
My new rule is to never contribute and do my best to avoid using any free software that requires a CLA. Shared copyright ownership is very important to maintaining software freedoms. It makes it impossible for a single party to change the license in ways counter to the community's desires. There have been many recent examples of this sort of bad behavior that have driven this point home for me.


Agreed: don't sign a CLA!

But then following this philosophy, shouldn't you favour copyleft licenses, too? Because if it's permissive, they can suddenly go proprietary without caring "much" about copyrights, right?

I have come to these rules:

- Never sign a CLA.

- In my projects, the "most permissive" licence I use is MPLv2 (which is weak copyleft). When I release OSS software, there is absolutely no point in using a permissive license: MPLv2 should be fine for everybody. Of course sometimes I like the GPL family, and recently I've come to like the EUPL.


Would you sign a CLA if it specified the License your code would be able to the project under? (I.e. the project can only use your code if it says MIT or BSD or GPL licensed).

CLAs can have a legitimate purpose in clarifying copyright ownerships.


How do you need CLAs to clarify copyright ownership? DCoE does the job equally well.


> Would you sign a CLA if it specified the License your code would be able to the project under?

I don't understand.

> CLAs can have a legitimate purpose in clarifying copyright ownerships.

Isn't that the whole point of a CLA? The CLA is usually a way for the contributor to renounce their copyright. In other words, the project asks me to make a contribution for free, and on top of that they want to own the copyright for it.

If they want to own the copyright for my work, how about they pay me?


> If they want to own the copyright for my work, how about they pay me?

If you want to merge your code into someone else's repository, thereby benefiting from their continued maintenance efforts, how about you give them the copyright? You don't have to if you don't want to. You can keep your copyright by merging your improvements into your own fork and maintaining it yourself. It is within your power.

Seems like a fair deal to me. Everyone gets a nice AGPLv3 project to hack on. That's freedom and it is assured. If you want someone else to maintain that project for you the least you can do is give them control over it by assigning copyright. It's still AGPLv3 for everyone else, and it gives the maintainers the leverage needed to negotiate deals with corporations.

Companies paying for exceptions to the GPL is something even Stallman promotes.

https://www.gnu.org/philosophy/selling-exceptions.html

This is a good thing and strengthens free software. Being against this is a position so extreme that even Stallman rejects it. And it can't be done if you need the consent of every single contributor.

I even emailed Stallman directly to confirm the ethics of this. He says it's better this way because only the copyright owner can do it. Permissive licenses give everyone that power. Copyleft keeps it contained.

  > It is my understanding that as the copyright holders
  > they have the right to do it without any problems.
  > They leverage the AGPLv3 to make it harder for their
  > competitors to use the code to compete against them.

  I see what you mean. The original developer can engage
  in a practice that blocks cooperation.

  By contrast, using some other license, such as the ordinary GPL,
  would permit ANY user of the program to engage in that practice.
  In a perverse sense that could seem more fair,
  but I think it is also more harmful.

  On balance, using the AGPL is better.


I'm confused. The part with Stallman is about using AGPL vs GPL and has nothing to do with the CLA, has it?


It's an excerpt of a much bigger email.

I told him about corporations using AGPLv3 as leverage in order to build SaaS products around the software. As copyright holders, they can do whatever they want while everyone else must comply with license terms. The CLA is a necessary component of that strategy.

I asked him what he thought of the practice. That's what he replied. He didn't go into much detail about SaaS. He said it was too broad a term to judge.

Here's the full email exchange:

  Hello, Dr. Stallman. I would like to know your views
  on the ethics of certain uses of the AGPLv3.

  There are apparently some corporations that
  are releasing free software under the AGPLv3
  while building software-as-a-service platforms
  using the same software. It is my understanding
  that as the copyright holders they have the right
  to do it without any problems. They leverage the
  AGPLv3 to make it harder for their competitors
  to use the code to compete against them.

