[openssl-dev] We're working on license changes

Jonathan Larmour jifl at eCosCentric.com
Thu Aug 6 01:36:04 UTC 2015


On 04/08/15 15:54, Blumenthal, Uri - 0553 - MITLL wrote:
>> On 04/08/15 00:37, Quanah Gibson-Mount wrote:
>>> I also don't get why a CLA is required, overall.
>> 
>> It's not something I'm thrilled about either. However we have been
>> receiving legal advice. That advice tells us that we should be putting
>> in place a CLA.
> 
> Also, did the advice you got explicitly state "'the' CLA as opposed to other possible licenses such as MIT, BSD, LGPL, etc."? Were any reasons provided that you may be able to share?

A CLA and the license that code has been put under are actually pretty orthogonal.

> (I've dealt with lawyers in the past, and this seems weird.)

The FSF requires copyright assignments for their projects, and a CLA could be
considered just a milder equivalent of that, with the obvious exception that the
legal title to the IP in the changes/additions doesn't change in a CLA.

There _is_ a rationale, and a legally well-founded one: a lot of programmers
have made contributions to projects, and did so during their work time or
using employer's resources. Many (most?) software development companies, at
least in the US and UK in my experience, have clauses in employment contracts
which say that anything developed in company time and/or using company
resources belongs to the company.

In other words the company holds the copyright, and it should be up to an
officer of the company (not necessarily an employee) to decide what gets
released and under what terms. An employee is simply not entitled to release
code they don't own. You could say the employee should be getting into trouble
for that, but more importantly for OpenSSL, it means the company is entitled
to require OpenSSL to remove it as it wasn't the employee's to give.

I suspect OpenSSL doesn't want to have a massive body of code where some
company, at some point, could come out of the woodwork and say you don't own
large chunks of it, and are no longer allowed to use it; or could even say
that users would have to pay a license fee! It would be bad enough for the
OpenSSL project itself, but even worse for already shipped products using an
OpenSSL library incorporating that code, especially embedded devices. There
might even be issues with patents, as well as copyright.

A CLA is a way of getting the employee to consider and affirm that they do in
fact own the copyright to a contribution. Alternatively, the employer can do
the CLA.

Another important justification to have a CLA is so that in future, if the
license needs to change again for whatever reason, e.g. a new version or
because a legal flaw was found in the current license, then it doesn't require
another round of finding every contributor to the OpenSSL project and
obtaining their permission to change the license. I've already stated
elsewhere that to be honest I'm doubtful it will be possible to do it once,
but having to do it twice or more with a gap of further years is even less likely.

You can't change the license of intellectual property you don't own.

I've just stumbled on http://oss-watch.ac.uk/resources/cla which also covers
these points but with rather more detail.

Jifl
-- 
------["Si fractum non sit, noli id reficere"]------       Opinions==mine

