www-legal-discuss mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Henri Yandell <he...@yandell.org>
Subject Re: Podling CLA/Grant advice
Date Tue, 03 Oct 2017 18:57:52 GMT
Because you're saying that an ICLA does not cover past commits?

On Tue, Oct 3, 2017 at 11:45 AM, Chris Mattmann <mattmann@apache.org> wrote:

> Gotcha.
>
>
>
> OK this email came out of order for me.
>
> So if an SGA was obtained, it would likely be important for the people who
> incepted the IP to
> file the SGA, aka the original academic authors of the project. I don’t
> know how many, or if
> they are even willing to sign it, but worth asking.
>
>
>
> If there is no SGA on file, of course it’s not a requirement, but follow
> my advice in the previous
> reply I just sent. Keep the headers intact, identify what NOTICE updates
> if any are required, and
> ICLAs on file cover contributions of the Apache variety going forward.
>
>
>
> Thanks
>
> Chris
>
>
>
>
>
>
>
>
>
> *From: *<hyandell@gmail.com> on behalf of Henri Yandell <henri@yandell.org
> >
> *Reply-To: *"legal-discuss@apache.org" <legal-discuss@apache.org>
> *Date: *Tuesday, October 3, 2017 at 11:37 AM
>
> *To: *ASF Legal Discuss <legal-discuss@apache.org>
> *Subject: *Re: Podling CLA/Grant advice
>
>
>
>
> Amazon are not the creators of MXNet, Alex. They are a contributor to the
> project. The project predates Amazon's involvement by 1-2 years and was
> written by academics at various universities iiuc. Amazon got involved when
> it came to Apache (or a month or two before).
>
> Getting an SGA signed would be easy, but an SGA from Amazon is pointless,
> it doesn't cover the contributions in question.
>
> Hen
>
>
>
>
>
> On Tue, Oct 3, 2017 at 11:33 AM, Alex Harui <aharui@adobe.com.invalid>
> wrote:
>
> Are you saying that Amazon employees own copyright individually and don't
> have an employee agreement that assigns copyright to Amazon?  At Adobe,
> anything I write is owned by Adobe.  I signed something to that effect
> which is why an Adobe VP signed the Flex SGA.
>
>
>
> If Amazon employees assign copyright to Amazon, then an Amazon VP probably
> needs to sign an SGA and you don't have to chase down any other Amazon
> employees.  And then, if only Amazon employees were making changes before
> before Jan 2017, hopefully the remaining crew is much more manageable.
>
>
>
> I'd be amazed if Amazon employees didn't assign copyright.
>
>
>
> Unless you are enjoying figuring out which committers did "trivial" work,
> it seems simpler for the ASF to not care about making it perfect and err on
> the side of not changing the header until someone has the time to figure
> out that a file can have its header changed.  Meanwhile, the project should
> just keep on going.  What harm could come to the foundation if there is a
> file who could have its header changed to the ASF header but didn't?
>
>
>
> Thanks,
>
> -Alex
>
>
>
> *From: *Chris Mattmann <mattmann@apache.org>
> *Reply-To: *"legal-discuss@apache.org" <legal-discuss@apache.org>
> *Date: *Tuesday, October 3, 2017 at 11:19 AM
> *To: *"legal-discuss@apache.org" <legal-discuss@apache.org>
>
>
> *Subject: *Re: Podling CLA/Grant advice
>
>
>
> Haha, cool, Hen.
>
>
>
> If Amazon would be amenable having the original author who created the
> repo (is that an Amazon
> employee) submit an SGA would be useful in my mind. Let us know if that
> can be arranged.
>
>
>
> Yes repo & contribution analysis should be ongoing, but not a blocker on
> proceeding obviously since
> MXNet has already made a release (though I know there were some concerns
> with the release perhaps
> procedurally from what I’ve read on the threads).
>
>
>
> Feel free to use my numbers ☺
>
>
>
> Cheers,
>
> Chris
>
>
>
>
>
>
>
>
>
> *From: *<hyandell@gmail.com> on behalf of Henri Yandell <henri@yandell.org
> >
> *Reply-To: *"legal-discuss@apache.org" <legal-discuss@apache.org>
> *Date: *Tuesday, October 3, 2017 at 11:14 AM
> *To: *ASF Legal Discuss <legal-discuss@apache.org>
> *Subject: *Re: Podling CLA/Grant advice
>
>
>
> No, there's no SGA and no one to sign an SFA. Who would the SGA be with?