  In online discussions on this matter, I pointed
  to an article that you wrote regarding the ethics
  of selling exceptions to the GPL. You argued
  that if selling this exception was unethical
  then so was releasing software under permissive
  licenses, and rejected the idea that it was unethical.
  The conclusion was that this enabled proprietary
  software to be freed, an ideal outcome.

  I'd like to ask if you think the same logic applies
  to the SaaS situation I mentioned. I think it does,
  but others did not agree.

  People are using the AGPLv3 to maximize leverage.
  Corporations seem to be incapable of tolerating the
  license's terms, a situation that leads to copyright
  holders providing a business solution: paying for it.
  They can buy special permission to use the software.
  These days, it appears the choice being offered is to
  buy into the company's SaaS platform instead of
  purchasing a special permission or license.

  The exact mechanism employed by the business
  seems like a minor detail to me but perhaps there
  are some ethical considerations that I'm not seeing.
  So I decided to send you this email and ask what
  your opinion on the matter is.

  Thank you for your time,
      Matheus

  ---

  > There are apparently some corporations [...]

  "Software as a service" covers such a broad range of computing
  practices that I generally don't use it.  It is too broad, and gives
  too little information, to judge whether a practice is good or bad.

  > It is my understanding [...]

  I see what you mean.  The original developer can engage
  in a practice that blocks cooperation.

  By contrast, using some other license, such as the ordinary GPL,
  would permit ANY user of the program to engage in that practice.
  In a perverse sense that could seem more fair, but I think it
  is also more harmful.

  On balance, using the AGPL is better.


Right. So this is about AGPL, not about CLA... I thought we were talking about CLAs.


> how about you give them the copyright

Under US law, this is an impossibility. Under a CLA, you retain your copyright, and you (typically) give someone else a perpetual, irrevocable license to use your copyrighted material in their own product.


To clarify, it's an impossibility to give it to them irrevocably, as under US law you can reclaim a copyright that's been transferred to another party after a statutorily defined period of time.


I just looked it up and you're right. Apparently there's no way to sell or give away the copyrights. Ever. You can "transfer" it, license it, whatever... Then suddenly show up and demand it back 35 years later.

Copyright law is completely insane.


This is probably designed for book authors and delinquent publishers that stop selling author's books, then the authors can take back the copyright and go to another publisher.


Why do you believe that the contributor benefits more from contributing to a project than the project does?


Because they get to leave while others get to maintain the code including their contribution until the end of time.


They don't have to accept the contribution if they think it's not worth it. If they think it's worth something, they can pay for it.


> how about you give them the copyright?

I refuse in general. If they want me to read and sign extra legalese, I expect to be paid for it.

If they are unwilling to pay me for my time and the code I license away, then I will find another project to contribute to.


> The CLA is usually a way for the contributor to renounce their copyright

I don't know about other countries, but you actually cannot renounce your copyright under American law. It is an impossibility.

The only way your own code can belong irrevocably to someone else is if you are contracted under a work-for-hire arrangement or if you are an employee of the other entity when you produce the work. (Or if you die and your heirs become the new owners)

If you were to write code and then later submit it to a project (say, via PR), they cannot retroactively implement a work-for-hire arrangement.

In all other cases, the creator is the copyright owner forever. That status cannot be assigned to anyone else. (Except to one's heirs upon death.)

A CLA is a licensing agreement (that's the "LA" part!), where you license your own copyrighted material to another entity, and it's often in perpetuity.

But here's the trick: under US law, an author or author's heirs (i.e., copyright holders in non-WFH situations) can revoke a license in certain situations. The provisions allowing this exist specifically so that non-remunerative licenses (i.e., ones the copyright owner didn't get paid to license) can be revoked.

You can read about some of these termination provisions in 17 USC 203, 304(c), and 304(d).


Copyright can be transferred in the US. I think you are confusing this with the fact that copyright can't be destroyed to put a work in the public domain.



I never said you cannot transfer copyright. I said you cannot irrevocably give it up.

