Reviewing CLA policy

I concur with your “contribute second hand” being OK as I read it, from my OSS experience. Docs changes are also extremely low risk.

Yeah I think that in today’s world, without any concerns about a corporate owner wanting to re-license TW, a CLA isn’t necessary.

I’ll confer with some OSS lawyer friends.

And I think this is connected to people volunteering for Docs improvements. Great to see the energy here!

I am not sure how much of an obstacle it is in reality that contributors who create their first PR also need to sign the CLA. However, there are mechanisms to make the signing of the CLA during a PR easier: https://cla-assistant.io/

But can I post for someone else who hasn’t signed the CLA? Because that would be the most logical strategy to overcome the GH speed-bump.

The easiest way is, if both of you have signed the CLA, then one of you can create a pull request, without causing licensing problems.

Everything else makes it more complicated, to keep the project “clean”. We probably can’t “merge” PRs that aren’t clear, what’s intended by the author.

Fixing typos will not create any problems. Where things will get complicated starts with e.g. “fair use” [1] … First of all it’s an areal law. So it’s not applicable all over the world.

Avoiding such complications is easy. We use a CLA and 2 open source licenses. BSD 3 clause for the code and Creative Commons Attribution 3.0 [2] for prose text.

[1] Fair use - Wikipedia
[2] Creative Commons — Attribution 3.0 Unported — CC BY 3.0

If we create a multi-user documentation platform with a “sign in” mechanism that “allows” users to “sign” the CLA by creating an account, it would be possible.

From my point of view it will still require a GitHub account. Which also has the advantage, that every GH user is allowed to “star” the TW project.

With the usual IANAL disclaimer, the CLA just requires that the contributor vouches for the copyright status of their contribution. I can’t see how there would be a problem if person A signed the CLA, and then person B emailed person A saying “here’s some stuff for tiddlywiki.com, and I hereby hand over the copyright”, and then person A committed the changes on their behalf. That’s a slightly different conclusion than @pmario’s but I think it’s a reasonable reading of the text of the license.

The motivation for having a CLA in the first place is that back in 2011/12 there was a lot of concern about legal vulnerabilities for open source projects (which I guess would mean being sued by Evernote), and CLAs provided an off-the-shelf defence mechanism.

We’ve never subsequently reviewed our usage of the CLA. I wouldn’t change anything on a whim, but I’d be happy to consider changing our process if we got robust advice from a lawyer or other expert in the field.

see: IANAL - Wikipedia

There is a different form of “signing off” pull requests. See: git commit - What is the Sign Off feature in Git for? - Stack Overflow

BUT I personally think this is much more complicated than signing a CLA once and it is more aligned with code than with documentation prose text.

I was thinking about the signing of the CLA for docs volunteers. My happy idea is that the group has a group/organization in GH and then the organization signs the CLA. But I don’t know anything about how organizations in GH work or whether it can work for this purpose.

Hi @Alvaro – no, GitHub organizations can’t be used like that. Either a person or a company that a person has control over needs to sign the CLA.

But this thread is about figuring out if we can skip the CLA. We’ve already determined that committing to GH on behalf of other people is likely OK.

I’m going to take this on, and ask some lawyer friends 🙂

If someone is contributing documentation about an open source project to that same open source project, I wonder:

  • What would anyone submit that they could make any copyright claim on? I mean people are free to submit or not and surely if they want to retain copyright they would not do this in the first place?
  • I am also thinking how could we even locate copyrighted material that is appropriate for use in TiddlyWiki documentation that is not itself already part of the tiddlywiki licences? Anything more complex than tiddlywiki itself is best linked to anyway.
  • I could take someone’s material copyrighted on top of tiddlywiki, but will it make any sense as documentation?

Potentially, we can skip having to sign a CLA for anyone, whether core code or docs. Not really looking for opinions here, the next step is to consult a lawyer.

