[DannyBee]

So does this mean all original code (IE not third party code) requires a CLA?

Or not?

If so, then Rust requires CLAs. Great, legally sound.

If not, this makes no legal sense. Simply having people with a CLA commit it buys you nothing, legally :)

As I said, all-in and all-out policies make sense. Pass through policies (IE i can commit code by another), you may as well have no CLA. It's just overhead with no legal benefit. The benefit of CLA's is to have legal assertions about ownership and patents, from the people who wrote the code.

So without having the people who actually wrote the code make those assertions, you get nothing legally.

In those cases, or if it isn't your goal (like the DCO folks), you might as well move to the developers certificate of origin model, and get the same benefits, without any of the overhead.

[kibwen]

The process is as follows:

1. Any Github user submits a PR. This user is not required to have a name or a valid email address.

2. Anyone with review access to the Rust repository (disclaimer: myself included) reviews the PR and leaves a comment on the commit. A bot sees the comment and queues the PR for integration.

I can't comment on the legal implications, but the effect of this process is that there is a very low barrier to entry to contributing and likely explains why the total number of contributors (as measured by Github) is so high.

As to the issue of potential relicensing, the Rust repo is already about as permissively licensed as it gets (a dual license of MIT/Apache 2.0). As far as I understand, this already means that anyone can take the code and relicense it at will (I believe this is exactly what LibreOffice did to OpenOffice). At that point you'd probably still need to distribute the MIT license with each of the original files, but new contributions (and the project as a whole) would be covered by GPL or what have you.

[DannyBee]

So, given this process, there is literally no advantage to having anyone sign legal agreements, at all. I don't expect Mozilla to change, of course. :)

As for relicensing:

Both MIT and Apache require copyright notices be reproduced when you ship binaries. I'll assume MIT since it is the more permissive (Apache also requires you give the user a copy of the license, etc).

Rust is statically linked by default, IIRC (and even shared linking often ends up with some runtime code statically linked in).

If Rust binaries include parts of the MIT code by default (I haven't looked at how the runtime and ABI support is structured), then anyone who ships those binaries would be required to reproduce the copyright notice somewhere.

You cannot take this code and relicense it at will, actually. But you can achieve the same practical effect as relicensing, as long as you reproduce the notice, so i won't get into it unless you really want me to :)

(But note that reproducing the notice is exactly the issue for runtime libraries, and without CLA's in place, you would hav to go and ask all contributors who have ever contributed to the runtime libraries in order to be able to remove that notice reproduction requirement)

[kibwen]

  > If Rust binaries include parts of the MIT code by default 
  > (I haven't looked at how the runtime and ABI support is 
  > structured), then anyone who ships those binaries would 
  > be required to reproduce the copyright notice somewhere.

This contradicts other projects that I've seen. From LLVM's documentation (http://llvm.org/docs/DeveloperPolicy.html#license):

"In addition to the UIUC license, the runtime library components of LLVM (compiler_rt, libc++, and libclc) are also licensed under the MIT License, which does not contain the binary redistribution clause. As a user of these runtime libraries, it means that you can choose to use the code under either license (and thus don’t need the binary redistribution clause), and as a contributor to the code that you agree that any contributions to these libraries be licensed under both licenses. We feel that this is important for runtime libraries, because they are implicitly linked into applications and therefore should not subject those applications to the binary redistribution clause."

The "binary redistribution clause" referenced from the UIUC license (http://opensource.org/licenses/UoI-NCSA.php) reads as follows:

"Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimers in the documentation and/or other materials provided with the distribution."

Given that it seems that LLVM chose MIT specifically to sidestep any need for end users to distribute licenses with binaries compiled via LLVM, I'd be curious to know where the discrepancy here is.

[DannyBee]

I actually wrote that wording for LLVM, so i'm happy to explain the discrepancy.

Basically, we messed up when we changed the runtime license (I said MIT license when I meant zlib license, which only requires reproduction of notices in the source code), and had to issue a policy statement on the license to make people happy. It is not accurate, legally, in its description of the MIT license. Effectively, by this statement, we are giving permission to not reproduce the notice, even though the license would actually require it.

You don't have to take my word for it though, ask any other open source lawyer whether MIT requires notice reproduction for binaries.

:)

I would urge Rust not to make the same mistake. (This mistake is currently being fixed in a few other "new" languages, in fact)

[kibwen]

What a hilarious coincidence. :)

I'm guessing you can't go giving out concrete legal advice for free, but could you point us towards languages that are fixing this? I see that Julia's stdlib uses MIT for non-external libraries,[1] and Go uses a BSD-style license that explicitly requires distributing the license with binaries,[2] so they're both in the same boat we are. AFAICT D's stdlib uses the Boost license[3] which explicitly allows one to forgo distributing the license with compiled artifacts, but I don't know if solving this issue entirely would require the entire compiler to be licensed under Boost as well. Presuming that interpreted languages can gracefully ignore this issue, I don't know which other "new" languages we could look at for inspiration.

[1] https://github.com/JuliaLang/julia/blob/master/LICENSE.md

[2] https://github.com/golang/go/blob/master/LICENSE

[3] https://github.com/D-Programming-Language/phobos/blob/master...

[pcwalton]

> I'm guessing you can't go giving out concrete legal advice for free, but could you point us towards languages that are fixing this?

Please note that kibwen is not part of the core Rust team.