[riffraff]

I think CLA signing is fine if the projects is owned by a reputable organization (Apache, FSF, whatever).

If the project is controlled by a commercial entity, you just have to understand it will likely change in a way you disagree with.

[soraminazuki]

A CLA is all about changing the terms of the deal after the deal. It's hard to imagine a scenario in which that can be legitimate.

[riffraff]

The scenario is that the world in which those terms were written changed.

E.g. the original GPL or Apache licenses did not consider patents, DRM or Tivoization, but the modern versions do.

I think it's legitimate for a project to say "we think we should address these issues but we didn't think of them" and update their license.

I'm not saying this is always the case, but it's the reason I think it's ok to sign a CLA for an organization you trust: it's _likely_ you'd also trust their choice to change a license.