On 04/08/15 15:54, Blumenthal, Uri - 0553 - MITLL wrote:
>> On 04/08/15 00:37, Quanah Gibson-Mount wrote:
>>> I also don't get why a CLA is required, overall.
>>
>> It's not something I'm thrilled about either. However we have been
>> receiving legal advice. That advice tells us that we should be putting
>> in place a CLA.
>
> Also, did the advice you got explicitly state "'the' CLA as opposed to other
> possible licenses such as MIT, BSD, LGPL, etc."? Were any reasons provided
> that you may be able to share?
A CLA and the license that code has been put under are actually pretty orthogonal.

> (I've dealt with lawyers in the past, and this seems weird.)

The FSF requires copyright assignments for their projects, and a CLA could be considered just a milder equivalent of that, with the obvious exception that the legal title to the IP in the changes/additions doesn't change in a CLA.

There _is_ a rationale, and a legally well-founded one: a lot of programmers have made contributions to projects, and did so during their work time or using their employer's resources. Many (most?) software development companies, at least in the US and UK in my experience, have clauses in employment contracts which say that anything developed in company time and/or using company resources belongs to the company. In other words the company holds the copyright, and it should be up to an officer of the company (not necessarily an employee) to decide what gets released and under what terms. An employee is simply not entitled to release code they don't own. You could say the employee should be getting into trouble for that, but more importantly for OpenSSL, it means the company is entitled to require OpenSSL to remove it, as it wasn't the employee's to give.

I suspect OpenSSL doesn't want to have a massive body of code where some company, at some point, could come out of the woodwork and say you don't own large chunks of it, and are no longer allowed to use it; or could even say that users would have to pay a license fee! It would be bad enough for the OpenSSL project itself, but even worse for already shipped products using an OpenSSL library incorporating that code, especially embedded devices. There might even be issues with patents, as well as copyright.

A CLA is a way of getting the employee to consider and affirm that they do in fact own the copyright to a contribution. Alternatively, the employer can do the CLA.
Another important justification to have a CLA is so that in future, if the license needs to change again for whatever reason, e.g. a new version or because a legal flaw was found in the current license, then it doesn't require another round of finding every contributor to the OpenSSL project and obtaining their permission to change the license. I've already stated elsewhere that, to be honest, I'm doubtful it will be possible to do it once, but having to do it twice or more with a gap of further years is even less likely. You can't change the license of intellectual property you don't own.

I've just stumbled on http://oss-watch.ac.uk/resources/cla which also covers these points but with rather more detail.

Jifl
--
------["Si fractum non sit, noli id reficere"]------ Opinions==mine

_______________________________________________
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev