Also posted on my blog at:
http://bibwild.wordpress.com/2011/12/14/practices-for-simple-contributor-management/

So, like many non-huge non-corporate-supported open source projects, 
many of the open source projects I contribute to go something like this 
(some of which I was original author, others not):

* Someone starts the project in a publicly accessible repo.

* If she works for a company, in the best case she got permission from 
her employer (who may or may not own copyright to code she writes) to 
release it as open source.

* She sticks some open source License file in the repo saying “copyright 
Carrie Coder” and/or the name of the employer.


Okay, so far so good, but then:

* She adds someone else as a committer, who starts committing code. 
And/or accepts pull requests on github etc, committing code by other 
authors.
* Never even thinks about licensing/intellectual property issues.

What can go wrong?

* Well, the license file probably still says ‘copyright Carrie Coder’ or 
‘copyright Acme Inc’, even though the code by other authors has 
copyright held by them (or their employers). So right away something 
seems not all on the up and up.

* One of those contributors can later be like “Wait, I didn’t mean to 
release that open source, and I own the copyright, you don’t have my 
permission to use it, take it out.”

* Or worse, one of the contributors’ employers can assert they own the 
copyright and did not give permission for it to be released open source 
and you don’t have permission to use it (and neither does anyone else 
that’s copied or forked it from you).

== Heavy weight solutions

So there’s a really heavy-weight solution to this, like Apache 
Foundation uses in their Contributor License Agreement. This is 
something people have to actually print out and sign and mail in. Some 
agreements like this actually transfer the copyright to some corporate 
entity, presumably so the project can easily re-license under a 
different license later. (I thought Apache did this, but apparently not).

This is kind of too much over-head for a simple non-corporate-sponsored 
open source project. Who’s going to receive all this mail, and where are 
they going to keep the contracts? There is no corporate entity to be 
granted a non-exclusive license to do anything. (And the hypothetical 
project isn’t nearly so important or popular to justify trying to get 
umbrella stewardship from Apache or the Software Freedom Conservancy or 
whatever. If it were, the Software Freedom Conservancy is a good option, 
but still too much overhead for the dozens of different tiny-to-medium 
sized projects anyone may be involved in.)

Even so far as individuals, over the life of the project who the 
committers are may very well change, and not include the original 
author(s) anymore.

And you don’t want to make someone print out, sign, and wait for you to 
receive something before accepting their commits, that’s not internet-speed.

== Best practices for a simpler solution that’s not nothing?

So doing it ‘right’ with that heavy-weight solution is just way too much 
trouble, so most of us just keep ignoring it.

But is there some lighter-weight better-than-nothing 
probably-good-enough approach? I am curious if anyone can provide 
examples, ideally lawyer-vetted examples, of doing this much simpler.

Most of my projects are MIT-style licensed, which already says “do 
whatever the heck you want with this code”, so I don’t really care about 
being able to re-license under a different license later (I don’t think 
I do? Or maybe even the MIT license would already allow anyone to do 
that). So I definitely don’t need and really can’t handle paper 
print-outs.

I’m imagining something where each 
contributor/accepted-pull-request-submitter basically just puts a 
digital file in the repo, once, that says something like “All the code 
I’ve contributed to this repo in past or future, I have the legal 
ability to release under license X, and I have done so.” And then I 
guess in the License file, instead of saying ‘copyright Original 
Author’, it would be like ‘copyright by various contributors, see files 
in ./contributors to see who.’

Does something along those lines end up working legally, or is it 
worthless, no better than just continuing to ignore the problem, so you 
might as well just continue to ignore the problem? Or if it is 
potentially workable, does anyone have examples of projects using such a 
system, ideally with some evidence some lawyer has said it’s worthwhile, 
including a lawyer-vetted digital contributor agreement?

Any ideas?