifr — Sun, 03 Mar 2019 22:01:01 +0000

> I would argue that the difficulty of relicensing is actually a *good* thing.

In general, yes. Which is why my previous post started out saying "In general, yes." :)

(Although technically, it *doesn't* insure that *all* the stakeholders are involved in the decision. "Mere" users have a stake in the decision, but they get zero say in the matter.)

I'm just pointing out that there *can be* downsides. And I should note that there are *other* options between only-one-entity-gets-a-say (standard CLA) and any-change-requires-100%-unanimity. I don't think anyone has ever explored any of those options, but they do exist.

(And we *still* don't have a relicensed OpenSSL, despite years of effort by the project, and *worldwide* agreement that their existing license is terrible.)

Why CLAs aren't good for open source (Opensource.com)

jejb — Sat, 02 Mar 2019 18:18:58 +0000

> The rare exceptions, like OpenSSL, can be quite a hassle, though

That's actually the point: relicensing should be a hassle and it should involve your entire community. Fine OpenSSL might have picked a silly licence initially and now they need to change it, but the community is motivated to do that, so change is happening it's actually a show of distributed copyright working.

When you agree with the licence being changed to, the change looks fine, particularly if the old licence was a bad one; however, supposing for the sake of argument (and this is a pure hypothetical to illustrate the argument) OpenSSL had a CLA allowing their board to change the licence at will and their board later decided that the CII funding wasn't enough and the rest of the internet should also help fund them so they would switch to a variant of SSPL to enable that. Now what remedy do you have without the distributed copyright franchise?

Why CLAs aren't good for open source (Opensource.com)

Conan_Kudo — Sat, 02 Mar 2019 17:23:52 +0000

I would argue that the difficulty of relicensing is actually a *good* thing. It forces a conversation when there otherwise wouldn't be any, and ensures all the stakeholders are involved in the decision to change the terms that the software is available under.

Why CLAs aren't good for open source (Opensource.com)

ThinkRob — Sat, 02 Mar 2019 08:51:51 +0000

> Distributed copyright is a core strength for the community, yes.

Would distributed copyright have helped prevent OpenSolaris's fate?

As it stands, it seems like it was easy, even trivial for Oracle to close off Solaris. Thanks to the CLA they owned all the copyrights, so come Solaris 11... blammo! Closed it went.

Why CLAs aren't good for open source (Opensource.com)

xtifr — Fri, 01 Mar 2019 20:19:15 +0000

> "Distributed copyright" in absence of a CLA is a *strength* of any FOSS project.

In general, yes. The rare exceptions, like OpenSSL, can be quite a hassle, though. Fortunately, they are *very* rare.

Why CLAs aren't good for open source (Opensource.com)

jejb — Fri, 01 Mar 2019 18:47:36 +0000

Distributed copyright is a core strength for the community, yes. Whether it's a core strength for the company depends whether the business model of the company is aligned with the community: pressure for CLAs often isn't legal. Lawyers tend to like CLAs because it keeps them in the relevance loop, but the bias is usually minor; pressure for CLAs is often business related. For instance an open source startup often begins with an open core business model, for which they require a CLA because they don't know which component will be the profitable one and they need to own it to relicence it. This CLA dependence gets stronger as VCs decide the problem isn't a broken business model, it's a broken licence ...

I think we (as in those of us who read articles on lwn.net) can all agree that this community and business misalignment is a sign of a broken business model, but getting a business (or even a VC) to see this is a much harder problem.

Why CLAs aren't good for open source (Opensource.com)

laf0rge — Fri, 01 Mar 2019 12:38:01 +0000

"Distributed copyright" in absence of a CLA is a *strength* of any FOSS project. I'm really surprised this isn't more widely recognized.

No single entity can ever control it. No single entity can ever re-license it (intentionally or after going into insolvency, after an evil takeover, ...). Not having CLAs is the best guarantee that the original wishes of the authors are respected indefinitely in the future.

Why CLAs aren't good for open source (Opensource.com)

gdt — Fri, 01 Mar 2019 06:14:10 +0000

Here's some issues raised by a conservative corporate lawyer:

the firm reserves for itself a right it does not grant to us -- the right to relicense.
"copyright owner": we indemnify the firm for losses if we are not the copyright holder, but copyright is a complex topic and we may not hold all of the rights even if we wrote all the code. (eg, firm sues others, our code is found to be scenes au faire, are we to indemnify firm as we held no copyright for the contributed code -- as no-one holds rights for that code?).
The license grant doesn't isolate us adequately for decisions we don't control. The code is provided "as-is", but the implication that means there is no indemnification of the firm for the use or licensing of our code is not explicit.
we grant copyrights and patent rights on all submitted work, not on work submitted and accepted for licensing. If not accepted our rights should be returned so the code is available for exploitation in other ways, such as sale of a sole license.
we grant copyright and patent licenses, but these can be sublicensed for revenue without a revenue flow to us. That's particular a concern with patents, as the firm brings no additional value to those assets.
we must inform the firm of all related claims and litigation, but the firm is not limited in its disposal of that information. That makes it difficult to reach a negotiated position as the firm may make public approaches at an early stage, perhaps denying us easy measures such as educating the complainant. It's also iniquitous: there is no reverse obligation.
we have something the firm wants, so why is the jurisdiction of the license of their chosing? Especially since that jurisdiction isn't the jurisdiction of the copyright of the contributed code.

Why CLAs aren't good for open source (Opensource.com)

mangix — Fri, 01 Mar 2019 03:33:13 +0000

As a contributor, I've avoided posting patches in places where there are CLAs. Only because I don't want to create some account somewhere.

Why CLAs aren't good for open source (Opensource.com)

sml — Thu, 28 Feb 2019 22:48:00 +0000

Richard's been talking about this for a long while now.
Here's the FAIF episode including his OSCON 2011 talk on the subject:

http://faif.us/cast/2011/aug/30/0x17/

Why CLAs aren't good for open source (Opensource.com)

iabervon — Thu, 28 Feb 2019 20:39:16 +0000

I don't think a corporate lawyer should not want a CLA; they should just not care enormously, and executives should decide that the benefit they see isn't worth the trouble. It's not a corporate lawyer's job to look at the costs of a CLA or to weigh them against the benefits. I mean, a corporate lawyer shouldn't want the company to have customers, employees, products, or services, all of which incur liabilities, and it's a business decision whether they're worth the risks (and which customers, employees, products, and services are worth having).

Why CLAs aren't good for open source (Opensource.com)

mageta — Thu, 28 Feb 2019 19:47:29 +0000

May be just me, but I didn't find a single argument where I think It could convince a conservative company lawyer to not want a CLA. Mostly its anecdotal evidence about the past, which probably counts for nothing if you ask assumed lawyer.