“Why Do I need To Sign This?”

There has been much discussion in the various Dojo fora of late regarding the need (and hassle) of requiring that all contributors send in signed Contributor License Agreements. These agreements state that:

  • Those contributing to Dojo Foundation projects actually own what they contribute and therefore have the right to license it to someone else
  • All of the rights needed to preserve the freedom of the code over the long haul have been contributed

Aside from some legal jargon, that’s all that’s in the agreement. So why have it? Why create the barrier to entry for newcomers who just want to pitch in? I have great sympathy for the impatient potential contributor huffing “why do I need to sign this, anyway?”, so this blog post is an effort to boil it down. The reasons start with meritocracy.

Open Source projects often pride themselves on creating a more level playing field; when it works right those whose contributions are good are recognized while those whose contributions are bad are left with bit-rotting patches and hopefully some friendly direction on how to improve. In this way, it’s the essential function of OSS projects to separate good contributions from bad. Oddly, the CLA process is a simple quality filtering function for weeding out the unserious, or simply another way to weed out potentially good contributions from bad.

CLAs are an annoyance to be sure, but consider what they attest to. I’ve heard the argument from time to time that “CLA’s violate the spirit of Open Source” by limiting who can contribute, but that is indeed the point! Mature projects like Dojo don’t accept patches without documentation, unit tests, and good code style…why should clean IP be any different? Indeed, CLAs allow us to be open yet rigorous at the same time. The CLAs process stands in stark contrast to many “open source”-in-name-only products which are produced by single companies or individuals but which don’t provide any way to materially contribute back or become part of the project directly. The CLA process is both a sign that the project is open enough to allow you to “get your itches scratched” if you really want to contribute but also mature enough to manage the risks that come along with allowing everyone to potentially participate.

More to the point, do you really want to be taking code from a group of people who won’t put in writing what everyone assumes about their contributions? And how seriously should you take an organization that hasn’t thought hard enough about their own product to ensure that they actually have all the rights to the work they distribute? Remember, there’s no requirement that anything be Open Source or that OSS products be developed as open projects, but the CLA process is in many ways a seal of quality: projects which require it are built to last (at least on an IP basis) and are also open enough to ensure that their community can grow.

One of the best aspects of the CLA process is that it gets people who are contributing to think about what it means to contribute. The CLA process means that they’ve printed out, signed, and hopefully read and understood that they are doing something serious and that they are joining a community of people who likewise take their work seriously. I really only want to work with people who are committed enough to making Dojo better that they’ll take the time to think about how their work is licensed. Far from being just a task you need to do before you can contribute, the CLA process ensures that the people building Dojo are intellectually tall enough to ride.

Tall enough? Join us!

5 Comments

  1. Alan Shutko
    Posted June 11, 2008 at 11:14 am | Permalink

    The Free Software Foundation has been doing this for many years. I have copyright assignments on file at the FSF for work on Emacs.

    The reason they do this is best illustrated by the SCO lawsuit, and there’s a great writup on the details at http://www.fsf.org/licensing/sco/subpoena.html

  2. Anonymous
    Posted June 11, 2008 at 11:15 am | Permalink

    Congratulations, you have convinced me to dismiss Dojo alltogether.

    Reason? Most, if not all, people “intellectually tall enough to ride” are propably too busy with other things to jump through the hoops of downloading the CLA.pdf, printing it out, sign it and mail it. However the trolls (for want of a better word in this context) have plenty of time to waste to do exactly that.

    (see Penny Arcades general Internet fuckwad theory)

    And by the way, IP stands for Internet Protocol not imaginary property. There are just trademarks, copyrights and patents. And the latter two are only for limited time.

  3. Posted June 11, 2008 at 1:48 pm | Permalink

    Alan:

    Most large, reputable OSS projects do this. In particular, we stole…er…borrowed our CLA process and text from Apache (with their generous permission, of course). The FSF has done something slightly different, though: they’ve asked people to assign copyrights directly to them and used licenses which ensure that patent rights aren’t an issue. It’s an alternate way of doing things, but the substantive difference is that Apache, Dojo, etc. don’t require that you assign copyright, only that you license the rights to the Foundation.

