Anti-CLA action: what to do when you encounter a CLA

Wow, that’s fucking disgusting. That’s one of the most misleading ones I’ve seen.

their enforcement of that is unclear to me, btw. the signal-desktop repository has a CI-like check for your committer e-mail address, but i’ve contributed to their fork of the boring-sys crate (MIT), and tried contributing to libsignal (AGPL-3.0-only!) and their fork of webrtc (BSD-3-Clause) - these PRs were closed, but for completely different reasons, and the CLA wasn’t checked at all in that process. i haven’t signed that CLA as an especially abusive one, since they require providing a physical address and a phone number

Incus is worth mentioning here: Linux Containers - Incus - Introduction

There’s Gitea, who require listing “The Gitea Authors” as copyright holder, effectively requiring copyright assignment. (Forgejo does not require such a thing, and is a hard fork of Gitea.)

WriteFreely, AGPL-3.0 (only? later?) with CLA.

Deno (MIT), a JS runtime, has one:

You hereby grant, and agree to grant, to Deno Land a non-exclusive, perpetual, irrevocable, worldwide, fully-paid, royalty-free, transferable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, and distribute your Contributions and such derivative works, with the right to sublicense the foregoing rights through multiple tiers of sublicensees.

There’s Gitea, who require listing “The Gitea Authors” as copyright holder, effectively requiring copyright assignment.

But that’s not a copyright assignment—it’s just a copyright notice written in a way not to have to deal with (marginally) more useful copyright notices. And it is, btw, the same thing Hare does.

A copyright notice “Copyright $year $name” isn’t entirely meaningless, but does not by itself affect who has copyright.

Personally, I think they’re pretty useless. Using a generalized one, such as “The $name Authors,” admits that.

There’s CyberChef. But I wasn’t about to contribute to a tool by a state signals agency anyway.

Can someone explain why these organizations have CLAs when they don’t have a dual license option? Does it just leave the door open to a sketchy dual license (or just switching to full proprietary) down the road?

Go requires a CLA; as do Google’s other Free software projects. They also require you to have a Google account.

Lumping copyright notices into a group of authors is one thing - and can be a desirable thing. Hare does that, Forgejo does that, lots of projects do that. That’s all fine. Requiring that exact line to be added, even when the contributed code’s author and copyright holder is a different entity, however, is wrong. It erases their right of attribution granted by the MIT license, and as such, is effectively copyright assignment.

It is perfectly fine to default to a group of authors in the copyright notices. But when one makes substantial contributions, they should be allowed to add their own notices, to make the copyright holder clearer, and so on. Gitea refuses to accept contributions that do not set “Gitea Authors” as the sole entity in the copyright notice. That isn’t what Hare, Forgejo, or the many other projects that default to a grouping do.

No? I can’t see any such requirement in that document. And the sources have copyright notices other than “Hare authors” too (example, example, example, etc)

It does blur the line pretty well, though, when one wants to treat the notice as an assignment.

The linked Gitea document also states:

Afterwards, copyright should only be modified when the copyright author changes.

…which reads like they treat the notice as indication that the copyright author (or holder) is the one in the notice.

I removed Gitea; on review I don’t think it counts as a copyright assignment per se.

The Prisma ORM requires a CLA.

You hereby grant to Prisma Data, Inc. and to recipients of software distributed by Prisma Data, Inc. a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute Your Contributions and such derivative works.

It seems plausible to me that forking when they try to do the rug-pull is a more powerful strategy than focusing on the CLA itself.

Their strategy is this: create the core of a good product, build up a community to support it, then use legal means to take control of the community’s work. But they can’t unlicense the GPL’d copy of the source.

I understand that there are problems when people focus too much on optics over substance. But optics do matter to some degree. If we fork after the rug-pull, it’s a good story: we worked with them in good faith, they betrayed us. Would you (the user) rather rely on the company that just stabbed its partners in the back or on the community that has consistently worked with people in good faith? It takes advantage of the community-building and open source work facilitated by the company, whereas simply refusing to contribute means that they have more political capital when they perform the rug-pull.

