Not quite right.
"Those with review privileges or direct push access are required to file a Mozilla "committer agreement". "
(FWIW: From a legal standpoint, this doesn't make any sense. Either all-in or all-out makes sense. There is no legal distinction to be drawn that the above captures, AFAIK)
So does this mean all original code (IE not third party code) requires a CLA?
Or not?
If so, then Rust requires CLAs. Great, legally sound.
If not, this makes no legal sense. Simply having people with a CLA commit it buys you nothing, legally :)
As I said, all-in and all-out policies make sense.
Pass through policies (IE i can commit code by another), you may as well have no CLA. It's just overhead with no legal benefit. The benefit of CLA's is to have legal assertions about ownership and patents, from the people who wrote the code.
So without having the people who actually wrote the code make those assertions, you get nothing legally.
In those cases, or if it isn't your goal (like the DCO folks), you might as well move to the developers certificate of origin model, and get the same benefits, without any of the overhead.
1. Any Github user submits a PR. This user is not required to have a name or a valid email address.
2. Anyone with review access to the Rust repository (disclaimer: myself included) reviews the PR and leaves a comment on the commit. A bot sees the comment and queues the PR for integration.
I can't comment on the legal implications, but the effect of this process is that there is a very low barrier to entry to contributing and likely explains why the total number of contributors (as measured by Github) is so high.
As to the issue of potential relicensing, the Rust repo is already about as permissively licensed as it gets (a dual license of MIT/Apache 2.0). As far as I understand, this already means that anyone can take the code and relicense it at will (I believe this is exactly what LibreOffice did to OpenOffice). At that point you'd probably still need to distribute the MIT license with each of the original files, but new contributions (and the project as a whole) would be covered by GPL or what have you.
So, given this process, there is literally no advantage to having anyone sign legal agreements, at all. I don't expect Mozilla to change, of course. :)
As for relicensing:
Both MIT and Apache require copyright notices be reproduced when you ship binaries.
I'll assume MIT since it is the more permissive (Apache also requires you give the user a copy of the license, etc).
Rust is statically linked by default, IIRC (and even shared linking often ends up with some runtime code statically linked in).
If Rust binaries include parts of the MIT code by default (I haven't looked at how the runtime and ABI support is structured), then anyone who ships those binaries would be required to reproduce the copyright notice somewhere.
You cannot take this code and relicense it at will, actually. But you can achieve the same practical effect as relicensing, as long as you reproduce the notice, so i won't get into it unless you really want me to :)
(But note that reproducing the notice is exactly the issue for runtime libraries, and without CLA's in place, you would hav to go and ask all contributors who have ever contributed to the runtime libraries in order to be able to remove that notice reproduction requirement)
> If Rust binaries include parts of the MIT code by default
> (I haven't looked at how the runtime and ABI support is
> structured), then anyone who ships those binaries would
> be required to reproduce the copyright notice somewhere.
"In addition to the UIUC license, the runtime library components of LLVM (compiler_rt, libc++, and libclc) are also licensed under the MIT License, which does not contain the binary redistribution clause. As a user of these runtime libraries, it means that you can choose to use the code under either license (and thus don’t need the binary redistribution clause), and as a contributor to the code that you agree that any contributions to these libraries be licensed under both licenses. We feel that this is important for runtime libraries, because they are implicitly linked into applications and therefore should not subject those applications to the binary redistribution clause."
"Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimers in the documentation and/or other materials provided with the distribution."
Given that it seems that LLVM chose MIT specifically to sidestep any need for end users to distribute licenses with binaries compiled via LLVM, I'd be curious to know where the discrepancy here is.
The Mozilla committer agreement is not a CLA as I understand the term - it does not assign copyright to Mozilla, copyright is retained by the original author. The purpose of the document is to assert that those contributing code have the legal authority to do so. In Rust's case, those with review power are the gatekeepers responsible for ensuring the provenance of the code.
This is common to many CLAs (sane ones, at least). The Go CLA (really the Google CLA[1]) also does not assign copyright to the Go project, it gives them a license to "reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute Your Contributions and such derivative works"
(FWIW: From a legal standpoint, this doesn't make any sense. Either all-in or all-out makes sense. There is no legal distinction to be drawn that the above captures, AFAIK)