www-legal-discuss mailing list archives

From "Jim Barnett" <j...@bea.com>
Subject RE: Corporate Contributions
Date Tue, 22 Mar 2005 18:51:50 GMT
Good points.  I agree that Apache could be made safer from submarine IP
by making the validation process for ICLA-only signators stricter.  The
question becomes "How strict is too strict?"  

Many truly freelance, self-employed developers contribute to OSS
projects.  My fear is that the more cumbersome an OSS organization makes
the qualification process for individuals, the greater the deterrent for
those freelancers to choose to participate in projects sponsored by that

Taken to extremes, you could end up with projects mostly populated by
employee-contributors from a handful of commercial software companies.
Commercial firms tend to have their own strategic agendas for
participating in OSS projects.  Those agendas may or may not be in the
best interest of the particular projects they participate in or of the
OSS community at large.  Individual contributors play an important part
in protecting the independence of OSS projects from corporate interests.

Out of curiosity, what sort of formal or informal validation does ASF
currently do, if any, to determine whether an ICLA-only signator is
self-employed?  E-mail addresses are suggestive, but obviously not
foolproof.  Also I'm curious about other OSS organizations and their
methods of reviewing individual contributors prior to accepting

Bear in mind that the fact a contributor is confirmed via some vetting
process to be self-employed does not necessarily eliminate the risk of
submarine IP introduction.  Most freelancers are required to sign fairly
lop-sided consulting services and invention assignment agreements with
corporate principals for whom they develop code.  Such agreements are
another source of adverse ownership claims similar to the claims of an
undisclosed employer.


-----Original Message-----
From: Joel West [mailto:svosrp@gmail.com] 
Sent: Monday, March 21, 2005 10:56 PM
To: Jim Barnett; Greg Stein; Lawrence Rosen
Cc: legal-discuss@apache.org
Subject: RE: Corporate Contributions

On 10:55 AM -0800 3/21/05, Jim Barnett doth scribe:
>The CCLA-ICLA structure is certainly not foolproof.  Individuals
>(intentionally or, more likely, unintentionally) may not disclose their
>employment status at the time of contribution.  In some cases
>employee-contributors may sign ICLAs when their employers have not
>executed corresponding CCLAs.  In that case, the only assurance ASF
>its downstream licensees) have is the representation made in the ICLA
>the contributor that he or she has the right to make the contribution.

It seems to me that the CCLA is fine. In fact, it is a model for other
OSS communities, including one I'm working on now. Instead, it's the
option of the ICLA that creates the huge loophole and potential for

Intentionally omitting one's employer is a problem. I don't know if the
ASF has ever identified (or enforced) sanctions for misrepresentation of
intellectual property or the right to make such a contribution.

Even if we identify the employer, it gets sticky.

If one is an employee of a company, and that company declines to sign a
CCLA (either because the counsel hates it or is too busy to be
bothered), then I find it hard to imagine a case where the
employer/counsel would authorize the signing of the ICLA for IP
generated by the employee.

Suppose the employee is generating the IP on his own time, and it seems
clear cut -- say the employer makes disk drives and the project is a
Java interpreter. Still, (from my own experience as both an engineer and
manager) interpretation of "own time" is a question of fact and law that
would depend on things like an employment agreement and the relevant
restrictions of state law.

ASF has only limited resources and (like a firm) cannot possibly
eliminate every legal risk. At the same time, the SCO suit is only the
first example of other legal disputes that will arise over open source.

One possibility to reduce the risk would be to create a questionnaire
for ICLA signees. It would ask about occupation, employment, consulting
arrangements, and maybe a few yes/no questions. The idea would be that
if there are any factors that suggest a risk, perhaps it would be
worthwhile to do a follow up to get further information.

Another option is to take advantage of the skewed nature of
contributions. For an ICLA contributor who passes a certain threshold
(5? 10? 20?), do a due diligence to make sure everything is copasetic.
That would cut down the amount of spadework to the cases with the most

ASF seems less vulnerable to a submarine IP or other hostile attack because
of the nature of its market segment and competitors (as opposed to Linux
that competes with lots of things). But given how many projects are
being added and how broad a net they encompass, it seems like the risk
would go up every month.

Finally, ASF has been a pioneer for IP, for organizational structure,
for incubating new projects. ASF's best practice will become the OSS
community's best practice, so the benefits of addressing this would go
beyond the Apache projects.


DISCLAIMER: Discussions on this list are informational and educational
only, are not privileged and do not constitute legal advice.