And this is true: under US law, after 35 years you can reclaim your copyright.


Taking the most sensible meaning of renounce, the court in Micro Star v. Formgen opined exactly the opposite of what you claim:

"It is well settled that rights gained under the Copyright Act may be abandoned."

https://casetext.com/case/micro-star-v-formgen-inc

As for reclaiming a transferred copyright, it's possible, but complicated. It also takes at least 35 years, which is likely too long to be of practical use to most folks.


Does that mean that all those projects using CLAs may end up at some point with someone saying "I want you to remove the part of your codebase for which I have a copyright"?

I mean in practice nobody will ever be able to do that, just like most licences are just completely ignored. But I mean in theory?


I'm fine with my company owning copyright on code I write. Sometimes they let me keep copyright on things I contribute to open source on their time, but I get permission before I do that. (They are considering changing the rules such that they retain the copyright and then I would contribute back in their name, not my own.)


> I'm fine with my company owning copyright on code I write

Sure, but that's not a CLA. You have a contract, and your company buys your work. If you contribute for free to a random project and they ask you to sign a CLA, they are not paying you for your work. They just want your work + your copyright for free.


A CLA doesn't give them your copyright; you still own it, and you're licensing it (hence the "L" in "CLA") to them. And, at least under US law, non-remunerative license agreements can be revoked under certain situations (usually having to do with that free work being turned into profit for the licensor IIRC although I admittedly haven't thought about this aspect of copyright law in twenty years)


That is dangerous. While unlikely, there are a few possible attacks. If the law changes such that the license is invalid, you need to change to an updated version. If you allow them to change the license for that case, they can change the license to anything. Consult with a lawyer to see if there is legal language that allows them to change the license as needed only so long as it meets the intent... note that intent is tricky. GPL 2 and 3 do not have the same intent according to Linus Torvalds, but Richard Stallman will say they do. Good luck getting your contract to allow license changes if the intent is the same and having it really be your intent.

The above all seems unlikely, but you cannot discount it. Which is another reason to not sign a CLA - you have no idea what future changes you might agree with.


Can you please share why it is dangerous? If I release some code that I wrote myself, I own this code, so I can always re-release it under another strongly copyleft license if there is a defect in AGPL v3 or whatever.


If you sign a CLA you no longer own that code. Thus you trust whoever now owns the code to make decisions you agree with, but have no way to assure that.

Depending on the terms, you may own the code, but it isn't a useful right, as without everyone else, including them, you can't use your right to get a good license in place (one they disagree with, so of course they won't).


> If you sign a CLA you no longer own that code.

This is untrue. The "L" in "CLA" means you are licensing the code to someone else, not transferring copyright.

Edit: [Here](https://github.com/Decathlon/template/blob/master/contributo...) is a sample CLA you see on Github.

Inter alia,

> You hereby grant to Decathlon and to recipients of software distributed by Decathlon a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute your Contributions and such derivative works.

Observe you are licensing the code, not transferring copyright.


What's the practical difference? They still have the right to do anything they want with it.


Those are the terms of that one CLA; the terms of others can be different.


I see you've repeated this in a few comments. Do you have a link?

By the way, I'm not disagreeing. I'm Australian and curious about the US situation. My understanding was that whilst you can't assign copyright — insofar as you ought to always be able to refer to yourself as the original author — you can provide an irrevocable license giving someone else the rights to reproduce, license and sublicense as they see fit.


The person you're responding to is wrong. CLAs are not transfers of copyright ownership or code ownership. They're only licenses (that's the "L" in "CLA") that grant the recipient a set of rights for how they are allowed to use your code that you retain ownership over.


... GPLv3, or any later version with a similar spirit published by the Free Software Foundation or its successor.

Remember that without a license most people don't have any right to copy the software at all, so it's in a corporation's best interest to make sure the GPL continues to be valid. And the law always does what's in a corporation's best interest.


