Anti-CLA action: what to do when you encounter a CLA

dcz · March 27, 2024, 12:00pm

Products of the Qt Company, notably Qt and QtCreator.

The “Direct action” advice falls apart here: those are big projects relative to the number of people interested in maintaining them. When Qt Company started lagging releases, KDE still didn’t decide to fork.

I’m still kinda interested in forking QtCreator and adding Rust debugging support, but I don’t have enough time to maintain a fork on my own. Any collaborators?

I could contribute patches to downstream distros, but even if they take it, what happens next - what’s the mechanism of change? Will they be interested in maintaining the patches forever? If patches keep appearing, how likely is it that the distro stops accepting them versus convinces the upstream to drop CLA?

ddevault · March 27, 2024, 12:01pm

I think you could bring up a fork with KDE, they have the labor pool to maintain it. Did they ever discuss this?

Depends on the size of your change. A small patch is more likely to be carried downstream than a bigger change. But if you’re in a position to make bigger changes you might also be in a position to maintain a bigger fork.

dcz · March 27, 2024, 12:06pm

I have a vague recollection that this was considered. A quick search gives me very little info:

Maybe I should ask at the source.

ddevault · March 27, 2024, 12:06pm

I think a serious discussion about a Qt fork could go well with KDE. This is actually a case where I think there does exist a sizable labor pool ready to take on a fork, without having to build it from scratch.

noelle · March 27, 2024, 12:24pm

Signal Messenger is another large project that requires a CLA, featuring this clause:

Grant of Copyright License. Subject to the terms and conditions of this Agreement, You hereby grant to Open Whisper Systems and to recipients of software distributed by Signal Messenger a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, and distribute Your Contributions and such derivative works, as well as the right to sublicense and have sublicensed all of the foregoing rights, through multiple tiers of sublicensees, provided that in all cases, Signal Messenger will make Your Contributions available under an OSI-approved open source license.

hexaheximal · March 27, 2024, 12:52pm

Some projects to add to the list:

Audacity
Synapse (the Matrix server implementation)

(also Aseprite, which used to be GPLv2, but they eventually used the CLA power to become proprietary)

ddevault · March 27, 2024, 12:59pm

Audacity was forked: https://tenacityaudio.org/

hexaheximal · March 27, 2024, 1:00pm

That’s true, although Audacity still exists and is GPL afaik.

smlavine · March 27, 2024, 1:08pm

Aesprite was also forked: GitHub - LibreSprite/LibreSprite: Animated sprite editor & pixel art tool -- Fork of the last GPLv2 commit of Aseprite

hexaheximal · March 27, 2024, 1:09pm

I know, that’s where I got the commit link from. Libresprite is very based

iyzana · March 27, 2024, 1:31pm

The Unicode Consortium also requires a CLA for contributing to their libraries:

github.com

unicode-org/.github/blob/main/.github/CONTRIBUTING.md

# Contributing to this project

## Contributor License Agreement

In order to contribute to this project, the Unicode Consortium must have on file a Contributor License Agreement (CLA) covering your contributions, either an individual or a corporate CLA. Pull Requests, issues, and other contributions will not be merged/accepted until the correct CLA is signed. Which version needs to be signed depends on who owns the contribution being made: you as the individual making the contribution or your employer. **It is your responsibility to determine whether your contribution is owned by your employer.** Please review the [Unicode Intellectual Property, Licensing, & Technical Contribution Policy][policies] for further guidance on which CLA to sign, as well as other information and guidelines regarding the Consortium’s licensing and technical contribution policies and procedures.

To sign the CLA in Github, open a Pull Request (a comment will be automatically added with a link to the CLA Form), or go directly to [the CLA Form][sign-cla]. You may need to sign in to Github to see the entire CLA Form.

- **Individual CLA**: If you have determined that the Individual CLA is appropriate, then when you access the CLA Form, click the Individual CLA and complete the Form.

- **Corporate CLA**: If you have determined that a Corporate CLA is appropriate, please first check the [public list of Corporate CLAs][unicode-corporate-clas] that the Consortium has on file. If your employer is listed, then when you access the CLA Form, you can click the box indicating that you are covered by your employer’s corporate CLA. If your employer is not on the list, then it has not already signed a CLA and you will need to arrange for your employer to do so before you contribute, as described in [How to Sign a Unicode CLA][signing].

