Good points. I agree that Apache could be made safer from submarine IP by making the validation process for ICLA-only signators stricter. The question becomes "How strict is too strict?"

Many truly freelance, self-employed developers contribute to OSS projects. My fear is that the more cumbersome an OSS organization makes the qualification process for individuals, the greater the deterrent for those freelancers to choose to participate in projects sponsored by that organization. Taken to extremes, you could end up with projects mostly populated by employee-contributors from a handful of commercial software companies. Commercial firms tend to have their own strategic agendas for participating in OSS projects. Those agendas may or may not be in the best interest of the particular projects they participate in or of the OSS community at large. Individual contributors play an important part in protecting the independence of OSS projects from corporate interests.

Out of curiosity, what sort of formal or informal validation does ASF currently do, if any, to determine whether an ICLA-only signator is self-employed? E-mail addresses are suggestive, but obviously not foolproof. Also I'm curious about other OSS organizations and their methods of reviewing individual contributors prior to accepting contributions.

Bear in mind that the fact a contributor is confirmed via some vetting process to be self-employed does not necessarily eliminate the risk of submarine IP introduction. Most freelancers are required to sign fairly lop-sided consulting services and invention assignment agreements with corporate principals for whom they develop code. Such agreements are another source of adverse ownership claims similar to the claims of an undisclosed employer.

Jim

-----Original Message-----
From: Joel West [mailto:[EMAIL PROTECTED]
Sent: Monday, March 21, 2005 10:56 PM
To: Jim Barnett; Greg Stein; Lawrence Rosen
Cc: [EMAIL PROTECTED]
Subject: RE: Corporate Contributions

On 10:55 AM -0800 3/21/05, Jim Barnett doth scribe:
>The CCLA-ICLA structure is certainly not foolproof.
>Individuals (intentionally or, more likely, unintentionally) may not
>disclose their employment status at the time of contribution. In some cases
>employee-contributors may sign ICLAs when their employers have not
>executed corresponding CCLAs. In that case, the only assurance ASF (and
>its downstream licensees) have is the representation made in the ICLA by
>the contributor that he or she has the right to make the contribution.

It seems to me that the CCLA is fine. In fact, it is a model for other OSS communities, including one I'm working on now. Instead, it's the option of the ICLA that creates the huge loophole and potential for exposure.

Intentionally omitting one's employer is a problem. I don't know if the ASF has ever identified (or enforced) sanctions for misrepresentation of intellectual property or the right to make such a contribution.

Even if we identify the employer, it gets sticky. If one is an employee of a company, and that company declines to sign a CCLA (either because the counsel hates it or is too busy to be bothered), then I find it hard to imagine a case where the employer/counsel would authorize the signing of the ICLA for IP generated by the employee.

Suppose the employee is generating the IP on his own time, and it seems clear cut -- say the employer makes disk drives and the project is a Java interpreter. Still, (from my own experience as both an engineer and manager) interpretation of "own time" is a question of fact and law that would depend on things like an employment agreement and the relevant restrictions of state law.

ASF has only limited resources and (like a firm) cannot possibly eliminate every legal risk. At the same time, the SCO suit is only the first example of other legal disputes that will arise over open source.

One possibility to reduce the risk would be to create a questionnaire for ICLA signees. It would ask about occupation, employment, consulting arrangements, and maybe a few yes/no questions.
The idea would be that if there are any factors that suggest a risk, perhaps it would be worthwhile to do a follow up to get further information.

Another option is to take advantage of the skewed nature of contributions. For an ICLA contributor who passes a certain threshold (5? 10? 20?), do a due diligence to make sure everything is copasetic. That would cut down the amount of spadework to the cases with the most exposure.

ASF seems less vulnerable to a submarine IP or other hostile attack because of the nature of its market segment and competitors (as opposed to Linux that competes with lots of things). But given how many projects are being added and how broad a net they encompass, it seems like the risk would go up every month.

Finally, ASF has been a pioneer for IP, for organizational structure, for incubating new projects. ASF's best practice will become the OSS community's best practice, so the benefits of addressing this would go beyond the Apache projects.

Joel

---------------------------------------------------------------------
DISCLAIMER: Discussions on this list are informational and educational only, are not privileged and do not constitute legal advice.
---------------------------------------------------------------------
