[openssl-dev] We're working on license changes

Brian Smith brian at briansmith.org
Tue Aug 4 17:14:14 UTC 2015


On Tue, Aug 4, 2015 at 10:53 AM, Salz, Rich <rsalz at akamai.com> wrote:

> > How about getting a second opinion?
>
> You want to hire us legal counsel who understands the issues?  Great.


Who is "us"?

It is natural for a lawyer to tell you to require lots of things to protect
whatever entity is paying them. That's defense-in-depth type advice from
them. However, lawyers do cost-benefit analysis based on the goals you give
them. If you tell them that avoiding CLAs is important then they'll help
you avoid CLAs, generally.

For an example of this, see Mozilla, in particular see [1], particularly
sections 2, 3, and 4. See also [2] where Mozilla recently gave up the
requirement to have the agreement signed. Please let me know if you want me
to put you in touch with the licensing people at Mozilla who can probably
help you do the same. I went through a similar process with them for the
mozilla::pkix license during the time I worked there, and after I worked
there.

Note that the proposed CLA is granting special privileges to a particular
**for-profit** US corporation. It isn't technically copyright assignment,
but is practically the same thing. If you read the agreement carefully, it
is asking every contributor to give a license to that for-profit
corporation to re-license contributions however it wants. It is unnecessary
to do things this way.

You could, instead, create a license agreement that asks prior contributors
to re-license their previous contributions under the new license (Apache
2.0 or hopefully something better). Only prior contributors would have to
sign it--not new contributors. Then you could just do what Mozilla does, so
that everybody has the same rights.

And, if for some reason it were necessary for new contributors to sign a
CLA, then that CLA doesn't need to grant any particular entity any rights
beyond what the new OpenSSL license already grants--i.e. it only needs to
assert that the contributor has the right to license the work under the
license that OpenSSL is using. (Again, see the Mozilla links.)

Then, everybody would be being treated fairly, because everybody would have
the exact same rights, instead of one corporation having more rights than
the rest of the contributors.

To be clear, I don't have any problem with the OpenSSL Foundation being a
for-profit corporation. But, it does make for a very different situation
than how the Apache Software Foundation[3] or even Mozilla operates, and I
think that distinction is very important when it comes to licensing.

Cheers,
Brian

[1] https://www.mozilla.org/en-US/about/governance/policies/commit/requirements/
[2] http://blog.gerv.net/2015/02/signed-committers-agreements-no-longer-required/
[3] http://apache.org/foundation/faq.html#is-ASF-a-corporation