www-legal-discuss mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Rob Vesse <rve...@dotnetrdf.org>
Subject Re: When is a CCLA/ICLA required for a contributor?
Date Thu, 23 Mar 2017 10:10:06 GMT
If you want a simple answer then it is No a contributor agreement is not required. This is
thanks to clause 5 of the Apache license:


Which states the following:

“Unless You explicitly state otherwise, any Contribution intentionally submitted for inclusion
in the Work by You to the Licensor shall be under the terms and conditions of this License,
without any additional terms or conditions. Notwithstanding the above, nothing herein shall
supersede or modify the terms of any separate license agreement you may have executed with
Licensor regarding such Contributions.”

Generally, any submission via a bug report, email or pull request is considered to be an intentional

 The more nuanced answer is as you have pointed out by the various threads on this topic that
projects often prefer to have agreements on file even when they are not strictly necessary.
 This is about covering ourselves as projects and as a foundation from a legal perspective,
having an agreement submitted gives us formal paperwork indicating that the contributor has
declared that they are legally allowed to submit their contributions. If we have an agreement
on file then if someone were to challenge the legality of the contribution we can point to
the agreement to say that we had a good-faith belief that the contribution was legal. If we
don’t have an agreement on file our argument becomes one of hearsay - “we assumed the
contribution was okay because of the license”. In the unlikely event that it came down to
lawyers the first argument is much easier to make legally.

 On rare occasions projects have had to remove contributions that were later challenged. For
a large contribution this could cause a project significant work hence the desire to have
agreements on file for large contributions. The few cases of this I am aware of have mostly
involved small contributions around test data where someone has submitted a data file that
triggers the bug they are reporting.  The project then incorporates it as a test case and
the original author of the data file, who may not have been the person who submitted the bug
report, later discovers that their data was included without their consent and asked for it
to be removed.

There is often also an element of exposure involved. Larger projects which are high-profile
and have large contributor bases are more likely to want to have agreements on file because
it can become hard to keep track of where all the contributions originated from.   Additionally
these projects often have a lot of involvement from vendors who redistribute the software
and want to ensure everything is above board and legal from an IP perspective.

Finally, there is also the question of what we consider a contribution. A bug report, feature
request, email questions and answers are all kinds of contribution but nobody is suggesting
that we need contributor agreements for those.

Hope this helps,


On 22/03/2017 21:06, "Rezaei, Mohammad A." <Mohammad.Rezaei@gs.com> wrote:

    Apologies if the answer to the question is obvious. After reading the
    documentation on apache.org and searching through this mailing list, I
    could not reach a definitive conclusion. I also apologize for the 
    length of this inquiry. I had a hard time making it shorter.
    Definitions: I'm only interested in a contributor, not a committer. 
    In my understanding, a committer is someone who has commit rights to an
    Apache hosted/owned repo. Everyone else who would like to affect a 
    change in an Apache hosted/owned repo is a contributor.
    I realize there are two questions here: 
    For a contributor, when is an ICLA required? 
    If an ICLA is required, when is a CCLA required?
    For the sake of brevity, I'm going to assume that if a contributor is 
    required to sign an ICLA, a CCLA would be required if they are employed 
    under plain US law and the work is in any way relatable to their 
    employer's business. I'd like to concentrate on the first question 
    (ICLA) from this point on.
    I'm basing my analysis on the following:
    (A) on this page: http://www.apache.org/licenses/
    the statement "The ASF desires that all contributors of ideas, code, 
    or documentation to any Apache projects complete, sign, and submit 
    (via fax or email) an Individual Contributor License Agreement (ICLA)"
    (B) In the thread "code without an iCLA ..."
    The consensus appears to be "ICLAs are required for everything 
    that is non-trivial." (as explained by Sam Ruby). 
    (C) On this page: http://www.apache.org/dev/contributors.html
    there is no mention of any ICLA requirement. 
    (D) In the thread "Re: Requiring CLAs for all contributions"
    Mark Thomas (mar...@apache.org) said:
    "I see lots of downsides to that policy and no upsides. 
    The issues that concern me: 
    - Unnecessary barriers to entry for new contributors 
    - Legally unnecessary 
    - Creates additional work for the secretary (not much now but if every
        TLP and podling did this it might) 
    - Re-enforces the meme an iCLA is required to contribute at Apache 
    I'm also don't believe that an iCLA is even desired for all 
    contributions. The ALv2 provides all the legal cover we need and desire."
    (E) In the thread "Re: FAQ: CCLA Optional?"
    Henri Yandell (bay...@apache.org) said:
    "Committers sign ICLAs, contributors don't (typically - maybe a project
    has a reason for requiring contributors to sign ICLAs but I don't recall
    it being done)."
    (F) on this page: http://apache.org/foundation/how-it-works/legal.html
    5 possible paths for incoming code is outlined.
            1) "An existing third party project joining Apache"
                  is about projects joining ASF, so not relevant
            2) "A large one off code contribution ... One off code donations
                  can come in through a software grant". 
                  appears to open the door for not requiring an ICLA, 
                  but a software grant.
            3) "Repeated contributions applied directly to the source": for 
                  committers, so not relevant.
            4) "Patches contributed via the issue trackers"
                  seems to have no ICLA requirement. No size limit 
                  is discussed.
            5) "Patches contributed via mailing lists are expected 
                  to be simple." 
                  No ICLA requirement, but an unspecified size limit.
    (G) It also appears that different Apache projects interpret this 
          requires an ICLA -- always.
          "We require you to have an ICLA on file with the Apache Secretary 
          for larger contributions only."
    The 3 possible answers for the question of ICLA requirement are analyzed
    1) It's always required.
       (A) is strong evidence that ICLA is always required. There is no 
       procedure outlined for a contributor to opt-out of ASF's "desire", 
       rendering it a requirement.
       in (B), the distinction between trivial and non-trivial requires
       advanced degrees in law, philosophy, and information theory; therefore,
       any mere mortal should just sign the ICLA.
    2) It depends...
       In (A) the word "desire" is not the same as "require". "Desire" signals
       a possibility to opt-out on the part of the contributor.
       (B), the determining factor being "non-trivial". Parts of (F-5) support this.
       (G) It may also depend on the particular project.
    3) It's not required.
       (C), assuming such an important matter would not simply be left off.
       (F-4), so long as all the work is contributed via JIRA
    Can a clear, simple answer be given to this question? I don't consider
    "It depends" to be clear or simple, unless the rules could be enforced 
    by a small piece of computer code with no room for interpretation.
    Moh Rezaei
    To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org
    For additional commands, e-mail: legal-discuss-help@apache.org

To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org
For additional commands, e-mail: legal-discuss-help@apache.org

View raw message