logo

drewdevault.com

[mirror] blog and personal website of Drew DeVault git clone https://hacktivis.me/git/mirror/drewdevault.com.git

Dont-sign-a-CLA-2.md (6922B)

    

  1. ---
  2. title: Seriously, don't sign a CLA
  3. date: 2023-07-04
  4. ---
  6. [SourceGraph][0] is making their product closed source, abandoning the Apache
  7. 2.0 license it was originally distributed under, so once again we convene in the
  8. ritual condemnation we offer to commercial products that piss in the pool of
  9. open source. Invoking Bryan Cantrill once more:
  11. [0]: https://about.sourcegraph.com/
  13. <iframe
  14.   width="560"
  15.   height="315"
  16.   src="https://www.youtube-nocookie.com/embed/-zRN7XLCRhc?start=2483"
  17.   frameborder="0"
  18.   allow="accelerometer; autoplay; gyroscope; picture-in-picture"
  19.   allowfullscreen></iframe>
  21. <p>
  22. <a
  23.   style="display: block; text-align: center"
  24.   href="https://youtu.be/-zRN7XLCRhc?t=2483"
  25. ><small>Bryan Cantrill on OpenSolaris &mdash; YouTube</small></a>
  27. A contributor license agreement, or CLA, usually (but not always) includes an
  28. important clause: a copyright assignment. These agreements are provided by
  29. upstream maintainers to contributors to open source software projects, and they
  30. demand a signature before the contributor's work is incorporated into the
  31. upstream project. The copyright assignment clause that is usually included
  32. serves to offer the upstream maintainers more rights over the contributor's work
  33. than the contributor was offered by upstream, generally in the form of ownership
  34. or effective ownership over the contributor's copyright and the right to license
  35. it in any manner they choose in the future, including proprietary distributions.
  37. This is a strategy employed by commercial companies with one purpose only: to
  38. place a rug under the project, so that they can pull at the first sign of a bad
  39. quarter. This strategy exists to subvert the open source social contract. These
  40. companies wish to enjoy the market appeal of open source and the free labor of
  41. their community to improve their product, but do *not* want to secure these
  42. contributors any rights over their work.
  44. This is particularly pathetic in cases like that of SourceGraph, which used a
  45. permissive Apache 2.0 license. Such licenses already allow their software to be
  46. incorporated into non-free commercial works, such is the defining nature of a
  47. permissive license, with relatively few obligations: in this case, a simple
  48. attribution will suffice. SourceGraph could have been made non-free without a
  49. CLA at all if this one obligation was met. The owners of SourceGraph find the
  50. simple task of crediting their contributors too onerous. This is disgusting.
  52. SourceGraph once approached SourceHut asking about building an integration
  53. between our platforms. They wanted us to do most of the work, which is a bit
  54. tacky but reasonable under the reciprocal social contract of open source. We
  55. did not prioritize it and I'm glad that we didn't: our work would have been made
  56. non-free.
  58. Make no mistake: a CLA is a promise that a open source software project will one
  59. day become non-free. Don't sign them.
  61. **What are my rights as a contributor?**
  63. If you sign away your rights by agreeing to a CLA, you retain all of the rights
  64. associated with your work.
  66. By default, you own the copyright over your contribution and the contribution is
  67. licensed under the same software license the original project uses, thus, your
  68. contribution is offered to the upstream project on the same terms that their
  69. contribution was offered to you. The copyright for such projects is held
  70. collectively by all contributors.
  72. You also always have the right to fork an open source project and distribute
  73. your improvements on your own terms, without signing a CLA -- the only power
  74. upstream holds is authority over the "canonical" distribution. If the rug is
  75. pulled from under you, you may also continue to use, and improve, versions of
  76. the software from prior to the change in license.
  78. **How do I prevent this from happening to my project?**
  80. A CLA is a promise that software will one day become non-free; you can also
  81. promise the opposite. Leave copyright in the collective hands of all
  82. contributors and use a copyleft license.
  84. Without the written consent of all contributors, or performing their labor
  85. yourself by re-writing their contributions, you cannot change the license of a
  86. project. Skipping the CLA leaves their rights intact.
  88. In the case of a permissive software license, a new license (including
  89. proprietary licenses) can be applied to the project and it can be redistributed
  90. under those terms. In this way, all future changes can be written with a new
  91. license. The analogy is similar to that of a new project with a proprietary
  92. license taking a permissively licensed project and incorporating all of the code
  93. into itself before making further changes.
  95. You can prevent this as well with a copyleft license: such a license requires
  96. the original maintainers to distribute future changes to the work under a free
  97. software license. Unless they can get all copyright holders -- all of the
  98. contributors -- to agree to a change in license, they are obligated to
  99. distribute their improvements on the same terms.
  101. Thus, the absence of a CLA combined with the use of a copyleft license serves as
  102. a strong promise about the future of the project.
  104. Learn more at [writefreesoftware.org](https://writefreesoftware.org):
  106. * [Managing copyright ownership](https://writefreesoftware.org/learn/participate/copyright-ownership/)
  107. * [Re-using free software](https://writefreesoftware.org/learn/participate/derived-works/)
  108. * [What is copyleft?](https://writefreesoftware.org/learn/participate/derived-works/)
  110. **What should I do as a business instead of a CLA?**
  112. It is not ethical to demand copyright assignment in addition to the free labor
  113. of the open source community. However, there are some less questionable aspects
  114. of a contributor license agreement which you may uphold without any ethical
  115. qualms, notably to establish provenance.
  117. Many CLAs include clauses which establish the provenance of the contribution and
  118. transfer liability to the contributor, such that the contributor agrees that
  119. their contribution is either their own work or they are authorized to use the
  120. copyright (for example, with permission from their employer). This is a
  121. reasonable thing to ask for from contributors, and manages your exposure to
  122. legal risks.
  124. The best way to ask for this is to require contributions to be "signed-off" with
  125. the [Developer Certificate of
  126. Origin](https://drewdevault.com/2021/04/12/DCO.html).
  128. ---
  130. Previously:
  132. * [Breaking down Apollo Federation's anti-FOSS corporate gaslighting](https://drewdevault.com/2021/11/05/Apollo-federation-2-gaslighting.html)
  133. * [The Developer Certificate of Origin is a great alternative to a CLA](https://drewdevault.com/2021/04/12/DCO.html)
  134. * [Open source means surrendering your monopoly over commercial exploitation](https://drewdevault.com/2021/01/20/FOSS-is-to-surrender-your-monopoly.html)
  135. * [Elasticsearch does not belong to Elastic](https://drewdevault.com/2021/01/19/Elasticsearch-does-not-belong-to-Elastic.html)