Contributor License Agreements Ruin Most FOSS Projects

00:00

Say what you will about the differences in ideologies behind open source and free software

00:05

They are very very different movements

00:08

But I can completely respect supporters of both of these movements because

00:15

Even though they are very different movements with very different goals. They do have some overlap, but still fundamentally different

00:24

Licenses under both of these banners apply equally to all parties involved

00:30

Yes, a permissive license allows a company to come along, yoink the project, make it proprietary and make it theirs

00:39

But that applies to everybody. You can do the exact same thing. And yes

00:45

A copy left license stops people adding additional restrictions to the code

00:50

But that applies to everyone the developers and also you

00:55

However, sometimes the terms of the license are not good enough for certain projects

01:00

So in comes would refer to as a contributor license agreement

01:05

Often just referred to as its acronym

01:08

C-L-A

01:10

Now oftentimes when the term CLA is used it is used in a very negative light and I understand why

01:18

Because oftentimes you hear about them. They are a very negative document that are trying to destroy developer rights

01:24

They're trying to supersede the license and do other things which

01:28

Frankly should not be there in a free software or an open-source project

01:33

But like many things out there a CLA is

01:38

Only as bad as the terms of the document

01:41

There are cases where CLA are not as bad. There are cases where CLA are good

01:48

And then there are cases where they absolutely suck and you should run the other way

01:52

But in short a CLA is an additional document that often you're required to sign not always

01:58

There are some very key exceptions before you're allowed to contribute to the project

02:02

So here are a couple of examples prior to 2011 all Fedora contributors were required to sign the Fedora project

02:12

Individual contributor license agreement

02:14

This was then superseded by the Fedora project contributor agreement with the earlier document being based on Apache's

02:22

Individual contributor license agreement. As of 2008 the KDE project makes use of the fiduciary licensing agreement made by the FSFE

02:32

Now this is one of those cases where it is optional

02:36

Most people have not signed it. There are a lot of people that have

02:40

But you do not have to sign this document now

02:45

Arguably things like the FSF's copyright assignment are a form of CLA and most was made as kind of a

02:53

anti-cLA

02:55

Depending on who you ask the developer certificate of origin from the Linux foundation used in the Linux kernel is

03:02

Also a kind of CLA but when people use the term

03:06

Contributor license agreement CLA what they are often referring to are things like what discourse has

03:14

Where you are basically signing away all of your developer rights

03:19

Now all of these documents are very very very different. There is no one set thing

03:26

This is a CLA. Let's take for example the Fedora project contributor agreement

03:32

This document does not assign your copyright to the Fedora project

03:36

What it does is provides them with a license to make use of your code

03:41

It does not allow them to re-license the code outside of the terms of the license you already have so if you have code

03:48

that is licensed under a

03:51

GPL license it can be licensed under the terms of the GPL license if it's MIT

03:57

That is a more permissive license and it can be re-licensed in a more permissive way

04:02

But it doesn't give them any additional rights unless we are talking about unlicensed code in the case of code

04:09

That does not have a license

04:11

They can provide a default license and this license can be changed in short

04:16

You're saying I wrote this code you're allowed to use the code and you have to follow the terms of my license

04:23

And if I don't provide a license then you can license the code in a way you see fit

04:28

Let's go and look at the KDE fiduciary license agreement now

04:33

This one might seem intimidating because it is four pages long

04:37

one of those pages is just your information and

04:40

The first page and most the second page is just definitions

04:43

So the FSFE made this document to deal with the issues with full copyright assignment

04:49

So with the FSF for example, you assign your copyright to the FSF

04:55

Basically, they own your code now and this in the case the FSF is done for a good reason

05:01

If they need to go and protect that code in court if they own the code

05:05

This is much easier to do and generally you're going to trust the FSF is going to try to keep that code as free

05:12

software and isn't going to re-license it in a way that is now

05:17

Completely against the terms

05:19

Many other organizations you probably wouldn't trust with that

05:23

But this comes with an issue if the FSF is ever taken over and they decide, okay

05:29

We're just gonna go proprietary now. We don't actually care about free software anymore

05:34

They own all of the code and they can do whatever they want with it

05:39

They can re-license it they can do anything because they own the copyright

05:44

This document is made to deal with that

05:46

So instead of doing a full copyright assignment

05:50

What you are doing is assigning the economic rights over that code to the KDE project

05:55

Whilst retaining the moral rights of the code the rights to be identified as the author

06:02

So they can go and operate legally on your behalf if they ever need to go to court to go and fight some

06:09

Copyright troll or something like that. They can easily go and do so but you still own the code

06:15

This also means because you are still the author

06:18

They can't go evil down the line and then re-license all of the code

06:24

Also, it is an optional document

06:27

So if for whatever reason you don't like the terms of it you don't have to sign this one now as for the developer

