On 22/10/13 16:22, Jeremy Stanley wrote:
(Disclaimers: I am not a lawyer, which likely explains my lack of
interest in perversely pointless paperwork. Also, these opinions are
my own and do not necessarily reflect those of my employer. Setting
MFT to legal-discuss as a more appropriate forum for these sorts of
discussions.)

On 2013-10-22 15:11:25 +0200 (+0200), Zane Bitter wrote:
[...]
Can't we just write "Copyright OpenStack Contributors"? (Where
'contributors' means individuals or organisations who have signed
the CLA.)
[...]

Actually, technically not. There are other avenues through which
patches come (posts on mailing lists, attachments to bugs) and I
know that from time to time contributors git-am other authors' bug
fixes without first asking them to go agree to an OpenStack CLA and
prove that they have done so. The actual copyright belongs with the
author (or their employer under a work-for-hire agreement), not the
contributor who uploaded that work--and they aren't necessarily
always the same people.

Fair point, although as you note below, if the contributor does not identify the actual copyright holder in the submission, that is their responsibility, not OpenStack's responsibility. Likely a few copyright holders will fall through the cracks here (e.g. from legitimately identified external code like https://review.openstack.org/#/c/40330/), but many, many *more* will fall through the cracks in trying to compile a list of them.

I'm not suggesting here that the CLA can provide an accurate list of copyright holders (which is impossible anyway), I'm saying that it provides a paper-trail back to somebody who warrants that they have the right to licence the code under the ASL (however mistaken they may be about that), and that this is precisely the paper trail that the Debian FTP masters are looking for.

Gerrit ensures that only OpenStack Contributors (those that have
signed the CLA) can contribute to OpenStack
[...]

To echo Monty's sentiments earlier in the thread, and also as the
person who spear-headed the current CLA enforcement configuration in
our project's Gerrit instance, I don't see how our CLAs add anything
of value. It's patronizing, almost insulting, to ask developers to
pinky-swear that they're authorized to license the code they
contribute under the license included with the code they contribute.

It's exactly as silly as Debian requiring the copyright holders to be identified alongside the licence. As an engineer, I'm inclined to agree that it's pretty silly, because it doesn't actually change anything - nobody is ever surprised when their contribution to open source ends up as open source, and if it turns out that they were not entitled to so licence it then it's still effectively everyone's problem, CLA or no. Clearly there are lawyers who disagree though.

At best it may provide a warm fuzzy feeling for companies who are
unfamiliar with contributing to free software projects, since free
software licenses are all about waiving your rights rather than
enforcing them and that might sound scary to the uninitiated... but
better efforts toward educating them about free software may prove
more productive than relying on a legal security blanket.

Also as mentioned above, Gerrit does not enforce that the copyright
holder has agreed to this, it only enforces that the person
*uploading* the code into Gerrit has agreed to it... and section 7
of the ICLA has some interesting things to say about submitting
third-party contributions, which looks to me like a permitted
loophole for getting ASL code into the project without the author
directly agreeing to a CLA at all.

7. Should You wish to submit work that is not Your original
creation, You may submit it to the Project Manager separately
from any Contribution, identifying the complete details of its
source and of any license or other restriction (including, but
not limited to, related patents, trademarks, and license
agreements) of which you are personally aware, and conspicuously
marking the work as "Submitted on behalf of a third-party:
[named here]".

I wonder if the current de facto practice of allowing git's author
header to reflect the identity of the third-party counts as a
conspicuous mark for the purposes of ICLA section 7? And whether
submitting it to Gerrit where it can be openly inspected by the
entire project counts as a submission to the Project Manager (the
OpenStack Foundation) as well? At any rate, it seems that the
agreement boils down to "copyright holders promise that they're
contributing code under this license, or that they're submitting
someone else's work who probably is okay with it."

That's exactly what it boils down to, and coincidentally exactly what the requirement to list copyright holders in Debian also boils down to afaict. We should leverage the synergies, or something ;)

cheers,
Zane.

_______________________________________________
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
