[Idpy-discuss] reviewing the need for CLAs

Hi all, One of the individuals I contacted when I was reaching out about the possibility of a [C]CLA pointed out the following from the GitHub Terms of Service: --- 6. Contributions Under Repository License Whenever you make a contribution to a repository containing notice of a license, you license your contribution under the same terms, and you agree that you have the right to license your contribution under those terms. If you have a separate agreement to license your contributions under different terms, such as a contributor license agreement, that agreement will supersede. Isn't this just how it works already? Yep. This is widely accepted as the norm in the open-source community; it's commonly referred to by the shorthand "inbound=outbound". We're just making it explicit. (https://help.github.com/articles/github-terms-of-service/) --- I've also reviewed the licenses listed under each of the Identity Python projects: * pySAML2 = Apache 2.0 * SaToSa = Apache 2.0 * pyXMLSecurity = NORDUnet (2 clause BSD) * pyFF = SUNET (2 clause BSD) * pyeleven = SUNET (2 clause BSD) My reading of this suggests that a CLA doesn't actually offer us any assurances we don't already have by a) using GitHub (and therefore agreeing to the ToS) and b) posting the licenses in the repos (which must be inherited by anyone posting in those repos, again thanks to the GitHub ToS). Thoughts or concerns?