Boris,

I am not keen on giving opinions either. My point is, and I would expect one would put it to a legal advisor: for contributions to a project that is itself open source, or has a permissive licence, could such contributions allow anyone to assert copyright anyway?

If the answer is “no” it’s a non-issue. But I think there is value in warning people to not post something they or someone asserts copyright over, as well as accepting only documentation referring to the way TiddlyWiki works.

That’s pretty much what the CLA says, albeit in legal language: “I have the full copyright of my contributions, and I agree to give those copyrights over to the community”. The way that we handle the CLA in GitHub is designed to provide an audit trail of the signature process.

Stepping back, none of this is unique to TiddlyWiki, and we can learn a lot from how other projects are handling it, which is the thinking that led to us starting to use a CLA in 2011: at the time, it was the standard practice for serious open source projects.

As mentioned at: contributing.md the CLAs were derived from the Harmony Project Templates.

I did adjust them to fit the TW project.

Important info about the templates: Guide to the CAs | Harmony Agreements

Relicensing TiddlyWiki is entirely covered by the BSD 3 clause for code and the CC-BY license for prose text.

The CLA is needed for the other way around, to allow TW to use contributed 3rd party content, without getting problems in the future.

It’s worth noting for everyone that there’s been a bit of a shift on this practice in recent years and a number of people are now strongly opposed to having them (see for instance Why CLAs aren’t good for open source). There are places where they’re useful (e.g., if the project wants to use contributions under a different license than the one the software is published under), but (so the argument goes) the open-source community norm is and always has been that submitting contributions is implicitly agreeing to license them under the license attached to the software, so if that’s all you want, the agreement isn’t really necessary. And excessive use of CLAs could arguably harm other projects that don’t use one by eroding that norm to the point that a court might not consider it obvious enough in the future. Not to mention that it’s a significant barrier for new contributors.

I don’t have a particularly strong opinion, but I’d be in favor of removing any bureaucracy that turns out to be unnecessary. 🙂

The general consensus (not law) is that contributions to a repo fall under the license for the code.

One of the reasons to sign CLAs is to allow for easy relicensing in the future.

CLAs are most common when a company owns the copyright and wants to retain the ability to relicense the code. Often, this is when something is eg GPL or AGPL, and then non open source private licenses are sold. A dual license strategy.

This doesn’t apply to TW, and if there is no intent to relicense, then it may no longer be needed.

Thanks for this — great article.

I also don’t have a strong opinion. We’re examining a tiny piece of process and reviewing whether it can / should be changed.

Here are two other links.

And then the rebuttal, with lots of background info and nuance:

This last link is who I was going to ask a casual question of. Kyle Mitchell is an open source lawyer who is also a programmer I know. I highly recommend the rest of his blog if you’re interested in these topics.

In Kyle’s post, he suggests asking in the comments of the first PR. At which point — PR’ing to add your name is really not that much work, and gives us the benefit of a nice list of contributors.

One of the things Kyle advocates for (as do I) is that open source software (OSS) is going through a lot of changes, and sustainability for contributors should be a concern.

He mainly wants to preserve the ability for (easier) re-licensing to something like Prosperity Non-Commercial https://prosperitylicense.com/ — free & open source for everyone if you don’t make money with the software, otherwise buy a license.

I don’t think TW wants / needs to do anything in that regard.

I gave a short talk a couple of years ago if open source licensing evolution is something you’re interested in:

So in summary — maybe we don’t need the CLA process any more. Likely we’re fine with commits of “second hand” content, especially if we ask for a comment on the PR.

The blog post mentioned talks about “Apache-style CLAs” which is mentioned 10 times all over the text. This is meant by Apache-style CLA: https://www.apache.org/licenses/icla.pdf

The workflow mentioned there has nothing to do with our workflow, where signing is as simple as creating a PR.

If creating a PR is considered a problem, then we will need to improve this mechanism, because messing with the CLA won’t change anything with the underlying problem.