    Anonymous:

    You make it somewhat more difficult to take your critique seriously as you are posting anonymously, but that said, we don’t accept patches from “trolls”…folks who take the time to improve the world by contributing to OSS by definition don’t qualify, Indeed, the general structure of the process of patch contribution, review, and application of community norms helps to ensure that people aren’t just doing something to get a rise out of us. If we were not applying fair, even-handed rules to all contributions, we’d be eminently more troll-able as things would be much more discretionary. As for “limited time”, please consult the Berne convention (and addendum’s) and US copyright law to understand how lengthy and broad the rights embodied really are. Arguments about “limited time” have nearly zero effect in our lifetimes and certainly no effect in the competitive lifecycle of productive software. Even if I agreed with your radical view of copyright and how IP laws should be reformed in general, that would in no way impact the way that we currently manage and organize the project for the benefit of users. Tarring Dojo with that brush simply doesn’t work.

    Regards

  4. anony mouse
    Posted June 11, 2008 at 4:16 pm | Permalink

    What about wiki edits, or mailing list contributions? Do you have people sign agreements to use your software? I guess that makes dojo ‘ip’ unclean?

    Did you have international lawyers draft your agreements? Different agreements for each set of countries? Are they being updated as the laws change?

    Do you have lawyers ready to enforce the agreement in different countries? Do you have the money to run a case against large corporations – or even small businesses?

    If not, you’ve wasted your time, and money.

    I think that contributor agreements are just benefiting lawyers trying to make some more money out of the open source/free software ‘markets’.

    Many successful FOSS projects have run for a long time (many over a decade) without needing contributor agreements. However, of course some major projects also use contributor agreements.

    But sure, if it makes you feel safer get those agreements signed! Other projects will just keep the barrier to entry low, and get more contributors.

    - anony mouse

  5. Posted June 11, 2008 at 5:16 pm | Permalink

    hey anony:

    I should note that I’ll take your comments with the usual AC discount, but let me clarify some points that you’re making assumptions about.

    First, for edits to the canonical documentation, we absolutely do require CLA’s. Users can’t edit the dojo book without being assigned to the right Drupal group, and access to that group requires having sent in a CLA. Forums and mailing lists are discussion locations, but any patches that come from those discussions must ALSO be covered by CLAs. The point here isn’t to shut down discussion or be absolutist, it’s to reduce end-user risk. Our process (and the process of Apache and Eclipse, etc) does exactly that. Risk isn’t something you eliminate, it’s something you mitigate.

    As for “signing agreements to use our software”, why would we do such a thing? Our goal is to effectively and permanently give away our work without caveats or serious restrictions. What users do with Dojo has no effect on the provenance of Dojo’s IP, and should those users wish to contribute back, they’d be asked to sign CLAs like anyone else.

    International law is hard. We do have retained lawyers and rely on the goodwill of the community to help us enforce the rights embodied in the software, in part because it’s those people who are most likely to get sued (or to start legal action in the first place). Remember: we’re about mitigating risk, not eliminating it.

    Regarding projects which operate without CLA processes, if they’ve got a GPL-ish license, there’s no need. Their licenses impose restrictions on users and modifiers which address the same issues as the Apache/Dojo/Eclipse/Zend CLA process. Projects which are BSD or Apache style but which don’t have a CLA process…well, they’re just gambling. I’ve written before on this topic, but the short story is that the gamble looks good because the projects themselves rarely bare the costs of their decisions. Classic negative externality territory.

    You’re right that lower barriers are indeed somewhat attractive and we do worry about them dissuading contributions. It’s a real tension and one we struggle with, but so far the CLA process hasn’t kept Dojo from becoming excellent (nor Apache nor Eclipse nor Zend). The evidence regarding success doesn’t seem to correlate with your assertion that CLAs will hurt a project. I’m not then suggesting that CLAs ensure the success of a project, but I am saying that ceteris paribus, CLAs signal an increase in quality that potential users should look for. And the market for JavaScript libraries is quickly reaching an equilibrium and feature/size/speed parity where such differentiators really matter.

    Today, Dojo and GWT are the only toolkits that have really open communities and BSD-ish licensing. All the rest either have GPL-ish terms or are gambling with their user’s trust in some way.

    Regards

One Trackback

  1. [...] Anyone who runs a significant open source project should read this, especially if you don’t currently require your contributors to send in any kind of agreement: So why have it? Why create the barrier to entry for newcomers who just want to pitch in? I have great sympathy for the impatient potential contributor huffing “why do I need to sign this, anyway?”, so this blog post is an effort to boil it down. [From “Why Do I need To Sign This?”] [...]