Contributor License Agreement corner cases

[mjg59]

If you don't have any interest in tedious licensing discussion then I recommend not reading this. It's not going to be a great deal of fun.

Having said that:

I'm looking at the Canonical Individual Contributor License Agreement (pdf here). In contrast to the previous copyright assignment, it merely grants a broad set of rights to Canonical, including the right to relicense the work under any license they choose. Notably, it does not transfer copyright to Canonical. The contributor retains copyright.

So here's a thought experiment. Canonical release a project under the GPLv3. I produce a significant modification to it. It's now clearly a derived work of Canonical's project, so I have to distribute it under the GPLv3. I have no right to distribute it under a proprietary license. I sign the CLA and provide my modification to Canonical. The grant I give them includes giving them permission to relicense my work under any license they choose. As copyright holders to the original work, they may also change the license of that work. But, notably, I have not granted them copyright to my work. I continue to hold that.

Now someone else decides to extend the functionality that I added. By doing so they are creating a work that's both a derivative work of Canonical's code and also a derivative work of my code. How can they sign the CLA? I granted Canonical the right to grant extra permissions on my work. I didn't grant anyone else that right.

This wasn't a problem with the copyright assignment case, because as copyright holders Canonical could simply grant that permission to all downstream recipients. But Canonical aren't the copyright holder, and unless they explicitly relicense my work I don't see any way that they can accept derivatives of it. The only way I can see this working is if all Canonical code is actually distributed under an implicit license that's slightly more permissive than the GPLv3. But there's nothing saying that it is at present.

Now, I'm obviously not a lawyer. I may be entirely wrong about the above. But asymmetric CLAs introduce an additional level of complexity into the entire process of contributing that make it even more difficult for a potential contributor to become involved. I've spent far more time than most worrying about licenses and even I don't understand exactly what I'm giving up, which is ironic given that a stated aim is usually that they increase certainty about licensing. Is the opportunity to relicense really worth alienating people who would otherwise be doing free work for you?

Comments

[reddragdiva]

I think you answered this one already:

At any level above the one-liner fix, or unless it's clearly in your personal or corporate interest to have your fixes in the release, it is not worth dealing with organisations so blatantly behaving badly, and is in fact worth not dealing with them so as not to reward bad behaviour.

FSF assignment is slightly different, in that they are a highly predictable actor (they've said and done the same things for 25 years) and their deal is not so that they can defect on the deal, as the Harmony agreements are.

The Harmony agreements and everything derived from them should be treated as odious bollocks, and any organisation using them should be shunned for blithering stupidity if not actual malice.

[reddragdiva]

Oh, and the existence proof for the worthlessness of contributor licence agreements is the Linux kernel. Everyone owning little slices of everything has not hampered Harald Welte and his successors from laying the copyright smackdown in a terminal and conclusive (not to mention beautiful) manner in the slightest.

[(Anonymous)]

Hmm,

I haven't thought of that.

So in this scenario, what would happen if the 3rd party developer who patched your code signed the CLA and Canonical took the patch? What would your recourse be as the copyright holder in that situation? Would you be able to restrain Canonical from accepting that patch? Would you be able to somehow get the 3rd party's CLA agreement revoked via a court proceeding?


-jef

[mjg59]

If that interpretation's correct (and again I strongly emphasise that I'm not qualified to determine that) then I suspect that the signing of the CLA would be invalid and Canonical would be obliged to either remove the code or accept it without the CLA terms.

[(Anonymous)]

Yes... assuming you have correctly identified an issue.

basically this means legal overhead of the entity requiring the CLA. If they do try to relicense, they could potentially end up in a legal quagmire because their CLA didn't provide them the protections they thought it was providing.

I can live with that as a 3rd party contributor making derived works of your contribution who is fine with a symmetric licensing situation. I'm most concerned about legal jeopardy I might be in by modifying your code (for functional improvement to benefit all users) and trying to submit it back under the CLA.

-jef

[https://www.google.com/accounts/o8/id?id=AItOawmE-31WRu_EpZ3xRydwafw9flv49AlO5Ss]

Since the CLA grants Canonical the right to relicense the GPLv3'd code, couldn't Canonical simply grant the new contributor the right to grant Canonical further licenses under the CLA? That is, since Canonical has the right to relicense the software, they can simply grant other contributors a specific additional license that allows for compliance with the CLA, but without giving any other real rights.

IANAL, but could the CLA be further interpreted as implicitly granting such a license?

[mjg59]

They could, and I don't know. My point was really that introducing CLAs makes things more difficult than you expect them to be.

