by ShaneCurcuru 826 days ago
If you simply believe "CLAs are bad", you're missing the point (unless you refuse all legal documents on principle, or something).

The question is: WHO are you signing the CLA over to?

If it's a for-profit company, well, then do you trust that company to follow through?

If it's a non-profit, then look to see (in the US) if they're a 501(c)(3) public charity, which have legal restrictions on their governance, which typically require serving some larger public good. Also look at their history of past governance. I certainly hope (as an ASF peep) that we've shown who we are to be who we plan to be in the future; namely producing software for the public good.

Key reasons the ASF uses a CLA are protecting the org from future IP issues, and partly simply to be able to fix some future typo or legal issue in our license if one ever comes up. But the ASF will always provide all of its released software under a similar style permissive license to Apache-2.0, as long as the organization is around.

If they're a 501(c)(6), then they're a business league, and might act more like a for-profit corporation, so...

2 comments

It's important to remember that FOSS contributions are on a voluntary basis. When I have to sign paperwork, things start to feel like unpaid work.

Signing legal documents requires disclosure of personal information. Most CLAs require full legal names and often the names of employers. While Elric is my legal name, I prefer not to disclose my last name for a variety of reasons. Being able to commit to FOSS on a pseudonymous basis is impossible when CLAs are involved, which I think is a real shame.

I understand that orgs want to protect themselves, but CLAs only protect orgs, and can potentially harm contributors. Now, I happen to trust the ASF, and I hope my personal information is safe with them.

> Being able to commit to FOSS on a pseudonymous basis is impossible when CLAs are involved, which I think is a real shame.

There is a solution to that in many jurisdictions: register your pseudonym as an "alternate name".

There are, roughly speaking, two types of countries when it comes to names. One kind (like the UK) where you decide on your name and the government has to comply with it (after minimal paperwork and minimal expense). And the other kind (where I live) where your name is more or less set in stone after your birth, where it is subject to the whims of the approving official, where it is difficult and expensive to change at best, and sometimes impossible to change.

I'll refrain from going off on a naming tangent, but that stuff is wild.

Which defeats the purpose, because then your pseudonym is legally tied to your IRL identity in a way that may, depending on jurisdiction, be public or semi-public record.

> the ASF will always provide all of its released software under a similar style permissive license to Apache-2.0, as long as the organization is around.

What makes you think that? What stops a few "evil" people from getting on the board and changing the mission in some way and then changing the license so that it is no longer permissive?

I've never been clear on what stops the above attack. Many people have set up foundations on their death that are now promoting things the person was clearly against in their life. Martin Luther King Jr.'s "I have a dream" speech is now property of his heirs who milk that copyright for all the dollars they can get - I believe this is not what he would have wanted. There are plenty of other examples.

Personally I know it since I've been volunteering there since 1999 and know how elections work and know most of the membership. But that probably doesn't help much if you don't know me.

Practically, I know it because the ASF is a Membership organization, meaning there are hundreds of individual Members who have been elected by their peers inside the ASF. The Membership is the group who elects the board. The ASF has only individuals as Members (never corporations), and quite a lot of folks have made their careers about their ASF project work, while hopping between multiple jobs at various vendors.

So to mount an attack like that, you'd need to "evil-ise" over a hundred Members to get them to vote for your hand-picked candidates who would be shunned by basically everyone else involved in the ASF.

https://apache.org/foundation/governance/members.html

Vendor neutrality and our permissive license are baked very, very deeply into everything the ASF does.

A fair number of 501(c)(3) foundations are similarly membership corporations, where the board is elected from the set of people who've been volunteering there for years, so they are unlikely to change direction like that. Some (c)(3)s are not, but still have a good track history. (c)(6) organizations are a mixed bag, since some explicitly allow sponsors to pay for board seats - a very different world.