Also posted on my blog at:
http://bibwild.wordpress.com/2011/12/14/practices-for-simple-contributor-management/
So, like many non-huge non-corporate-supported open source projects,
many of the open source projects I contribute to go something like this
(some of which I was original author, others not):
* Someone starts the project in a publicly accessible repo.
* If she works for a company, in the best case she got permission with
her employer (who may or may not own copyright to code she writes) to
release it as open source.
* She sticks some open source License file in the repo saying “copyright
Carrie Coder” and/or the name of the employer.
Okay, so far so good, but then:
* She adds someone else as a committer, who starts committing code.
And/or accepts pull requests on github etc, committing code by other
authors.
* Never even thinks about licensing/intellectual property issues.
What can go wrong?
* Well, the license file probably still says ‘copyright Carrie Coder’ or
‘copyright Acme Inc’, even though the code by other authors has
copyright held by them (or their employers). So right away something
seems not all on the up and up.
* One of those contributors can later be like “Wait, I didn’t mean to
release that open source, and I own the copyright, you don’t have my
permission to use it, take it out.”
* Or worse, one of the contributors’ employers can assert they own the
copyright and did not give permission for it to be released open source
and you don’t have permission to use it (and neither does anyone else
that’s copied or forked it from you).
== Heavy weight solutions
So there’s a really heavy-weight solution to this, like Apache
Foundation uses in their Contributor License Agreement. This is
something people have to actually print out and sign and mail in. Some
agreements like this actually transfer the copyright to some corporate
entity, presumably so the project can easily re-license under a
different license later. (I thought Apache did this, but apparently not).
This is kind of too much over-head for a simple non-corporate-sponsored
open source project. Who’s going to receive all this mail, and where are
they going to keep the contracts? There is no corporate entity to be
granted a non-exclusive license to do anything. (And the hypothetical
project isn’t nearly so important or popular to justify trying to get
umbrella stewardship from Apache or the Software Freedom Conservancy or
whatever. (If it were, the Software Freedom Conservancy is a good option,
but still too much overhead for the dozens of different tiny-to-medium
sized projects anyone may be involved in.))
Even so far as individuals, over the life of the project who the
committers are may very well change, and not include the original
author(s) anymore.
And you don’t want to make someone print out, sign, and wait for you to
receive something before accepting their commits; that’s not internet-speed.
== Best practices for a simpler solution that’s not nothing?
So doing it ‘right’ with that heavy-weight solution is just way too much
trouble, so most of us just keep ignoring it.
But is there some lighter-weight better-than-nothing
probably-good-enough approach? I am curious if anyone can provide
examples, ideally lawyer-vetted examples, of doing this much simpler.
Most of my projects are MIT-style licensed, which already says “do
whatever the heck you want with this code”, so I don’t really care about
being able to re-license under a different license later (I don’t think
I do? Or maybe even the MIT license would already allow anyone to do
that). So I definitely don’t need and really can’t handle paper
print-outs.
I’m imagining something where each
contributor/accepted-pull-request-submitter basically just puts a
digital file in the repo, once, that says something like “All the code
I’ve contributed to this repo in past or future, I have the legal
ability to release under license X, and I have done so.” And then I
guess in the License file, instead of saying ‘copyright Original
Author’, it would be like ‘copyright by various contributors, see files
in ./contributors to see who.’
Does something along those lines end up working legally, or is it
worthless, no better than just continuing to ignore the problem, so you
might as well just continue to ignore the problem? Or if it is
potentially workable, does anyone have examples of projects using such a
system, ideally with some evidence some lawyer has said it’s worthwhile,
including a lawyer-vetted digital contributor agreement?
Any ideas?