From: Henri Yandell
Date: Tue, 3 Oct 2017 11:57:52 -0700
Subject: Re: Podling CLA/Grant advice
To: ASF Legal Discuss <legal-discuss@apache.org>
Mailing-List: legal-discuss@apache.org

Because you're saying that an ICLA does not cover past commits?

On Tue, Oct 3, 2017 at 11:45 AM, Chris Mattmann <mattmann@apache.org> wrote:

> Gotcha.
>
> OK this email came out of order for me.
>
> So if an SGA was obtained, it would likely be important for the people who incepted the IP to file the SGA, aka the original academic authors of the project. I don’t know how many, or if they are even willing to sign it, but worth asking.
>
> If there is no SGA on file, of course it’s not a requirement, but follow my advice in the previous reply I just sent. Keep the headers intact, identify what NOTICE updates if any are required, and ICLAs on file cover contributions of the Apache variety going forward.
>
> Thanks
>
> Chris
>
> *From:* <hyandell@gmail.com> on behalf of Henri Yandell <henri@yandell.org>
> *Reply-To:* "legal-discuss@apache.org" <legal-discuss@apache.org>
> *Date:* Tuesday, October 3, 2017 at 11:37 AM
> *To:* ASF Legal Discuss <legal-discuss@apache.org>
> *Subject:* Re: Podling CLA/Grant advice
>
> Amazon are not the creators of MXNet, Alex. They are a contributor to the project. The project predates Amazon's involvement by 1-2 years and was written by academics at various universities iiuc. Amazon got involved when it came to Apache (or a month or two before).
>
> Getting an SGA signed would be easy, but an SGA from Amazon is pointless, it doesn't cover the contributions in question.
>
> Hen
>
> On Tue, Oct 3, 2017 at 11:33 AM, Alex Harui <aharui@adobe.com.invalid> wrote:
>
> Are you saying that Amazon employees own copyright individually and don't have an employee agreement that assigns copyright to Amazon? At Adobe, anything I write is owned by Adobe. I signed something to that effect which is why an Adobe VP signed the Flex SGA.
>
> If Amazon employees assign copyright to Amazon, then an Amazon VP probably needs to sign an SGA and you don't have to chase down any other Amazon employees. And then, if only Amazon employees were making changes before Jan 2017, hopefully the remaining crew is much more manageable.
>
> I'd be amazed if Amazon employees didn't assign copyright.
>
> Unless you are enjoying figuring out which committers did "trivial" work, it seems simpler for the ASF to not care about making it perfect and err on the side of not changing the header until someone has the time to figure out that a file can have its header changed. Meanwhile, the project should just keep on going. What harm could come to the foundation if there is a file who could have its header changed to the ASF header but didn't?
>
> Thanks,
>
> -Alex
>
> *From:* Chris Mattmann <mattmann@apache.org>
> *Reply-To:* "legal-discuss@apache.org" <legal-discuss@apache.org>
> *Date:* Tuesday, October 3, 2017 at 11:19 AM
> *To:* "legal-discuss@apache.org" <legal-discuss@apache.org>
> *Subject:* Re: Podling CLA/Grant advice
>
> Haha, cool, Hen.
>
> If Amazon would be amenable having the original author who created the repo (is that an Amazon employee) submit an SGA would be useful in my mind. Let us know if that can be arranged.
>
> Yes repo & contribution analysis should be ongoing, but not a blocker on proceeding obviously since MXNet has already made a release (though I know there were some concerns with the release perhaps procedurally from what I’ve read on the threads).
>
> Feel free to use my numbers ☺
>
> Cheers,
>
> Chris
>
> *From:* <hyandell@gmail.com> on behalf of Henri Yandell <henri@yandell.org>
> *Reply-To:* "legal-discuss@apache.org" <legal-discuss@apache.org>
> *Date:* Tuesday, October 3, 2017 at 11:14 AM
> *To:* ASF Legal Discuss <legal-discuss@apache.org>
> *Subject:* Re: Podling CLA/Grant advice
>
> No, there's no SGA and no one to sign an SGA. Who would the SGA be with? Perhaps the original author who created the repository 2 years ago? He's already signed an ICLA.
>
> Note that getting all Amazon employees to sign ICLAs (for those who haven't) is an easy task and would have limited impact on the numbers here. Amazon contributions from non-ICLA signers would have started ~Jan 2017, and it's arguable that contributions then were well aware they were a part of Apache as the project was reporting itself as having moved to Apache in Jan 2017 (though the GitHub change didn't happen until July). Basically there's unlikely to be much here unless Amazon happened to hire a historical contributor.
>
> Opt-out would be one approach. Still lots of analysis to work out contribution triviality so I'd be tempted to simply contact everyone who has contributed pre-July, or pre-January.
>
> Having specific numbers of what is trivial, what is major would be useful (as always). Your numbers are higher than I would come up with, so I prefer yours obviously :)
>
> Hen
>
> On Tue, Oct 3, 2017 at 11:05 AM, Chris Mattmann <mattmann@apache.org> wrote:
>
> Hi Hen,
>
> While I understand the below, there is no need to make it more complicated than it has to be.
>
> For MXNet, I assume there was an SGA filed, no? There only needs to be 1:1 on the project level, and contributors don’t need to separately submit an SGA. I would assume you wouldn’t have to email 380 people and that the initial SGA and whomever were specified on it in the attachment, is sufficient to begin.
>
> Then we look that we have ICLAs on file for all **major** and non 5-10 lines of code, or 30+ lines of code, or some number N lines of code **contributors**, for commits and contributions going forward. For those beforehand, if there were 380 contributors, I’m assuming not all of them were Amazon employees. However, perhaps within the 380, many were the 5-10 lines of code variety, a fix here or there variety, etc etc. I know you can adopt an **opt out** rather than **opt in** there. That is, leave the code in there. We assume good faith and that the person will want it there. If they **don’t** want it there, and they make that known, we take it out (we only want code that wants to be here).
