Chris's Wiki :: blog/tech/CLAsImpedeContributionsII

CLAs create different issues than making (small) open source contributions

August 19, 2023

I've seen a view expressed that Contributor License Agreements are only a small extra piece of formality over contributing bugfixes and other open source changes. I think this is wrong. Often, the decisions that are made over whether or not to contribute changes to open source projects are significantly different than the decisions that must be made over CLAs, such that my university and similar institutions have little to lose from the former and a great deal to lose from the latter.

When I make a bugfix or some other small change to an open source project's source code as part of my work, my university has only two real options for what to with it; we can either keep the change private or publish it under the original open source license used by the project. Since universities are nominally not in competition with each other in the way that companies are and are instead into sharing things with the world, this is an easy and uncontroversial call for everyone to make. There is pretty much no reason not to share such small things.

(In a company, sharing your bugfixes for an open source project may help your competitors who also use the project, so you have some reason to keep them private. For large changes, the code I write might in theory reveal intellectual property that the university would like to keep private in order to patent or otherwise license, and in general might give the university some leverage to negotiate license changes or other things with the project. We have no leverage for small bugfixes or changes.)

A Contributor License Agreement is a legal document and a legal agreement. No institution enters into legal agreements without care, and I am specifically not authorized to enter into such agreements on behalf of my institution; very few people are, and they are all busy and senior. As with any legal document, signing a CLA requires the institution's lawyers to scrutinize the terms to see if there's anything dangerous we're accepting in the process, because a CLA may contain all sorts of surprising clauses and grants that the institution specifically agrees that it's giving the other party. This makes CLAs not anywhere near as simple as 'do we publish this change under the project's open source license or keep it private'. Signing a CLA is not at all the same as publishing a change under the open source license its project requires, especially if the project uses a standard, widely known open source license or a very close variation of it.

(And releasing something under what is fundamentally a copyright grant is quite different from executing a signed agreement with a specific counterparty, who may acquire new legal rights or causes of action against you due to clauses in the agreement.)

It's not at all odd or unusual that it's much easier to do one than the other at my institution. Probably this is the case at any number of organizations. This is a big factor in why CLAs impede modest contributions, even if and when the organization is fully in favour of publishing and sharing such things. One corollary is that it's extremely unwise to assume that someone's failure be able to execute a CLA means that they can't actually publish or share their change.

Requiring a CLA is a strong move by the owner of the project. It says that they would rather have fewer legitimate, fully allowed changes because they wish that all of the changes they do accept to be fully covered by their chosen license agreement (whatever the terms of it are, and sometimes these will include 'we can later relicense your code on any terms we chose, including commercial licenses only').

PS: This doesn't make CLAs intrinsically bad. I accept that there are some organizations that are sufficiently large lawsuit targets that they feel they need to take strong defensive measures, and CLAs are one of those measures. I do feel unhappy when such organizations react to bug reports with 'please write the small patch for us, and by the way you need to sign a CLA'.

Comments on this page:

By Nolan at 2023-08-19 22:01:50:

CLAs are almost always a bad idea, but in your specific situation, why not post the diff to the project bug tracker tracking the specific bug, with a MIT or BSD or some other very permissive license, and let anyone else who is comfortable or able to sign their CLA submit it?

By cks at 2023-08-19 23:25:49:

If the project and the people involved are taking CLAs seriously, no third party can sign a CLA for my code and the project can't accept it if they try. The CLA is intended to get a legal agreement from the copyright owner of the code, regardless of the license that was put on the code.

By Anonymous at 2023-08-20 07:46:48:

A Contributor License Agreement is a legal document and a legal agreement.

An open source license is just as much a 'legal document and a legal agreement' as a CLA is. I guess the difference is not whether it's a legal document or not, but rather what it is that is 'typically' stated in an open source license versus a CLA.

By cks at 2023-08-20 08:11:20:

My view is that there are two significant differences between a CLA and an open source 'license' (which are really copyright grants, not contracts). First, how enforceable various open source licensing terms are is an area of litigation, while no one doubts that signed contracts are enforceable. Second and much more importantly, an open source license binds the original developer as much as it binds people distributing changes, which drastically reduces the scope for clauses that are dangerous to you since they would also be equally dangerous to the original developer (at least for any generally accepted open source license). A CLA doesn't bind the original developer this way; it can be completely asymmetric (and often is) and thus require dangerous terms from you that don't apply to the original developer and significantly favour them.

By Miksa at 2023-08-23 10:49:47:

I suspect companies are fully aware of this issue and that is the way they like it. Outside contributors would be too big of a risk and trap for them.

Hashicorp is a good example. In the past weeks they've switched the license of their products like Terraform and Vault from Mozilla Public License 2.0 to Business Source License 1.1. This would probably been impossible if the code was littered with outside contributions without an ironclad CLA. And seems that Hashicorp didn't trust on their CLA anyway. Someone checked their Github and didn't really find contributions from other than Hashicorp employees.

So the only option is to send a bugreport that the company can reverse engineer. Because this makes me wonder, if you include in your report the correct fix to the code does that leave you with copyright claim even without direct pull request? Does the company have to go through the IBM PC reverse engineering? One employee reads the bugreport, explains the required changes to an intermediary, and the intermediary specs the change to a coder who has never seen any bugreports.

A related case are all the community projects built on top of companies owned by random people. Good recent example if "ADS-B Exchange", a community alternative for FlightRadar24. Most of the volunteers contributing for ADSBe probably didn't even realize it could be sold to a private equity firm.

All community projects should be built on top a foundation or association that can't be easily bought. My email address service is provided by the Finnist association IKI ry. I am one of it's ~30000 members and I have my single vote for important matters. If a company wants to buy my vote it's available, I don't know, let's say for 5 grand.

Written on 19 August 2023.

«	Contributor License Agreements (CLAs) impede modest contributions

Unix is both a technology and an idea