Copyright License Agreements

Story

One can imagine the new rules of Open Source Initiative, in nascent or established open source communities.

Lets say Jane is a software developer coming back to open source. She makes a pull request to a project, lets call it Albatross. Paul contacts her.

Paul: I see you made a pull request to our repository, that's great! But we need to know whether we can incorporate and distribute your code. Therefore you must sign a Copyright License Agreement (CLA).

Jane: Err, ok... But what do you mean you need to know? I licensed my code with BSD, I added a line in every commit message. Check...

Paul: Sorry, we can't accept BSD. Our lawyers told us that it wouldn't be prudent to incorporate BSD code.

Jane: .. all your project is BSD licensed. If it's not prudent for you, then why is it prudent for others?

Paul: Ah, you'd think it's the same thing? It's not, because ours is licensed outbound, that is, to third parties. In order to be sure we can license it to third parties as BSD, we need a CLA from you.

Jane: I'm not sure I follow you. My code is licensed BSD too, isn't it? It's licensed to everyone, it's licensed to you, as it is to whatever third parties or others getting a copy of my code.

Paul: Nope. It's a bit tricky I know, but your code is not BSD. It doesn't allow these permissions to everyone. Heck, we don't even know what permissions it gives, so we need a CLA to find out.

Jane: ..It is BSD. Look at this "licensed under BSD" line in this commit... I can make it more verbose? I also had my modifications on my site, and available for download, and people got them under BSD of course.

Paul: Well, it depends. Did you press that button to make a pull request?

Jane: Yes...?

Paul: Then you're a contributor now. We don't know if we can legally distribute code from contributors, unless you grant us permissions to do so.

Jane: I did? It's BSD licensed, of course you can!

Paul: Nope, it's not BSD licensed, because if a license is coming from a Contributor, then we are going to call it inbound license. Inbound licenses were not approved by OSI, they're not open source at all. What if you sue us later to stop distributing it? That's why we are asking you to sign this CLA. It's modeled after Apache CLA, and was written by lawyers. Look, it says here: "in order to clarify the intellectual property matters between you, the Contributor, and Albatross Foundation, us, we need a signed document on file".

Jane: Wait a minute. I heard about these CLAs, but what I heard was that some projects wanted them to relicense code, because they contain a maximally broad copyright license to let you copy and distribute and all, under any other license. But this is BSD, okay? It gives you almost the same license as those CLAs anyway, what do you need to relicense to?

Paul: No, no, you don't understand. We don't need to relicense, we will license as BSD. This is just a matter of legalities. We need to know whether we can incorporate and distribute your code in our open source BSD-licensed project, safely, in legal terms.

Jane: BSD are legal terms... it's a copyright license? It's so popular, everyone knows BSD and knows they can distribute. It says that. It does that. Why can't you? I don't want to be difficult, just to understand what and why...

Paul: Okay, no problem, look, I understand this must be news to you. You used to work on the old version on usenet, didn't you? Heh, those were the days! People giving each other a license and to everyone else in the same time! No one needed permissions to add code, to modify code, to distribute, because Open Source licenses assured that you could do all these things. Well, those times have changed. We now found out that inbound licenses are not safe to use, they're not Open Source, they don't give the rights we need. Even OSI didn't review them, and didn't approve them. The OSI counsel said that clearly.

Jane: Said what?

Paul: That inbound licenses are not Open Source. Licenses weren't reviewed in inbound use, they might not give the rights to everyone obtaining a copy of this software.

Jane: But BSD is an OSI approved license!

Paul: Yes, BSD is an OSI approved license, but only from us.

Jane: ...?

Paul: Yes, that's how it is now. Look, you can understand if you inform yourself looking around on the internet. There is this site, harmonyagreements.org, which contains CLAs drafted by the OSI counsel himself, and people who are now directors at OSI. There's also this other site, contributoragreements.com, an off-shot site I think, sponsored by the same entity, with some interested corporations. And they define things this way: "inbound licenses are the licenses you grant to a project entity, e.g., a foundation, company, publisher, or any other entity that manages the rights for your content", and "outbound licenses are the licenses provided to third parties, that regulate permissions granted to third party users". Now, OSI counsel said OSI reviews and approves only outbound licenses.

Jane: That... distinction, okay, sounds very wrong somehow. I mean, from my perspective, my license is outbound, because I wrote this code, I am the copyright holder, right? I am giving a license, by which "redistribution and use in source and binary forms, with or without modification, are permitted provided...". BSD was approved by OSI, as clearly open source, and doing exactly that: permitting distribution provided only that those conditions...