What is the spirit - are GPL 2 and 3 the same spirit? Some will argue no.

Right now GPL assumes things fall back to copyright, but companies have an interest in encoding open source into law in a way that would benefit them. Some trickery could make something in GPL illegal and then by law it falls back to the new open source license, not no license.


This is usually a misunderstanding of permissive licenses.

You can't change the license of the code, even if that license is permissive enough for the code to be incorporated in proprietary works.

I mean, often this doesn't really matter because, unlike with GPL, publishers are not required to give you the source-code. But it matters when that source-code gets republished, say, under a source-available license, after having been under MIT/BSD/APL2, in which case, that's illegal, unless the company owns the copyright to do so.

As an example — if you have a file with a copyright header saying the code is licensed under a permissive license, you can't just change that header to a different license. There's even a famous case about it: https://undeadly.org/cgi?action=article&sid=20070913014315

It all comes down to copyright. If you copy a piece of code that's not trivial, even if the license allows you to copy and reuse that piece of code, you're not suddenly the copyright owner of that code. Permissive licenses are permissive, but they do have restrictions, and most importantly, with copyrighted works, excluding the fair use cases that depend on legislation, you can only do what the license allows you to.

So, no, code licensed under permissive licenses can't be re-licensed as proprietary, even if it can be incorporated in proprietary works. And this is often a useful distinction to make, as I can think of several re-licensed projects under source-available licenses that couldn't have been re-licensed without copyright assignments.


> There's even a famous case about it

Note this is not a legal case which has been ruled on, just an opinion. It sounds reasonable to me, but also not a hill I would die on personally.


I didn't mean "re-licenced". I meant that it can become closed-source. Bad wording on my end.

Now I guess they can modify permissively-licenced files without licencing their modifications permissively, in which case the file is a mix between both, and good luck making the difference?


You should consider signing one anyway depending on whether you like the creator. This gives the maintainer of the project a way to make money from his work: sublicensing it to companies under a different license. This promotes the use of extreme copyleft licenses like the AGPLv3.

I actually emailed Stallman to ask about the ethics of this. He replied that it's better for everyone when only the creator has this power. Permissive licenses give everyone else that power too. Copyleft licenses don't. Only the copyright owner can sublicense. Others must comply or pay for it.

  > It is my understanding that as the copyright holders
  > they have the right to do it without any problems.
  > They leverage the AGPLv3 to make it harder for their
  > competitors to use the code to compete against them.

  I see what you mean. The original developer can engage
  in a practice that blocks cooperation.

  By contrast, using some other license, such as the ordinary GPL,
  would permit ANY user of the program to engage in that practice.
  In a perverse sense that could seem more fair,
  but I think it is also more harmful.

  On balance, using the AGPL is better.


> Only the copyright owner can sublicense

If that were true, then the distribution of OSS would be illegal.

If I contribute to an open source project, I have licensed my code to that project. If someone downloads that project, the OSS project has sublicensed my code to them.

I doubt there's a CLA in the world that doesn't grant the right to sublicense.

For example, here is the CLA for VS Code: https://opensource.microsoft.com/pdf/microsoft-contribution-...

the key bit is:

> You grant Microsoft . . . a . . . license . . . to sublicense any or all of the foregoing rights to third parties


I probably used the wrong word. I intended to say "release the software to someone else under a different license". If you own the copyrights, you can release code to the general public under AGPLv3 and simultaneously allow some specific third party to use the software under completely different terms. Other people can't do that, they are stuck with AGPLv3.

Not a lawyer so I could be terribly mistaken about all this. Hopefully someone will tell me if I'm talking nonsense.


GPLv3 says that you cannot sublicense. It says that it is not necessary because of section 10 of the license, which says that "Each time you convey a covered work, the recipient automatically receives a license from the original licensors, to run, modify and propagate that work, subject to this License".


It also makes it impossible for a single (or multiple parties) to change the license in ways in line with the community's desire, including moving to more permissive licenses.