We can use the threat of forking to make it impractical for them to rug-pull even if they have the legal right to do so. Maybe there are reasons why this is not the best strategy, but it seems worth considering.

but there’s still quite a lot in between “it’s free” and “they’re pulling the rug!”. Gitea is still open source, but are its maintainers gonna merge features that their proprietary fork has as a selling point? VS Code is supposedly MIT-licensed (and, btw, requires a CLA), but any extensions to it come from a Microsoft “marketplace” that only Microsoft’s VS Code can download from (it is, in fact, a slight, proprietary fork). Eclipse has to run Open VSX for Theia and other derivatives. this of course puts all of them at a disadvantage - makes it non-trivial to switch away from VS Code. OpenTofu also had to write their own registry from scratch when forking from Terraform, increasing the complexity (and that’s one of just 2 successful ex-HashiCorp projects).

or maybe putting it another way: a CLA is just one of the possible bad signs, maybe we should look at it more broadly?

Just wandered across wing while looking into some potential shady self-promotion on Reddit. Ignoring the mixed-licensing of the project, most of it is under MIT for which they point to a Contributor License as part of their PR template, which is opt-in via opening a PR.

They also have a bonus “Contributors Terms of Service” which assigns rights (5.2) while additionally having this fun mechanism of acceptance (1.2):

BY CLICKING THE BOX INDICATING YOUR ACCEPTANCE OF THIS CTS, BY CONTRIBUTING ANY CONTENT TO THE PROJECTS OR BY OTHERWISE PARTICIPATING IN A PROJECT, YOU ACKNOWLEDGE THAT YOU HAVE READ AND UNDERSTOOD THE FOLLOWING TERMS AND YOU AGREE TO BE BOUND BY THEM AND TO COMPLY WITH ALL APPLICABLE LAWS AND REGULATIONS REGARDING YOUR PARTICIPATION IN OR ENGAGEMENT WITH THE PROJECT […]

Overall it’s about 4.5k words to read before contributing.

MobilityData projects including their CC0 transit software list require contributors to sign a CLA which includes giving away your mailing address and telephone number. Which is bizarre to me as this is literally just a list but they wanted me to even sign a CLA for that?

See here: List OTP Mobile Apps as No Longer Maintained and Add KDE Itinerary by Pi-Cla · Pull Request #247 · MobilityData/awesome-transit · GitHub

Before I even read your post I already made a fork of the list with my changes.
(and removed anything I thought was not “FOSS”)
Anyone can take a look at it here: Pi-Cla/delightful-transit: A curated list of delightful FOSS transit APIs, apps, datasets, research, and software - Codeberg.org

What the actual fuck? They want your mailing address and phone number with the CLA? To contribute to yet another silly “awesome $x” list? That’s ridiculous.

In this case it is unclear what “The Authors” means. But on FOSS project landing pages you see things like “Copyright [The Project] and contributors”, which I think adheres to the license that says contributors retain the copyright of their contributions.

So… this is likely an unpopular opinion here, but I don’t think the focus should be on CLAs. I also find them a little dodgy at times, to be sure.

But history (/me gestures vaguely) has shown that it’s hard to defend copyright claims when IP owners are not reachable. So assigning copyright in the way the FSF asks for is not a bad idea per se, and a CLA is a mechanism for doing this kind of thing. That is, as long as that entity is reachable and reasonably funded.

Where I do agree with the “CLA = bad” take is when it comes from a commercial entity. And I can see that it almost always does come from one of those.

I would prefer a better mechanism that can also guarantee the defensibility – and no, the DCO isn’t; it serves different purposes.

I mean, in practice I don’t tend to sign CLAs, either, but that’s for mostly unrelated reasons.

an addition to the list i honestly did not expect: Khronos Group.

Grant of Copyright License. Subject to the terms and conditions of this Grant, You hereby grant to Khronos and to recipients of software distributed by Khronos a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute Your Contributions and such derivative works.