Unless otherwise noted in the `LICENSE` file, this project is released under the [OSI-approved][osi-Unicode-License-3.0] free and open-source [Unicode License v3][unicode-license].


[policies]: https://www.unicode.org/policies/licensing_policy.html
[unicode-corporate-clas]: https://www.unicode.org/policies/corporate-cla-list/
[signing]: https://www.unicode.org/policies/licensing_policy.html#signing
[unicode-license]: https://www.unicode.org/license.txt
[sign-cla]: https://cla-assistant.io/unicode-org/.github

This file has been truncated. show original

dan · March 27, 2024, 2:00pm

Canonical recently added a CLA to LXD. I imagine there’s other canonical projects with the same.

I find their wording a bit sneaky:

All contributors must sign the Canonical contributor license agreement, which gives Canonical permission to use the contributions. The author of a change remains the copyright holder of their code (no copyright assignment).

and then similar on their legal/contributors page:

It’s the easiest way for you to give us permission to use your contributions. In effect, you’re giving us a licence, but you still own the copyright — so you retain the right to modify your code and use it in other projects.

They make it sound like this is simply required for use, but the actual CLA text is a few pages and far more widespread, including:

(2.1,b) To the maximum extent permitted by the relevant law, You grant to Us a perpetual, worldwide, non-exclusive, transferable, royalty-free, irrevocable license under the Copyright covering the Contribution, with the right to sublicense such rights through multiple tiers of sublicensees, to reproduce, modify, display, perform and
distribute the Contribution as part of the Material; […]

and

(2.3) Based on the grant of rights in Sections 2.1 and 2.2, if We include Your Contribution in a Material, We may license the Contribution under any license, including copyleft, permissive, commercial, or proprietary licenses. […]

Their CLA FAQ makes not mention of possible re-licensing.
Some additional context and license info by Stéphane Graber here.

ddevault · March 27, 2024, 2:01pm

Wow, that’s fucking disgusting. That’s one of the most misleading ones I’ve seen.

lnl · March 27, 2024, 5:37pm

their enforcement of that is unclear to me, btw. the signal-desktop repository has a CI-like check for your commiter e-mail address, but i’ve contributed to their fork of the boring-sys crate (MIT), and tried contributing to libsignal (AGPL-3.0-only!) and their fork of webrtc (BSD-3-Clause) - these PRs were closed, but for completely different reasons, and the CLA wasn’t checked at all in that process. i haven’t signed that CLA as an especially abusive one, since they require providing a physical address and a phone number

WhyNotHugo · March 27, 2024, 7:28pm

Incus is worth mentioning here: Linux Containers - Incus - Introduction

algernon · March 27, 2024, 8:01pm

There’s Gitea, who require listing “The Gitea Authors” as copyright holder, effectively requiring copyright assignment. (Forgejo does not require such a thing, and is a hard fork of Gitea.)

jacksonchen666 · March 27, 2024, 10:40pm

WriteFreely, AGPL-3.0 (only? later?) with CLA.

copyleftie · March 27, 2024, 11:37pm

Deno (MIT), a JS runtime, has one:

You hereby grant, and agree to grant, to Deno Land a non-exclusive, perpetual, irrevocable, worldwide, fully-paid, royalty-free, transferable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, and distribute your Contributions and such derivative works, with the right to sublicense the foregoing rights through multiple tiers of sublicensees.

humm · March 28, 2024, 1:58am

There’s Gitea, who require listing “The Gitea Authors” as copyright holder, effectively requiring copyright assignment.

But that’s not a copyright assignment—it’s just a copyright notice written in a way not to have to deal with (marginally) more useful copyright notices. And it is, btw, the same thing Hare does.

A copyright notice “Copyright $year $name” isn’t entirely meaningless, but does not by itself affect who has copyright.

Personally, I think they’re pretty useless. Using a generalized one, such as “The $name Authors,” admits that.

thavelick · March 28, 2024, 2:05am

There’s CyberChef. But I wasn’t about to contribute to a tool by a state signals agency anyway.

Can someone explain why these organizations have CLA’s when they don’t have a dual license option? Does it just leave the door open to a sketchy dual license (or just switching to full proprietary) down the road?