Paul: No, it wasn't approved by OSI when it is from you. So we can't be sure it permits us to do those things. That's why we need...

Jane: Wait, this confuses me. OSI approves copyright licenses, irrevocable grants of permissions on the exclusive rights under copyright. How wasn't it approved when it is from me? I am the copyright holder, from who else could they have approved licenses, you can't say from a licensee?

Paul: Actually, that's spot on, Jane. Yes, OSI approves now only licenses from licensees that got their rights from copyright license agreements, like our CLAs. It doesn't approve licenses from individual copyright holders, at least not since you pressed that pull request button. That gesture makes you now a Contributor, and licenses from Contributors weren't approved by OSI.

Jane: Are you saying that before I pressed that button, my license for my modifications was good enough, and OSI-approved, but after I pressed it, it isn't? It's just a button...

Paul: Yes, exactly! Well yeah, it might seem to not make much sense, not if you think at how copyright works, and not if you think how open licensing has always worked, since it was born and grew to what is it today. But now things have changed, open source software is no longer made by hobbyists pooling together their work in a free environment, people tinkering away at something damned good they loved to work on. OSI president said in an article that now open source has won, it is on millions of computers and powers world servers. It's in its Golden Age!

Jane: And... did he say that our licenses are no longer safe?

Paul: No, no, he didn't, of course he didn't. But the OSI counsel did, a bit after that. You see, in the Golden Age of Open Source, we now have corporations and their lawyers getting involved more and more, and they have legal requirements to set for the legal ground of Open Source licenses. They didn't think Open Source licenses are good enough if they come from developers writing the code. So they needed agreements to make sure first that they have permission to distribute and incorporate the code. Agreements like our CLAs. But don't you say licenses are not safe, BSD is safe, is fine, it's a good license. It's just that it's safe only from us.

Jane: From you... I'm the copyright holder of this code, Paul. That's why I licensed it. I am giving these permissions, who else? First and foremost, I have to give them. BSD is MY license.

Paul: You'd think so? But the OSI board didn't think so. You see... maybe you were right: in open licensing as we knew it, it was your license. But look beyond these thirty-something years of software freedom, open licensing and Creative Commons licensing. You're a writer, Jane. When, historically, in hundreds of years of copyright, did authors license their own work directly to readers?

Jane: Umm, usually, they didn't. They licensed or sold to publishers, and publishers license to readers.

Paul: See? Open Source licensing changed that for a while, but things are now coming back at their place. That's how it's supposed to be: you license to us, and then we license to end users. Now you can understand our distinction between inbound licenses and outbound licenses: from the perspective of the publisher. And from now on, it is only from us that end users will receive a good license.

Jane: I thought my license was good... it does give permissions to you too. I mean, read it, it's BSD damn it, it's even in English!

Paul: Nope, it doesn't. We can't know if it does, it wasn't reviewed by OSI. Our Foundation is dedicated to Open Source, and uses only OSI-approved licenses.

Jane: ...My license is BSD.

Paul: No, only our license to third parties is BSD, as far as OSI is concerned. So we need first from you a license, and please don't say again that your license is Open Source, because as OSI counsel clearly said, it's not.

Jane: Right. Okay. I have another question. I'm looking at this CLA, it says it's "for our legal protection and yours as a contributor", and, I'm not sure I understand all it says, what is in there for my legal protection? It says I am giving you a license, I have to guarantee that it's my own copyright, I have to notify you, but what is for my protection?..

Paul: Err, for you? Well, the Foundation promises that it will not use your code "in a way that is inconsistent with its nonprofit status and bylaws".

Jane: Doesn't the foundation have, by law, to do that anyway?

Paul: Yes, it has to.

Jane: So the foundation asks all these things, and gives nothing in return it wouldn't do anyway?

Paul: That is a way to look at it. However, you can look at the bright side: today, in the Golden Age of Open Source, we are the ones who can make your software into Open Source software.

Jane: My software is Open Source!... At least, it was... Wait, if I continue to distribute my modified version from my site, it is Open Source, right? The BSD license I give was still good if I didn't press that button to request a pull to your repository...

Paul: Ah, I guess so. I'm not sure actually, I think you should ask a lawyer about that.

