[Idpy-discuss] CLA/CCLA message sent

Benn Oshrin benno at sphericalcowgroup.com
Tue Apr 10 01:54:10 UTC 2018

On 4/9/18 6:51 PM, Heather Flanagan wrote:

> 1. For people contributing in a mix of work on their own time and work
> done to the benefit of their employer, especially in the small
> departments that are part of a much larger institution, getting the
> employer to sign a CCLA is going to be very hard and almost certainly
> limit who contributes to the project.

Enough R&E institutions have signed CLAs that I think we can start to
use the peer pressure model here. Yes it's work, but it's a known path.

> There is no reasonable way for the employer to know whether the coder
> has violated any copyright or patents.

This is a bit of a red herring. It's up to the employee to behave within
the code of conduct of the employer, and that presumably says "don't
violate copyright etc". So there's a reasonable default presumption that
the employee is behaving correctly, unless otherwise demonstrated.

> 2. Inbound=outbound agreements should suffice (see Bradley M. Kuhn's
> explanation here:
> https://sfconservancy.org/blog/2014/jun/09/do-not-need-cla/ ) and GitHub
> already accepts that (see
> https://help.github.com/articles/github-terms-of-service/#6-contributions-under-repository-license)

Inbound=outbound (and the license assent mechanism) presumes you will
never need to change the license of the code. While it's unlikely
projects will need to re-license, it does happen from time to time, and
if you don't have the CLAs in place you're screwed.

There's another red herring in the SFC blog post: "CLAs simply shift
legal blame for any patent infringement, copyright infringement, or
other bad acts from the project (or its legal entity) back onto its
contributors." That's true only if the contributor was not authorized to
make the contribution in the first place. A good IPR home exists to
defend the IPR in place of the contributor.

CLAs are also a formal way of the institution consenting to the code
contribution. A lot of the counterargument seems to be "CLAs are too
hard to get through legal", but without a CLA your contributions may or
may not have been authorized by your employer... I don't know, did you
ask them? Did they say yes you can contribute? How do we know that? What
if you didn't ask them, and _now_ they want the code withdrawn because
it's proprietary IPR or something?

Check out Q5 (and the rest) here: https://www.apereo.org/licensing