[holdthesky]

Nobody's ever really convinced me what's wrong with CC-0 or PD (or equivalent) if I'm contributing as an individual. Most people are happy to accept contributions on those terms.

All this moral right / 6-bis / attr type stuff increasingly strikes me as vain.

I mean, why is it that with the ubiquitous CC-BY the only thing people won't give up is their pride, and then they get tangled in all of these legal tussles?

The biggest counterargument I can see is for the GPL v2 which /has/ succeeded in making code more open through its FOSS virality (justifiable, I think, but not a path I choose to go down). But that doesn't seem to be the big thing any more for individual contributions: it's all about ownership, control, attribution, pride, etc, which is the start of everything that makes life shit.

Of course it might be a good idea for a company or someone acting as a businessperson in coding to do this stuff for the purposes of accumulating dosh, but I think our fiduciary duty as real people is to letting go.

Take it or Leave It

[(Anonymous)]

Well,

all this copyright assignment / contributors assignment stuff is not really worth it.

When I want to contribute a patch to a project, which canonical or someone else owns, take it or leave it.

You are even free to "rewrite" the patch and use under your own license.

Copyright Assignment: Doesn't work for germany...not even in commercial companies. You own the copyright of your work, ever.

Contributor Assignment: why should I care about paperwork?

I mean every package which has my tag in debian/control or rpm.spec, which I created and have copyright, do i need to sign that now?

If so, just remove the package and wait for the userbase to rebel yell.

It's a not worthy paperwork for people who just wants to fix some bugs.

Re: Take it or Leave It

[(Anonymous)]

"Copyright Assignment: Doesn't work for germany...not even in commercial companies. You own the copyright of your work, ever."

Yeah in most European countries copyright is *not* transfer able (to the point that you cannot even sell it), still some people are trying to apply US law worldwide which simply does not work.

When you work for a company you basically grant the company a lifetime license to use your code, but you are still the copyright holder.

Not sure I get it.

[(Anonymous)]

I'm not sure I see the problem you're identifying. Although you're right about the collective ownership details of the project, surely the CICLA is only really concerning itself with the contribution itself?

That ought to be pretty much the sole property of whoever the contributor is. So even if Joe Hacker modified the (C) Canonical & mjg59 codebase, the agreement is only governing the patch (or whatever) to the extent that Joe Hacker holds rights to it. Yes, the patch is basically useless without the extra set of rights to the collective work, but I don't see how modifying that work means the patch itself is automatically (C) Canonical & mjg59 also.

Re: Not sure I get it.

[mjg59]

If the contributor is the sole copyright holder of the patch then things start getting complicated. If someone else writes a significant patch against a GPLed work (and which is clearly a derived work of the GPLed work), and says "I release this patch under 2-clause BSD", can I then modify that patch to include it in my proprietary work? I don't think that's obvious.

Re: Not sure I get it.

[(Anonymous)]

I _think_ (ianal) the problem here is not that patch author can't grant the rights to use it under BSD, but rather that by using it, you are necessarily also using a GPLed work. However, in this case, the Harmony agreement recipient already has the rights to relicence the GPL'd work, so there is no problem.

Re: Not sure I get it.

[mjg59]

Contributing to a project under such a license is effectively relicensing. While Canonical have the right to relicense my work to a more liberal license, and I've given them my work under that more liberal license, downstream recipients did not receive the work under that more liberal license. They're only entitled to provide modifications under the terms of the GPL, not GPL+extra permissions.

Re: Not sure I get it.

[(Anonymous)]

I think the end result here is just some licensing bookkeeping for the CLA authority.

Contributor A signs X's CLA.

Contributor B signs X's CLA and wants to patch the code contributor A as submitted.

X uses its relicensing powers to give B a license which states you are allowed to modify the code for the express purpose of contributing back.

It's a tight specific purpose re-licensing scheme where X uses the extra permissions you have granted them so they can take in derived works.

Now whether or not they actually have to do the licensing paperwork to create that tight purpose specific permissive licensing is something the lawyers would need to debate. But I think even if you were able to force some sort of GPL violation, they could instantly remedy it by granting the necessary permissive license to contributor B for the express purpose of commiting the derived work.

-jef

second derivatives

[(Anonymous)]

Canonical would end up with CAs from everyone who chose to sign one, covering every line in their tree. Can the first contributor then object to other people contributing patches that build on their work? It's hard to see grounds on which they could.

If that case is possible it seems like a fairly serious bug in Harmony.

-- mbp