>
> Taking the above into account, I do not think it has to be harder than that. And the PMC is responsible for IP management in relation to the code, so this is something the PPMC needs to decide. Consider the above (and below else-thread) advice helping you all to come to your decisions ☺
>
> Cheers,
>
> Chris
>
> *From:* <hyandell@gmail.com> on behalf of Henri Yandell <henri@yandell.org>
> *Reply-To:* "legal-discuss@apache.org" <legal-discuss@apache.org>
> *Date:* Tuesday, October 3, 2017 at 1:37 AM
> *To:* ASF Legal Discuss <legal-discuss@apache.org>
> *Subject:* Re: Podling CLA/Grant advice
>
> Here be dragons :)
>
> In #1, there are two sets:
>
> 1a) The entity are the copyright holder for 100% of the work (ignoring clearly decoupled dependencies).
>
> 1b) The entity are a partial copyright holder of the work (ignoring deps), have received a license to the rest of the work, and have the rights to assign that license to Apache. The latter is probably rare, yet this option (1b) is most likely for any codebase that has been public. That is, we rely on the entity contributing the project to Apache to have clean IP, we don't rely on them to be able to hand over their clean IP to us.
>
> I believe in #2 (below, not 1(b) above) that the git/github model has changed how we look at this. Historically we would have looked at the commits, but I don't believe we would have analysed the issue tracker. With pull requests on GitHub, folk who would have attached a patch to the issue tracker are now a part of the commit history and we see the authors increase by an order of magnitude.
>
> Note that MXNet did have a form of IP management. As a user of the Apache 2.0 license every contribution to the project (per clause 5) was licensed under the Apache 2.0 license ('in/out licensing'). That's the same IP management Apache uses for contributions on JIRA/pull requests, both trivial and anything up to 'major' (where the occasional major contribution requires an SGA, or lazily (in a good way) an ICLA).
>
> Going back to the original email; I'd like to know what to say to 380 people to explain why we need them to sign something. With a relicence it's easy, relicensing needs the copyright owner's permission, they are a copyright owner, please can we have permission. With this, not so easy. "We don't trust your contribution, please sign this SGA so we can trust your contribution"?
>
> Hen
>
> On Mon, Oct 2, 2017 at 6:21 PM, Chris Mattmann <mattmann@apache.org> wrote:
>
> Craig, I share the below opinions.
>
> RE: SGA, let me clarify, I think there are a few situations:
>
> 1) SGA for a donation e.g., from a company or gov agency
>    a. The person providing or “granting” the SGA may have the permission of the institution e.g., a signing authority, that represents the IP from the company or agency, fine.
>    b. The person may be someone without signing authority but designated by the agency as someone who can provide the Grant, fine.
> 2) SGA for a donation e.g., from a set of contributors
>    a. The person providing or “granting” the SGA would ideally point to some permanent URL or public URL with the decision by the binding set of members of the contributors (at a minimum, within reason e.g., defined as all those active, or as all contributors ever, or all those that responded to my email with a deadline of 2 weeks, or a month etc.)
>    b. If the community already uses some form of IP management besides having a version repository and headers, etc., then pointing to those on file would be useful and welcomed.
>
> I’m sure there are variations on 1ab or 2ab but those are the ones fresh in my mind with what I was talking about.
>
> Thoughts, Craig? Roman?
>
> Cheers,
> Chris
>
> On 10/2/17, 5:51 PM, "Craig Russell" <apache.clr@gmail.com> wrote:
>
> > On Oct 2, 2017, at 5:23 PM, Roman Shaposhnik <roman@shaposhnik.org> wrote:
> >
> > On Mon, Oct 2, 2017 at 3:23 PM, Craig Russell <apache.clr@gmail.com> wrote:
> >> Not to contradict our VP, Legal, just to clarify.
> >>
> >>> On Oct 2, 2017, at 1:17 PM, Chris Mattmann <mattmann@apache.org> wrote:
> >>>
> >>> Clearly, an SGA is intended for the copyright holder. If that’s an individual who as an individual represents those copyright holders, OK, but it’s gotta be pretty clear.
> >>
> >> That is a pretty high bar, and I've not seen it in practice. In order for an individual to own the rights and grant those rights via an SGA, there would need to be some grant document from the contributor to the individual(s) signing the SGA.
> >
> > +1 to what Craig is saying -- I've also seen a much laxer attitude in the past. The very questions I'm asking is whether we should consider tightening our practices or still allow SGAs that are lax.
> >
> > I'm actually working on a proposal right now for a project that existed on GitHub for some time. I've assumed that an SGA *on behalf* of the community (but NOT from somebody who is legally speaking a copyright holder) will be a way to go.
>
> Speaking as a non-lawyer, "You cannot grant rights that you do not own." And the following is strictly my own opinion.
>
> A project that is licensed under alv2.0 and has existed for so long that the contributors cannot be found can still use code with the Apache license, but not with the Apache header.
>
> If the project is currently licensed using the alv2.0 as its license, then the project can continue to use the license with its original headers and NOTICE.
>
> Craig
>
> >
> > Thanks,
> > Roman.
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org
> > For additional commands, e-mail: legal-discuss-help@apache.org
> >
>
> Craig L Russell
> Secretary, Apache Software Foundation
> clr@apache.org http://db.apache.org/jdo