> Perhaps the original author who created the repository 2 years ago? He's
> already signed an ICLA.
>
> Note that getting all Amazon employees to sign ICLAs (for those who
> havne't) is an easy task and would have limited impact on the numbers here.
> Amazon contributions from non-ICLA signers would have started ~Jan 2017,
> and it's arguable that contributions then were well aware they were a part
> of Apache as the project was reporting itself as having moved to Apache in
> Jan 2017 (though the GitHub change didn't happen until July). Basically
> there's unlikely to be much here unless Amazon happened to hire a
> historical contributor.
>
> Opt-out would be one approach. Still lots of analysis to work out
> contribution triviality so I'd be tempted to simply contact everyone who
> has contributed pre-July, or pre-January.
>
> Having specific numbers of what is trivial, what is major would be useful
> (as always). Your numbers are higher than I would come up with, so I prefer
> yours obviously :)
>
>
>
> Hen
>
>
>
> On Tue, Oct 3, 2017 at 11:05 AM, Chris Mattmann <mattmann@apache.org>
> wrote:
>
> Hi Hen,
>
>
>
> While I understand the below, there is no need to make it more complicated
> then it has to be.
>
>
>
> For MXNet, I assume there was an SGA filed, no? There only needs to be 1:1
> on the project level,
> and contributors don’t need to separately submit an SGA. I would assume
> you wouldn’t have to
> email 380 people and that the initial SGA and whomever were specified on
> it in the attachment,
> is sufficient to begin.
>
>
>
> Then we look that we have ICLAs on file for all **major** and non 5-10
> lines of code, or 30+ lines
> of code, or some number N lines of code **contributors**, for commits and
> contributions going
> forward. For those before hand, if there were 380 contributors, I’m
> assuming not all of them
> were Amazon employees. However, perhaps within the 380, many were the 5-10
> lines of code
> variety, a fix here or there variety, etc etc. I know you can adopt an **opt
> out** rather than **opt in**
> there. That is, leave the code in there. We assume good faith and that the
> person will want it there.
> If they **don’t** want it there, and they make that known, we take it out
> (we only want code that
> wants to be here).
>
>
>
> Taking the above into account, I do not think it has to be harder than
> that. And the PMC is responsible
> for IP management in relation to the code, so this is something the PPMC
> needs to decide. Consider the
> above (and below else-thread) advice helping you all to come to your
> decisions ☺
>
>
>
> Cheers,
>
> Chris
>
>
>
>
>
>
>
>
>
> *From: *<hyandell@gmail.com> on behalf of Henri Yandell <henri@yandell.org
> >
> *Reply-To: *"legal-discuss@apache.org" <legal-discuss@apache.org>
> *Date: *Tuesday, October 3, 2017 at 1:37 AM
> *To: *ASF Legal Discuss <legal-discuss@apache.org>
> *Subject: *Re: Podling CLA/Grant advice
>
>
>
>
>
> Here be dragons :)
>
>
>
> In #1, there are two sets:
>
> 1a) The entity are the copyright holder for 100% of the work (ignoring
> clearly decoupled dependencies).
>
> 1b) The entity are a partial copyright holder of the work (ignoring deps),
> have received a license to the rest of the work, and have the rights to
> assign that license to Apache. The latter is probably rare, yet this option
> (1b) is most likely for any codebase that has been public. That is, we rely
> on the entity contributing the project to Apache to have clean IP, we don't
> rely on them to be able to hand over their clean IP to us.
>
> I believe in #2 (below, not 1(b) above) that the git/github model has
> changed how we look at this. Historically we would have looked at the
> commits, but I don't believe we would have analysed the issue tracker. With
> pull requests on GitHub, folk who would have attached a patch to the issue
> tracker are now a part of the commit history and we see the authors
> increase by an order of magnitude.
>
>
>
> Note that MXNet did have a form of IP management. As a user of the Apache
> 2.0 license every contribution to the project (per clause 5) was licensed
> under the Apache 2.0 license ('in/out licensing'). That's the same IP
> management Apache uses for contributions on JIRA/pull requests, both
> trivial and anything up to 'major' (where the occasional major contribution
> requires an SGA, or lazily (in a good way) an ICLA).
>
> Going back to the original email; I'd like to know what to say to 380
> people to explain why we need them to sign something. With a relicence it's
> easy, relicensing needs the copyright owner's permission, they are a
> copyright owner, please can we have permission. With this, not so easy.