Jane: I don't have a lawyer. I just thought that I licensed it as BSD, so it's of course OSI approved. And what if someone else adds their own modifications to my version, is it still Open Source?

Paul: Then the other's license will be an inbound license, so nope. It's not Open Source. But you also have another option, if you want to be certain: you can affiliate yourself with a corporation or foundation that gathers copyrights by assignment agreements, sign over your code, and then they will make it Open Source.

Jane: I don't want to sign over my copyright! I license my work as BSD, why on earth would I do that for?

Paul: Sure, sure, you don't have to, if you don't want. We're not asking for assignments, for example, we only ask for a license agreement, the CLA, and then we can make your code Open Source too. We are maximally developer-friendly, we allow you to retain all rights in your Contributions, and we are only asking you a license.

Jane: Right. A license for you and not others. Well, BSD was giving you too permissions...

Paul: We don't know that.

Jane: And to others.

Paul: That, yes, and it still does.

Jane: If it's from you.

Paul. Yes, if it's from us. Do you see now? It's awesome to live in the Golden Age, it's not like our licenses are not good, they're good. They're better even, because they now have a proper legal ground: our ability to license as BSD is based on our CLAs with all contributors. CLAs are spreading out, and someday we won't see too many rebels, clueless on legal matters, who license their own code with what they think it's an Open Source license, adding code mindlessly in a commons with others. You see, they're imprudent, because the licenses those developers give to the commons are NOT OSI-approved licenses, when you look at them as inbound licenses. It's all a matter of perspective.

Jane: ... are there many rebels?

Paul: Yes, for now. As soon as they realize they don't have an Open Source license, though, they will probably add a CLA to their project. Then it will be Open Source.

Jane: Now it isn't.

Paul: It's unclear whether the project got the rights in the first place, so I don't know. Our lawyers have advised us to avoid code from such projects. In fact, I have a meeting in three hours, with some of our lawyers and will have to ask them about a parser that a Contributor committed in trunk, which is a copy from a project that doesn't use CLAs.

Jane: What license does it have?

Paul: BSD 3-clause.

Jane: And can't you copy, incorporate, BSD 3-clause licensed code in BSD 3-clause licensed code? Man, this... Yeah, I know, you already explained it's not Open Source if it comes directly from original copyright holders. Are there many who contributed to it?

Paul: Yes, that's part of the problem. Who knows if they ever granted any rights to the code. We can't afford to upset our sponsors, to whom we guarantee that the code is legally safe. Lawyers on both our technical board and legal board...

Jane: What, do you have lawyers on your technical board? What are they doing there, they have technical background and contributions?

Paul: Well, no, but they participate to major decisions. Don't get too many ideas about that though, they are quite diplomatic. There were serious issues when they first got involved, and the project took some time to recover, but now we got used to it and it's not too bad.

Jane: I thought open source projects are meritocracies, technical decisions must be made by technical merit, steering the project...

Paul: Yes, yes, they are. Albatross is too! They're just a few lawyers, representing three companies who manage projects we use, plus our lawyers. They're perfectly capable of steering the project, because they have CLAs.

Jane: How is that, CLAs give them ability to steer a project?

Paul: Ah, yes. This is a matter of legalities, and I'm not a lawyer, so I can't explain exactly why adding up copyrights gives them abilities. But I read that in a study published in the journal of intellectual property, JIPITEC, I think. Here, it says "multiple copyright-owners can make the steering of a project difficult, if not impossible [...]. This predicament can be remedied by centring the dispersed copyrights in a single authority via contributor agreements". So, you see, CLAs enable them to steer the project alongside us others. It's published in a legal journal, so it's probably true.

Jane: So, where these companies or their lawyers aren't able to steer the project by merit, CLAs fill the gaps and make them able to?

Paul: If you want to put it this way.

Jane: And what do you call that?

Paul: I told you. The Golden Age of Open Source. We're very proud of it.

Analysis

Reading list

Articles dealing with some of these issues, from the software freedom perspective

• Governance for the GitHub generation
• The Trouble with Harmony: Part 1
• The Trouble with Harmony: Part 2
• Project Harmony (and “Next Generation Contributor Agreements”) Considered Harmful
• Red Hat, Joyent, and others break down licensing barriers

Articles or pages dealing with some of these issues, from the perspective of copyright accumulation

• Harmony Agreements
• The Next Generation of Contributor Agreements

(credits: overall style of our imaginary conversation was inspired by Alex Kozinsky, no relation with the content)