And I'm not really sure I get the risk here. Projects (Redis, Terraform) changed license, the community responded by forking, and the result is at worst more fragmentation. If a company doesn't think a project is worth maintaining without a more monetizable license having multiple code owners isn't going to force them to keep maintaining the software.

I'm not saying multiple owners doesn't have benefits, but it's far from clear enough to present a cut and dried policy like this I think.


> It also makes it impossible for a single (or multiple parties) to change the license in ways in line with the community's desire, including moving to more permissive licenses.

You contribute under the existing license because you approve of that license. Not allowing change is not allowing change... there is no way to make it allow only change you like. So it is a compromise and, IMO, a good one... And, while not specifically relevant to my point, moving to a more permissive license isn't necessarily a good thing.

> If a company doesn't think a project is worth maintaining without a more monetizable license having multiple code owners isn't going to force them to keep maintaining the software.

My thought is that it would be better if companies didn't have this option. That releasing software under a free software license but then reserving the rights to change it later for business reasons is bad behavior. It is using free software as a marketing tool while you keep one hand on it to yank it out from under your users at a whim. I think free software is better (best?) when developed to scratch an itch and released to reduce the long term maintenance and development burden (and hopefully some altruistic leanings).


To an extent I think that the outrage over Redis's new licence was excessive; this is based on two (I think true) facts:

1. The new limitations had a temporal limitation of two years since release; that is, every commit/release would automatically return to the old license two years after the commit/release publication date

2. Using a two-year-old version is not that bad unless you are a cloud vendor reselling the software

3. A permissive license in this case was effectively a lot of free money given to Amazon


I don't understand why this isn't everyone's policy for open-source contributions.


Surely there is a middle ground for contributions which you don't really care to retain ownership of? I don't sign CLAs for projects I want to form a long term contributor relationship with, but if I am just trying to fix a small bug that the (probably corporate) owners don't care to fix themselves, I'll sign that code away without hesitation.


FWIW, CLAs do not sign away your ownership in code. It merely gives the project the right to use your code via a license.

You know how you sign those end-user *license* agreements, which do not give you ownership in the code of those applications?

That's the same principle at work here. You are licensing certain rights in your work to another entity. Generally, the license is giving the right to, inter alia, reproduce and distribute your code in perpetuity.


Because 1) I work on an open source project as part of my employment, not for free on the side, and 2) if there was no CLA, most likely the source would not be open, as the project wouldn't want external contributions. That's strictly worse. Also, the types of contributions that the project would ideally see are mostly from other companies, not people working in their free time, so the CLA doesn't really discourage contribution.


Your rule is a common one, but somewhat misses the point of the argument. In the absence of a CLA who does own the copyright to the work you do?

The point of the article is that it may, or may not, be you.

I notice that you weren't clear on this part in your post, suggesting perhaps that it's not something that's front-of-mind like the CLA is.

On the CLA front I'm on the fence. Assign, don't assign, that's for each person to decide.

But the alternative to CLA is not necessarily "I keep the copyright". That's the point the article is asking you to consider.

Aside; unless you have a specific bit of paper assigning copyright to you, and assuming you have a day job, it's very unlikely that you hold the copyright even if you only do OSS work at home on weekends.

And lastly - have you ever enforced your copyright legally? If you have never enforced a copyright violation then your work is effectively public domain. Yes the threat that you could take action exists, but in practice your contributed-to-project can change their license and call your bluff.


> In the absence of a CLA who does own the copyright to the work you do

Under US law, if you are not an employee of the company that owns the code you're contributing to, and you didn't sign a work-for-hire agreement with them, then you own the code you produce, full stop.


Unless you signed a work-for-hire agreement with somebody else! This is where it gets tricky.

In the US (afaik / ianal) your employer gets to claim your copyright if you’ve contributed to a project on company time, or using company equipment, or something else I can’t remember. This actually sounds reasonable to me.


