Anti-CLA action: what to do when you encounter a CLA

Audacity was forked: https://tenacityaudio.org/

That’s true, although Audacity still exists and is GPL afaik.

Aseprite was also forked: GitHub - LibreSprite/LibreSprite: Animated sprite editor & pixel art tool -- Fork of the last GPLv2 commit of Aseprite

I know, that’s where I got the commit link from. LibreSprite is very based :smiley:

The Unicode Consortium also requires a CLA for contributing to their libraries:

Canonical recently added a CLA to LXD. I imagine there are other Canonical projects with the same.

I find their wording a bit sneaky:

All contributors must sign the Canonical contributor license agreement, which gives Canonical permission to use the contributions. The author of a change remains the copyright holder of their code (no copyright assignment).

and then similar on their legal/contributors page:

It’s the easiest way for you to give us permission to use your contributions. In effect, you’re giving us a licence, but you still own the copyright — so you retain the right to modify your code and use it in other projects.

They make it sound like this is simply required for use, but the actual CLA text is a few pages and far more widespread, including:

(2.1,b) To the maximum extent permitted by the relevant law, You grant to Us a perpetual, worldwide, non-exclusive, transferable, royalty-free, irrevocable license under the Copyright covering the Contribution, with the right to sublicense such rights through multiple tiers of sublicensees, to reproduce, modify, display, perform and distribute the Contribution as part of the Material; […]

and

(2.3) Based on the grant of rights in Sections 2.1 and 2.2, if We include Your Contribution in a Material, We may license the Contribution under any license, including copyleft, permissive, commercial, or proprietary licenses. […]

Their CLA FAQ makes no mention of possible re-licensing.
Some additional context and license info by Stéphane Graber here.

Wow, that’s fucking disgusting. That’s one of the most misleading ones I’ve seen.

their enforcement of that is unclear to me, btw. the signal-desktop repository has a CI-like check for your committer e-mail address, but i’ve contributed to their fork of the boring-sys crate (MIT), and tried contributing to libsignal (AGPL-3.0-only!) and their fork of webrtc (BSD-3-Clause) - these PRs were closed, but for completely different reasons, and the CLA wasn’t checked at all in that process. i haven’t signed that CLA as an especially abusive one, since they require providing a physical address and a phone number

Incus is worth mentioning here: Linux Containers - Incus - Introduction

There’s Gitea, who require listing “The Gitea Authors” as copyright holder, effectively requiring copyright assignment. (Forgejo does not require such a thing, and is a hard fork of Gitea.)

WriteFreely, AGPL-3.0 (only? later?) with CLA.

Deno (MIT), a JS runtime, has one:

You hereby grant, and agree to grant, to Deno Land a non-exclusive, perpetual, irrevocable, worldwide, fully-paid, royalty-free, transferable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, and distribute your Contributions and such derivative works, with the right to sublicense the foregoing rights through multiple tiers of sublicensees.

There’s Gitea, who require listing “The Gitea Authors” as copyright holder, effectively requiring copyright assignment.

But that’s not a copyright assignment—it’s just a copyright notice written in a way not to have to deal with (marginally) more useful copyright notices. And it is, btw, the same thing Hare does.

A copyright notice “Copyright $year $name” isn’t entirely meaningless, but does not by itself affect who has copyright.

Personally, I think they’re pretty useless. Using a generalized one, such as “The $name Authors,” admits that.

There’s CyberChef. But I wasn’t about to contribute to a tool by a state signals agency anyway.

Can someone explain why these organizations have CLAs when they don’t have a dual license option? Does it just leave the door open to a sketchy dual license (or just switching to full proprietary) down the road?

Go requires a CLA; as do Google’s other Free software projects. They also require you to have a Google account.

Lumping copyright notices into a group of authors is one thing - and can be a desirable thing. Hare does that, Forgejo does that, lots of projects do that. That’s all fine. Requiring that exact line to be added, even when the contributed code’s author and copyright holder is a different entity, however, is wrong. It erases their right of attribution granted by the MIT license, and as such, is effectively copyright assignment.

It is perfectly fine to default to a group of authors in the copyright notices. But when one makes substantial contributions, they should be allowed to add their own notices, to make the copyright holder clearer, and so on. Gitea refuses to accept contributions that do not set “Gitea Authors” as the sole entity in the copyright notice. That isn’t what Hare, Forgejo, or the many other projects that default to a grouping do.

No? I can’t see any such requirement in that document. And the sources have copyright notices other than “Hare authors” too (example, example, example, etc)

It does blur the line pretty well, though, when one wants to treat the notice as an assignment.

The linked Gitea document also states:

Afterwards, copyright should only be modified when the copyright author changes.

…which reads like they treat the notice as indication that the copyright author (or holder) is the one in the notice.

I removed Gitea, on review I don’t think it counts as a copyright assignment per se.

The Prisma ORM requires a CLA.

You hereby grant to Prisma Data, Inc. and to recipients of software distributed by Prisma Data, Inc. a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute Your Contributions and such derivative works.

It seems plausible to me that forking when they try to do the rug-pull is a more powerful strategy than focusing on the CLA itself.

Their strategy is this: create the core of a good product, build up a community to support it, then use legal means to take control of the community’s work. But they can’t unlicense the GPL’d copy of the source.

I understand that there are problems when people focus too much on optics over substance. But optics do matter to some degree. If we fork after the rug-pull, it’s a good story: we worked with them in good faith, they betrayed us. Would you (the user) rather rely on the company that just stabbed its partners in the back or on the community that has consistently worked with people in good faith? It takes advantage of the community-building and open source work facilitated by the company, whereas simply refusing to contribute means that they have more political capital when they perform the rug-pull.

We can use the threat of forking to make it impractical for them to rug-pull even if they have the legal right to do so. Maybe there are reasons why this is not the best strategy, but it seems worth considering.

but there’s still quite a lot in between “it’s free” and “they’re pulling the rug!”. Gitea is still open source, but are its maintainers gonna merge features that their proprietary fork has as a selling point? VS Code is supposedly MIT-licensed (and, btw, requires a CLA), but any extensions to it come from a Microsoft “marketplace” that only Microsoft’s VS Code can download from (it is, in fact, a slight, proprietary fork). Eclipse has to run Open VSX for Theia and other derivatives. this of course puts all of them at a disadvantage - makes it non-trivial to switch away from VS Code. OpenTofu also had to write their own registry from scratch when forking from Terraform, increasing the complexity (and that’s one of just 2 successfully ex-Hashicorp projects).

or maybe putting it another way: a CLA is just one of the possible bad signs, maybe we should look at it more broadly?
