In a thread on Twitter, the CTO at Chef Software defended the company against the accusation from an open source contributor that it demands copyright assignment from contributors. Chef’s CTO Adam Jacob explained that the company does copy Apache rules and thus requires a copyright license agreement (CLA) in addition to Apache’s open source license – not copyright assignment. He said:
we have never asked for copyright assignment. We do ask for a license, as Apache license requires.
That’s not actually correct, even if it’s a sufficiently common misunderstanding that Jacob really shouldn’t be called out for asserting it (especially as he was probably just suffering from Twitter’s 140 character limit!). Copying Apache’s license does not imply you should copy the rest of Apache’s CLA practice. The Apache License v2 (ALv2) is the best choice among non-reciprocal licenses for new projects, mostly because it includes explicit patent licensing. It is a perfectly effective license to use for any open source project where the community has no expectation of contribution on the part of users of the code, as it conveys all the rights you need to work with the code independently of others.
That’s not to say you should withhold improvements – indeed, the Apache Software Foundation (ASF) anticipates you will choose to put “community over code” out of self interest if for no other reason. But ALv2 gives you full permission in advance to do anything you choose with the code, almost as if you owned it. Those “rights equivalent to ownership” even include the freedom to include the code in larger works under different copyright licenses, as long as they don’t impose terms that conflict with the terms of ALv2.
Out of an abundance of caution, the ASF also expects contributors to its projects sign Contributor License Agreements, specifically an individual license (ICLA) granting the ASF itself explicitly the same rights as ALv2 except without restrictions. If those contributors work for a company, rather than are acting individually, Apache usually expects their employer to sign a corporate license (CCLA) although clarified in response to this posting that it’s at the contributor’s discretion. Note that these documents are both copyright and patent license agreements.
Neither of them is a copyright assignment; they are just broad copyright licenses with no limits on use or relicensing. All the same, they convey rights as broad as a copyright assignment would do, except without the exclusivity that one would create. So while Jacob is technically correct that Chef is not requiring “assignment” the rights transfer they demand before they will accept a community contribution is so close it makes little difference to the average developer.
The “abundance of caution” mentioned above relates to the inclusion of explicit representations in these CLAs that the contributor has the rights needed to contribute. Pretty much every other open source community is happy to treat the act of contribution as sufficient representation of a right to contribute, but early in the life of ASF discussion involving certain corporate participants led to the application of these CLAs to contributions. Many people regard them as redundant, but since the beneficiary is a very stable and safe US public charity there are rarely complaints about them getting these direct grants of rights.
That’s not to say collecting them is a harmless act. Plenty of developers refuse to sign individual contributor agreements of any kind and plenty of corporations have legal processes that make signing corporate contributor agreements at best burdensome and at worst impossible. So having any form of contributor agreement comes with a significant social cost. The obligation to seek permission in advance to contribute is sufficiently burdensome that the Linux kernel community devised a process to avoid it while still satisfying conservative corporate participants.
Corporate vs Charity
The ALv2 in no way “requires” use of a CLA as was asserted. Still, we mostly tolerate the ASF’s CLAs, both for historical reasons and because the recipient of the aggregated rights is a charity. But a company is not. In particular, Apache says of the unlimited rights they are receiving in the ICLA:
the Foundation shall not use Your Contributions in a way that is contrary to the public benefit or inconsistent with its nonprofit status and bylaws in effect at the time of the Contribution.
You, however, will not be committing to protect the public benefit or the Apache bylaws. What’s more, Apache are often flexible and pragmatic about how and when their CLAs are used (see “desires”); it’s unlikely you will be. So if you decide you are going to adopt “the Apache model” for your open source project, please don’t for a second think you’re getting a free pass to apply a CLA to contributions. You will at best chill contribution, even if you get away with for a while.
If you are really worried about certification of origin, use the signed-off-by process using a Developer Certificate of Origin. At all costs avoid signed contributor agreements of any kind if you want broad participation. Certainly don’t demand copyright assignments – they are the ultimate community-chilling act, signalling that you need exclusive proprietary rights that are denied your contributors. But also don’t copy Apache’s ICLA/CCLA as that was not their intent when they devised them. In fact, even Jacob tells me he’d probably emulate the signed-off-by process if he was starting afresh today. You are not the same special case as Apache and neither deserve nor will be granted the same grace.
They are “Contributor License Agreements”, not “Copyright License Agreements”, and their purpose is to provide an independent archive of the contributor’s intentions so that the contributor won’t later be badgered by lawyers (as can happen when downstream corporations sue each other over provenance) or betrayed by employer forgetfulness (as can happen when the boss who said you could contribute that code leaves their job).
You are right that the (C)CLA is not necessary when contributions are made under the Apache license itself, but they might be useful for record keeping and as a quick way to answer questions of legal process.
However, there is a HUGE difference between an assignment and a license. Why on earth do you suggest they are almost the same? That’s like saying inviting a friend to stay over at your house is almost the same as giving them your house. An assignment assigns the legal power to control distribution of the work to some other entity, such that you no longer have that power yourself (even if the assignment includes an irrevocable license in return).
They actually are copyright and patent license agreements as they grant expansive licenses to copyrights and patents, even though you are correct that they describe themselves as Contributor Agreements. I’ll make a clarification so that’s not confusing, thanks Roy.
As a way of keeping records I think they are overkill, but I know you and others at Apache don’t see things that way. For me, the level of bureaucracy in DCO/signed-off-by combined with commit logs and mailing list evidence is as much as ought to be necessary, especially in a license in = license out world like Apache.
As for assignment vs unlimited licensing; I disagree. An unlimited license unlocks distribution rights like those the owner has, on a non-exclusive basis. If you think that’s like having a guest to stay at your house then your and my expectations of hospitality to guests differ greatly!