[nerdponx]

You need a CLA precisely you need a default in the case (99.9999% of the time) when the author fails to license their own patches. Maybe this just has never been an issue before, or maybe there are already court precedents around it. But it seems beneficial for authors, maintainers, and users to reduce or eliminate ambiguity due to "un-licensed" contributions.

[maxlybbert]

If somebody downloads source code for a project, fixes a bug, emails that fix to the maintainer, and then tries to sue for copyright infringement, you can be sure that the first question an attorney will ask is "why did you send the fix to the project?" It would be very hard to claim that the contributor didn't expect the project to distribute the fix.

With git, the contributor has an even harder case to make. A pull request is literally a request to incorporate your contribution into the project. If the pull request doesn't include a proposed change to the license, it would be very hard to claim that the fix couldn't be distributed under the terms of the existing license.

I'm not aware of any court rulings directly on the subject. The best I can think of is the Prenda Law case. They sued people for copyright infringement for downloading some porn videos. A few of the people targeted showed evidence that Prenda Law had uploaded the videos themselves, and Prenda Law immediately tried to withdraw their cases. Some of the judges were very upset about that behavior. I'm pretty confident about how a court would handle a case where somebody claimed the contents of their pull request weren't meant to be distributed.

The traditional concerns have been cases where people try to contribute code that actually belongs to their employer, which remains a concern with this CLA-in-the-license approach, or projects interpreting their own licenses in obtuse ways ( https://lists.debian.org/debian-legal/2002/11/msg00138.html ).

[nerdponx]

That makes sense. Thanks for clarifying.

I imagine this could be an issue if, say, it's a project like Firefox and they start including some binary blobs. Without an explicit CLA, couldn't a FOSS-zealot contributor now sue to have their code excised from the product?

[maxlybbert]

For the record, I'm not a lawyer. If I understand the question correctly, I believe the argument would be that the contributor believed all contributors were on equal footing (e.g., all contributions had to comply with the same rules) or that the project somehow promised to behave a certain way -- and that promise may have been included in the license. Without a separate explicit promise about how the project would act in the future, I wouldn't expect the lawsuit to go anywhere, but I don't think it's a silly argument, and it may have a better chance than I believe.

Broadly speaking, the CLAs I've seen either (1) fall into the classic legal "belt and suspenders" approach of being explicit where there is arguably an implicit promise, or (2) require the contributor to transfer copyright to the project and then make promises about what the project will do with the code, including promises about relicensing, and a broad license back to the original contributor.

US copyright law sometimes assumes that there is some kind of agreement between people who collaborate on a copyrightable project, and generally speaking, the CLA looks like it serves that purpose.

[maxlybbert]

Your question is based on a common assumption, that you asked about a couple of days ago. In the US, at least, there are two ways multiple people can hold copyright on something: (1) if each contribution is independent, like a magazine or encyclopedia article, you have a collective copyright; (2) if each contribution is meant to merge with the others, you have a joint copyright. The rules for collective copyrights are basically what programmers seem to expect for collaborative works: each contributor owns copyright on their particular contribution.

However, I believe most open source projects are actually joint works, and the rules for joint copyrights are wildly different from what programmers seem to expect (e.g., http://copyright.universityofcalifornia.edu/ownership/joint-... , but you can find other explanations online, including at http://copyright.gov ). It's clear to me that the law assumes people who collaborate on a joint work will have some kind of agreement between them, like a CLA. I'm not able to find it right now, but I'm aware of one case where somebody contributed to a proprietary program, declared that made him a joint copyright holder, and started selling copies of the software without permission. The court agreed that if he had been a joint owner he would have had authority to sell copies without coordinating with the other owners, but the court decided he only had copyright in his contribution, like a collective work, not because the contribution could stand alone, but because it was relatively small and easily identified.

Based on that ruling, if I maintained an open source project under some kind of restrictive license that I intended to enforce, I wouldn't worry about getting a CLA for small patches (aside from getting some statement that they had authority to offer the contribution), but I would worry about getting one from regular contributors.

There is some point when a contributor crosses a threshold and becomes a joint owner. You want a clear agreement between the joint owners, but I don't believe the license is the right place for that agreement.

[bonzini]

GitHub terms of service for example say that there is an implicit "inbound=outbound" agreement on code that you contribute via GitHub.