06:34

Certificate of origin as I said, this is so light. This is so simple. This is the entire document

06:41

It hasn't half loaded. There isn't a longer version of it. This is everything. It is so basic

06:47

It is often described as the anti-CLA because it doesn't provide any additional rights

06:54

basically all it is saying is

06:56

You own the code and it has a suitable open source license and to the best of your knowledge

07:03

It is based upon works that you have the right to see you have the right to use

07:08

So it's a fork of some open-source project under a compatible license

07:13

It's not based on leaked code from a code base

07:16

You shouldn't be seeing you're allowed to use the code and the contribution is being provided by you or on

07:22

behalf of somebody else who wants the code to be contributed that's all

07:27

No additional rights. It is basically just saying we have the right to use the code

07:32

You have the right to use the code

07:34

We agree on this. It's pretty much to say if somebody does contribute code that

07:40

Maybe wasn't allowed to be in there. Maybe they intentionally did so. It is a very easy way to say

07:47

Okay, you agree to these terms don't do this again

07:50

And if it is malicious get out of here now in the past few years

07:54

whilst there has been some disagreement about the Fedora projects contributor agreement about whether it's doing too much whether the

08:01

Automatic licensing of unlicensed code should really be done whether that really makes sense

08:08

for the most part all of these documents are

08:11

considered at least

08:14

neutral if not positive even the case of the FSF's copyright assignment

08:19

specifically because it's being done with the FSF if you're doing a copyright assignment to say

08:26

Microsoft you might have a very different opinion and

08:30

That's where things like the discourse CLA come in because the discourse CLA is

08:37

Why people have an instant negative reaction to when they hear the term CLA?

08:44

If you ever see this phrasing right here you grant to the company this being a discourse in this case a non-exclusive

08:53

Irrevocable worldwide royalty-free

08:57

Sublicensible

08:59

Re-licensible, that's the big one transferable license under all of your relevant

09:04

intellectual property rights to use copy prepared derivative works of

09:09

Distribute and publicly perform and display the contributions on any licensing terms including without limitation a

09:16

open-source licenses like the GNU GPL v2 and be

09:20

Proprietary or commercial licenses except for the license is granted here in you reserve all right title and interest in and to the contributions

09:30

This right here is the big problem

09:34

Re-licensible because what you are saying here is I

09:38

Don't actually care about the terms of the license

09:41

If the company does not like the license and they want to go and change it to something that's more suitable

09:47

Maybe they want to go from GPL v2 to MIT maybe a proprietary license

09:53

You have given them the right to do so the problem with a CLA in this case is the unbalanced rights

10:01

You can't go and re-license

10:03

But they can when you see cases as extreme as this I think it is fair to argue that the project you're looking at

10:12

Might not even be an open-source project anymore. I definitely don't think it's a free software project, but

10:19

There's at least an argument to be had about whether or not something like this

10:23

Really still qualifies as either of those categories

10:26

And I think as a general rule because there are documents like the discourse CLA

10:32

It makes sense to immediately have a negative reaction when you hear the term

10:37

But as we saw from things like the fedora project the KDE project even in some cases the FSF or the Linux kernel

10:47

CLA isn't always an inherently bad concept

10:52

They just often get very very misused when you see something like discourse. I would honestly recommend

11:00

Running the other way. I don't consider this a free software or open-source project

11:06

If you have the ability to re-license my code now some people might disagree

11:12

Some people might be fine with it

11:14

But what is very important is if you see a document like this

11:19

Read the document and try to understand it if you don't understand it

11:24

Try to find someone else who knows what is being said someone who's hopefully broken it down if it's a good project

11:31

They're gonna provide an FAQ for example fedora does exactly that if they don't provide an FAQ

11:38

If they don't explain what all this means

11:41

Honestly, I would trust them even less. I am not here to defend CLA

11:46

Most of them suck. This is just a fact

11:50

But sometimes you might run across something like the developer's certificate of origin and it just doesn't really matter

11:57

It's completely okay. It's gonna be pretty rare, but maybe it happens. Anyway, if you

12:04

Learn something today

12:06

Let me know

12:07

Down below. Have you signed a CLA?

12:10

Would you ever sign a CLA and would you be okay with some of the ones we've seen here where they don't really provide any

12:17

Additional rights is just more like filling in some of the gaps

12:20

I would love to know so if you liked the video go like the video

12:24

And if you really liked the video and you want to become one of these amazing people over here

12:28

Check out the Patreon, SubscribeStar and LiberaPay linked in the description down below

12:33

That's gonna be it for me and

12:37

CL away

12:39

I don't know what to do with the outro sometimes