On Thu, 2005-03-24 at 19:54 -0500, Geir Magnusson Jr. wrote:
> On Mar 24, 2005, at 5:51 PM, robert burrell donkin wrote:
> >
> > i also find it hard to understand how any contribution by a UK
> > employee could put any downstream users at risk. if an employee
> > takes existing code copyrighted by their employer and intentionally
> > makes it available without permission then this is theft. a buyer
> > acting in good faith who purchased stolen goods is not liable
> > (though stands to lose the good in question which would mean that
> > implementation would have to be rewritten around the stolen
> > material, i suppose). this applies in a very straightforward fashion
> > to open source contributions (from UK employees, at least):
> > providing that the copyright has been assigned to the ASF and has no
> > obvious signs that it has been stolen, then it can be safely
> > accepted.
> >
>
> I see at least two risks.
>
> First, is the SCO problem - that someone will be able to come and
> shake them down after they have made a significant investment of
> infrastructure and development around the software we create and
> distribute. Think about it - what if there was something in httpd that
> allowed someone to go to Amazon and "offer" them a license or require
> they drop their web servers.... It's probably a fairly easy
> calculation to figure out what you could squeeze out of them.

<IANAL>

i'm not at all sure that this scenario is possible under UK law in
particular or european law in general. in germany, SCO's attempts to
extract license money on the basis of code that it may or may not own
resulted in SCO being sued rather than the other way around.

copyright is a criminal matter here and what matters is that the
downstream users act in good faith. it doesn't matter whether you buy
commercial software from a middleman who turns out to be a fraudster or
download an open source product which turns out to contain stolen code:
providing that you acted in good faith, the worst that can happen is
that a court can rule that the software was stolen and that you must
return it to its lawful owner.

"offer"ing a promise not to report a crime in return for cash may be
construed as blackmail which is a serious criminal matter in the UK (and
most european jurisdictions, i think). IIRC this legal argument was the
one that persuaded SCO to stop offering licenses in germany.

for code contributed by european committers, i suspect that there really
isn't any middle ground: either the original code contained copyright
notices indicating that it was owned by the employer which were removed
unlawfully by an employee in an attempt to steal the code or the code
was never actually owned by the employer (the employee was moonlighting
on company time). in either case, until a court order is obtained by the
employer, downstream users should be safe provided that they act in good
faith. i would hope that any such court case would necessarily involve
the contributors who (it would be hoped) notify the ASF as soon as any
writ was moved. this should provide time to isolate and remove any
suspect IP.

the ASF is right in demanding assurances from its contributors since
this will prove that it was acting in good faith.

the jurisdiction shopping element is more interesting. i wonder whether
ownership of copyright would have to be proved in a european court using
european ownership laws for code created in europe or whether a
multinational would be able to persuade a US court to apply US rules
governing ownership. i'd be interested to hear speculation on this
matter.

</IANAL>

> Second, I'm worried about how an OSS project could be disrupted or
> even hijacked - let some employee commit employer code and/or do work
> a project in a significant way, and then after enough of that work
> becomes core and fundamental to the project, announce it wasn't
> permitted by employer and that the ASF must remove said code, which in
> the absence of some indication that the employee had the right, we
> would do. That would have a significant adverse effect on a community,
> and could allow in certain circumstances, that employer to fork the
> project by licensing the employees work under a license we can't deal
> with, and letting the project continue under their control....

<IANAL>

there are two possibilities in this case: either the code in question
was owned by the company (and so had copyright notices) or the code was
owned by the employee when it was submitted.

copyright theft is a serious criminal matter in europe. admitting that
you removed copyright notices from code owned by your employer and
peddling it on the open market seems very likely to end up with you
spending a long time in gaol. providing that the ASF and downstream
users could prove they acted in good faith, then they would simply have
been the victims of an elaborate fraud and would have to rewrite the
codebase or license it from the company. from fraud, a CCLA provides no
protection.

if an employer allowed a european contributor to create code on company
time which was not copyrighted to the company, it would be difficult for
the company to claim ownership of the code. UK law in particular is
based on master-servant and there is a duty for the master to supervise
the activities of the servant adequately. where there is no question of
fraud, the usual sanction would be the sack. automatic assignment is
limited under UK statute. IIRC in the past, long court cases have been
required to reassign ownership from an employee to an employer and have
not always succeeded. again, in this case a CCLA would provide no real
protection: the relevant employment statute would be the question.

again, the jurisdiction shopping element is interesting.

</IANAL>

> > if the ASF is serious in going down this route then maybe some
> > consideration of the consequences on committers outside the US may
> > be appropriate...
>
> Of course :) We may not get a perfect solution, but I believe that we
> can improve on the situation.

US employment law seems pretty clear and requiring CCLAs from
contributors employed in the US sounds like a very good idea. in other
jurisdictions, though, employment law is very different. an enhanced CLA
for some jurisdictions may be a better idea.

- robert

---------------------------------------------------------------------
DISCLAIMER: Discussions on this list are informational and educational
only, are not privileged and do not constitute legal advice.
---------------------------------------------------------------------
