Do not sign CLAs

moonglum · March 21, 2024, 7:38pm

Drew wrote on the Fediverse:

Many years ago, I was one of the first engineers working on ArangoDB (even before it was called that). At that point, it was an open source project, and I was paid to work on it. It was great. Later, I had some… disagreements with the directions of the project and company and left. Before I left, I was “asked” to sign a CLA. To this day, I wonder if I really had to sign that (most of the time I worked on the code, I was paid for it by the company—an outrageously low amount of money, but still… money).

If someone asks you to sign a CLA after you already contributed, do you need to sign that?

algernon · March 21, 2024, 7:46pm

IANAL, but my understanding is: “no”.

However, most contracts I came across in the past two decades, did contain a provision that code you write for the company while employed them, is the property of the company (some even attempted to lay claim to code I write outside of work - without much success). I would be surprised if your contract did not involve something of that sort - although, them asking for an explicit CLA might indicate that it did not, in which case you could have said no.

ddevault · March 21, 2024, 8:33pm

Definitely not. You can absolutely refuse.

But yes, like algernon mentions, you may have already signed your rights away in your employment contract. But you never need to sign something else, no one can coerce you into signing anything for any reason.

dcz · March 22, 2024, 1:38pm

IIRC, in many jurisdictions if you’re paid to create an artifact, the rights to that artifact belong to whoever paid you for it.

This depends a bit on the exact form of employment, but I think it’s safe to say that by default, you don’t need to sign any CLAs because they already own the code, even if it’s not explicitly written in the contract.

levitte · April 4, 2024, 4:43pm

To have that happen after the fact seems weird. Can a CLA even be applied retroactively? (well, I suppose it can if termed that way, but…)

moonglum · April 7, 2024, 3:02pm

If you ask a young and naive employee like I was, it is definitely possible But as pointed out above, it might very well be the case, that my work contract covered that already. It is of course not as simple as that, because I of course also worked on the project outside of work hours… But… yeah.

chris · April 7, 2024, 4:06pm

At my last job, I worked with legal on exactly that.

The conclusion we reached was that, for the standard contract we gave our employees, contributions of a person after they leave the employ of the org are not owned by the org.

The solution was to ask all employees to sign a CLA as part of their contract.

Those that had already left before that policy change, we had absolutely no means (or intention) of asking to sign. We didn’t need to, but even if we wanted to, we couldn’t.

So, IANAL, but after working with some lawyers, as Drew said above, no, you don’t have to sign anything.

(in Europe, at least).

jfinkhaeuser · April 11, 2024, 6:53am

Since you mention ArangoDB, and I happen to know they’re German: under German employment law you typically automatically sign over copyright (even though a lot of contracts contain extra clauses for this), but you cannot sign over Urheberrecht (which is a pretty unique thing to Germany).

Urheberrecht has whoever is named as the author, so it’s a good idea to add your name to commit messages. It doesn’t give you much if copyright is simultaneously assigned to your employer, but you can keep a copy of your code. You can’t put that code into new projects, but you can refer to it to see how you did things before, i.e. use it as a basis for a sufficiently different rewrite (with a brand new commit history, nothing shared, etc.).

This is a tad off-topic, I know, but the point is, the CLA isn’t necessarily a problem in Germany and in this situation, but it surely is weird.

coco · April 17, 2024, 10:27pm

Most of the discussion here around CLAs is from this point of view: a large organization develops a program, and uses a CLA to steal the work of many small external contributors to the code. The inevitable conclusion is that CLAs are bad and must be rejected. I agree with this conclusion.

However, this is not the only possible situation in which a CLA may be relevant. Sometimes, a corporation can gain a foothold on the software of an individual author just by submitting a trivial patch. In that case, a CLA may protect the individual coder from undue leverage by the corporation.

To have a concrete example, let me share my own experience.

In my research lab we developed a program of scientific interest and published it under the AGPL. A “very large” company was interested in this program, and paid us to continue developing the program (not directly to us: they financed salaries for post-docs and phd students associated to the project, as is common in academia). During the course of this work, people from the company found and fixed a couple of minor bugs in our program, and of course we accepted their patches. The code was still AGPL, but since we didn’t have a CLA, people from that large company became copyright holders of our program.

A couple of years later, another large company was interested in our program, and offered us a similar arrangement. However, they wanted to buy a private license for the current version of our code, and they wanted to pay us a lot of money (in the form of a postdoc salary for a couple of years). Now, we couldn’t sell this code under a different license because it contained a handful of lines by people from the first large company, and these people didn’t work there anymore. Thus, we had to fork our own code from just before the first external contribution, and painstakingly add all the new features and bug corrections (except of course the bugs corrected by those people, which fortunately were easy to contour in another way).

This was a considerable amount of work, mostly useless, that could have been avoided if we had just asked the people from the first company to sign a CLA. In some sense, I felt that by merely submitting a trivial contribution without a CLA, the large company gained a kind of foothold in our software, through which they could exert undue leverage, and this left a very bad taste in my mouth…

Before reading Drew’s arguments, I had a mostly positive attitude towards CLA, due to the experience described above. Also, due to the fact that the GNU project asks all contributors to waive their copyright to them, which makes sense to me (as the FSF is extremely unlikely to “pull the rug” due to its explicit mission). Now, I acknowledge the other point of view, but I’m not able still to form an opinion on whether CLA are universally good or bad.

ddevault · April 18, 2024, 9:03am

I feel like this being difficult is a by-design part of the pressure against CLAs. You should not have been able to relicense anyone else’s contributions to sell a weaker license to a business. I am sympathetic to academia and the difficulties of getting funding for postdocs etc, but nevertheless, this is not a case where I would feel that a CLA is appropriate.