I am sorry but I don't understand what you're saying.

> Your rule is a common one, but somewhat misses the point of the argument. In the absence of a CLA who does own the copyright to the work you do?

If I don't own the copyright in the absence of a CLA, then I don't have the authority to sign a CLA and therefore the CLA should be void. I can't sell/gift/whatever you something I don't own.

Disclaimer: IANAL. Even if I were a lawyer, which I am not, I am definitely NOT your lawyer.


Very true, you cannot assign what is not yours.

(IANAL, but I assume that means if you did sign a CLA and submit then you are breaking copyright.)

But that's not my point.

My point is that "not signing a CLA" is only half the job. The other part of the job is actively finding out your status with your company to understand their position. (And I recommend getting that answer in writing.)


The contributor owns the copyright. In Germany, for example, there's no transfer of copyright, only a non-exclusive license to use. The Developer Certificate of Origin can be used to make it legal.


In Germany it may default to the author. Different jurisdictions behave differently.

In other jurisdictions, and depending on employee contract it may default to your employer. Hence the posted article.


I used to think that copyright is always assigned to the creator, like in Germany, and it appears that I was wrong: according to Wikipedia, at least English law actually defaults (no contract clause needed!) to assigning your copyright to your employer if the contribution was done as part of work for hire. This was a surprise to me but it explained why some OSS projects, like ones by Adobe, require a CLA: many people use their libraries at work, and if someone like that contributes a fix Adobe’s lawyers justifiably would not want part of their code to be owned by another company.

It is a sad side-effect that assigning away your rights with a CLA to some company also enables some shady behavior[0], but it seems that the possible intent to “to place a rug under the project, so that they can pull at the first sign of a bad quarter” co-exists with a more reasonable desire not to have parts of the codebase that you started and mostly maintain at your own cost owned by a potentially hostile entity.

That said, it’s sad that DCOs are not used instead[1]. IIUC, DCO basically makes it clear that the contributor is the one owning the copyright, eliminating the above issue without enabling the rug-pulling.

[0] https://drewdevault.com/2023/07/04/Dont-sign-a-CLA-2.html

[1] https://drewdevault.com/2021/04/12/DCO.html


> I used to think that copyright is always assigned to the creator, like in Germany, and it appears that I was wrong: according to Wikipedia, at least English law actually defaults (no contract clause needed!) to assigning your copyright to your employer if the contribution was done as part of work for hire

It's basically the same in Germany. Urheberrecht is not the same as copyright, but comprises personal rights and exploitation rights. 99% of questions about Urheberrecht in commercial settings are about exploitation rights, so ~ about copyright in an American sense.

Personal rights (mostly the right to be named) stay with the author and can never be transferred, exploitation rights default to the employer in employment situations (and are usually explicitly transferred in work contracts, to be safe).


Copyright is not the same as licensing. There is a big difference between granting your employer a license to your work (or OSS contribution), vs. making them the copyright holder (meaning they actually created the work, and you are entirely out of the picture for all intents and purposes). I’d like a lawyer to chime in regarding this English law.


> This was a surprise to me but it explained why some OSS projects, like ones by Adobe, require a CLA: many people use their libraries at work, and if someone like that contributes a fix Adobe’s lawyers justifiably would not want part of their code to be owned by another company.

A CLA does not affect who owns the code. It only grants the OSS project the right to use the code.

Generally speaking, a CLA will be a non-exclusive license, meaning you can give the OSS project the right to use your code while you also retain the ability to license that code to others as well (as well as continue to use it in your own projects)


CLA is about licensing, CTA is about copyright, but legally licensing seems enough to avoid a dispute.

> while you also retain the ability to license that code to others as well

Depends on the license! Always read what you sign. Get a lawyer to read it.


The DCO does let someone who doesn't own a piece of code contribute it to a project; they just have to be certain that it is licensed under the license it says it is licensed under.


DCO solved the problem of potentially hostile corporate entity owning part of the code.



