A couple of times I've noted people in this community indicate that there is a practice of committing on behalf of other people (most recently in a private mail that I have requested be discussed onlist), sometimes from different companies.
Before I go on I am not talking about contributions made through the normal contribution process (patch submission, or pull request) where the contribution does not contain significant IP. I am only referring to contributions that contain significant IP or are not made available through some public repository. If all cases referred to on this list have been of the former category then this is just informational. If any are of the latter category this is much more important (and at least one mail back in December indicated that significant IP would be involved). As a mentor I want to make it clear that the practice of committing third party code with significant IP but without an ICLA on file is not acceptable to the ASF. This is for two reasons, the first is legal, the second is social. All individuals contributing IP must sign an ICLA, it is the CCLA that is optional. Furthermore the CCLA is usually for named individuals, not for all employees. So having a CCLA on file from a company has little to no bearing on whether an individual has permission to contribute their code. Committing significant IP on behalf of someone else means you are committing code you do not have permission to contribute, or at least some argue that you do not have provable permission. Consequently, the foundation cannot provide the necessary legal protection for either the original author or the committer. [ASIDE many people in the ASF argue that the contribution under the Apache License is sufficient, this is not the forum for this discussion, current policy is that an ICLA is required - the forum to seek policy change is [email protected]] Since one of the foundations primary goals is to provide legal protection we cannot accept this practice. It not only puts the project at risk (code might have to be pulled out at a moments notice) but it puts our volunteers at risk. Secondly and arguably more importantly, the ASF is a meritocracy. We recognise people for their contributions. By contributing a third parties code you are robbing an individual of (at least some) of the merit they deserve and claiming it for yourself. This is not good for community development. Of course, if the contribution is coming through a pull request this is less of an issue, but will highlight the IP issues above. If nobody is contributing code that is not coming in through an active contribution process there is nothing to worry about and I'm just blowing hot air. If nobody is contributing code that contains significant IP but no ICLA is on file there is nothing to worry about and I'm just blowing hot air. If somebody finds them in either of these two positions we need to resolve it ASAP. It's usually just a question of educating the employer so let us know how we can help. Ross