> "We don't trust your contribution, please sign this SGA so we can trust
> your contribution"?
>
>
>
> Hen
>
>
>
> On Mon, Oct 2, 2017 at 6:21 PM, Chris Mattmann <mattmann@apache.org>
> wrote:
>
> Craig, I share the below opinions.
>
> RE: SGA, let me clarify, I think there are a few situations:
>
>
> 1) SGA for a donation e.g., from a company or gov agency
> a. The person providing or “granting” the SGA may have
> the permission of the institution e.g., a signing authority, that
> represents the IP from the company or agency, fine.
> b. The person may be someone without signing authority but
> designated by the agency as someone who can provide the Grant,
> fine.
> 2) SGA for a donation e.g., from a set of contributors
> a. The person providing or “granting” the SGA would ideally point to
> some permanent URL or public URL with the decision by the binding
> set of members of the contributors (at a minimum, within reason e.g.,
> defined as all those active, or as all contributors ever, or all those
> that responded to my email with a deadline of 2 weeks, or a month etc.)
> b. If the community already uses some form of IP management besides
> having a version repository and headers, etc., then pointing to those
> on file would be useful and welcomed.
>
> I’m sure there are variations on 1ab or 2ab but those are the ones fresh
> in my mind
> with what I was talking about.
>
> Thoughts, Craig? Roman?
>
> Cheers,
> Chris
>
>
>
>
>
> On 10/2/17, 5:51 PM, "Craig Russell" <apache.clr@gmail.com> wrote:
>
>
>     > On Oct 2, 2017, at 5:23 PM, Roman Shaposhnik <roman@shaposhnik.org>
> wrote:
>     >
>     > On Mon, Oct 2, 2017 at 3:23 PM, Craig Russell <apache.clr@gmail.com>
> wrote:
>     >> Not to contradict our VP, Legal, just to clarify.
>     >>
>     >>> On Oct 2, 2017, at 1:17 PM, Chris Mattmann <mattmann@apache.org>
> wrote:
>     >>>
>     >>> Clearly, an SGA is intended for the copyright holder. If that’s an
> individual who as an
>     >>> individual represents those copyright holders, OK, but it’s gotta
> be pretty clear.
>     >>
>     >> That is a pretty high bar, and I've not seen it in practice. In
> order for an individual to own
>     >> the rights and grant those rights via an SGA, there would need to
> be some grant document
>     >> from the contributor to the individual(s) signing the SGA.
>     >
>     > +1 to what Craig is saying -- I've also seen a much laxer attitude in
>     > the past. The very questions
>     > I'm asking is whether we should consider tighten our practices or
>     > still allow SGAs that are lax.
>     >
>     > I'm actually working on a proposal right now for a project that
>     > existed on GitHub for sometime.
>     > I've assumed that an SGA *on behalf* of the community (but NOT from
>     > somebody who is legally
>     > speaking a copyright holder) will be a way to go.
>
>     Speaking as a non-lawyer, "You cannot grant rights that you do not
> own." And the following is strictly my own opinion.
>
>     A project that is licensed under alv2.0 and has existed for so long
> that the contributors cannot be found can still use code with the Apache
> license, but not with the Apache header.
>
>     If the project is currently licensed using the alv2.0 as its license,
> then the project can continue to use the license with its original headers
> and NOTICE.
>
>     Craig
>
>     >
>     > Thanks,
>     > Roman.
>     >
>     > ------------------------------------------------------------
> ---------
>     > To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org
>     > For additional commands, e-mail: legal-discuss-help@apache.org
>     >
>
>     Craig L Russell
>     Secretary, Apache Software Foundation
>     clr@apache.org http://db.apache.org/jdo
> <https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fdb.apache.org%2Fjdo&data=02%7C01%7C%7Cea651c00eb9345f34ac008d50a8b5aa2%7Cfa7b1b5a7b34438794aed2c178decee1%7C0%7C0%7C636426515993386975&sdata=dLPPfurP0CIC7%2F3x69gH6Tsd4SKvBVzaPkPt51xvhmE%3D&reserved=0>
>
>
>     ---------------------------------------------------------------------
>     To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org
>     For additional commands, e-mail: legal-discuss-help@apache.org
>
>
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org
> For additional commands, e-mail: legal-discuss-help@apache.org
>
>
>
>
>
>
>

Mime
View raw message