ramblings on PHP, SQL, the web, politics, ultimate frisbee and what else is on in my life

CLA looming around the php world again

I have complained about this IP protection blabla put forth by CLA protected projects previously. But I keep hearing the same (imho false) arguments that CLA's are a non issue. I was kind of shocked that neither the Zend nor the eZ Systems representative at the PHP Conference in Frankfurt was able to display that he actually knows what is in their respective CLAs. One issue is the one-way OSS, where due to the explicit copyright grant required, it becomes hard to cherry pick OSS code. While that's annoying, the bigger issue imho is the problem of the patent grant clause found in all CLA's I have seen (which all seem to be derived from the Apache CLA). I keep bringing up this point until people who push CLA's will finally stop repeating lies about them. Saying that single developers do not need to worry about getting sued over patent infringements is simply wrong.

Anyways, we have had CLA'ed off PDO drivers in PECL for a while now. Wez decided that as king of PECL he has the right to make such decisions on his own, though I presume that Zend was in full accord with these actions. There was some upflair back then, but it died down. I hope this time we will settle things once and for all in regards to CLA's. AFAIK Rasmus has refused to sign the Apache CLA and I think the fact that PHP wasn't so thrilled about CLA's is one of the reasons why we are no longer an official subproject of Apache.org. But that is just a guess on my part. Yesterday the first public sightings of what seems to be a behind-the-scenes group discussing PDO2 have been made in the form of a commit by Wez that created yet another CLA'ed off section on cvs.php.net for pdo-specs. There was no explanation at all, but after some people requested one from Wez he came back with "it will be explained later". Poking Jay of MySQL AB fame a bit, the answer was that for the most part there hasn't been much more than lawyers talking and that very soon now they will have a CLA hammered out and then they will go public, which will include some (maybe all?) of the email exchanges done as part of this process. However I guess a lot was discussed in phone conferences. I actually do not have that big of an issue with people discussing things on private lists, especially if all discussion will be made public later on. I do understand that for larger organizations it might be necessary to first scope potential partners before setting off discussions. It will lead people to make certain assumptions which could spin off from reality.

Now I am about to do exactly this. I am going to make assumptions about what they are about to announce. Following is what I sent to the internals PHP list earlier today. I am posting this in order to put some pressure on the people to ensure that they think very hard about any patent grant clause they put into the CLA. I will be gone for 3 weeks starting tomorrow, so I hope that when I am back they have published a CLA that does not validate my fears. Anyways here it goes:

To me the key piece that would kill the idea of a CLA is if it required me to be able to grant all patents that may be covering any of the code I contribute. So far all the CLA's I have read seemed to imply this. And from my understanding this is what makes the CLA work for companies. The alternate interpretation, that the Apache CLA and its many derived CLAs only require that you grant all patents that knowingly cover the given code, seems bogus to me, since that would defeat the purpose of the CLA to begin with. And that is to be able to deflect all lawsuits aimed at the project and its users, by pointing the finger at a single developer. The idea being that single developers are not interesting targets for patent trolls. I find this claim, that most OSS projects keep repeating, so hideously evil. If all you need is to ensure that only single developers are to blame for patent violations, then the patent system would probably quickly get an update (because then even our friends at IBM, SUN etc would start to care - they do like software patents, do not let yourself get confused by their patent pool schemes).

The point is, there is no guarantee that a patent holder will not still proceed to sue developer Joe Schmo. Number one, not all of us stay poor, but more importantly it will just take a few lawsuits to teach all the developers in the world that all the guys that gave you friendly advice on CLA's were either lying or uninformed (or lying about being informed). However all the Joe Schmo developers that were taught this lesson can kiss happy life goodbye.

Now without CLA's, there would be more incentive for companies like IBM and SUN to actually take a different approach to software patents, like using their happy lobby money to actually put an end to them. Or invalidate the patent claim in question, because otherwise they can be sued as well for using the given code, since they do not have a patent grant from Joe Schmo.

I have asked IBM to validate the legal situation with a proper legal analysis (which I might still get cross checked by a lawyer of my choice), but I do not know if my contact at IBM was too lazy to actually ask, or if IBM just chose to not answer because they know full well that CLAs are essentially using developers as bumpers. And when the big guys slam into each other .. there is not much left of the bumpers in between.

Update [16/06/2008]:
Fixed a screwed up non intended double negative (I made the offending "able" - used to be "unable" bold up there in the very first paragraph).

Comments



Re: CLA looming around the php world again

Hi Lukas,

There were at least five representatives from eZ at the Frankfurt conference, myself included. As the auth^w^w^w^whacker of the eZ CLA, I would have been happy to explain it to you. Do keep in mind that I am not a lawyer.

I do not believe that one-way FOSS is an issue with the eZ CLA. The CLA requires that you grant eZ a license to do what we want with the code - except license it exclusively. On the copyright front, authors who sign the CLA lose the right to exclusively license the code. They can still license their code any other way that they see fit - the code never gets locked up.

On the patent front, the CLA requires that contributors give eZ and the people who use your code a license to any of _your_ patents (or patents that you acquire the rights to license) that are expressed in the code (or by your code combined with our code.)

This is meant to stop patent holders from including patent trojans, not as a way to make a developer somehow the legal buffer for a large company. (Which would likely be a very poor legal strategy for a company, as it would just give the other parties some easy-to-sue target that would establish a precedent on the matter.)

Reading the CLA with the criticism that you have raised, I can see how someone might work to interpret the phrase, "... patent claims licensable by You ..." as having some broad meaning. I'll patch that to be more precise.

The CLA is meant to protect eZ and the users of the software against malicious contributors, and to protect contributors from themselves and from eZ. We've discussed the major ways that it protects eZ and the users of the software. The CLA seeks to protect contributors from eZ by making it clear that contributors are providing the software with no warranty and no support. It protects contributors from themselves by making them understand that they can't and shouldn't give away code that they don't hold copyright on.

You can read the CLA and the surrounding information here:
http://ez.no/ezpublish/contributing/cla

Cheers!
--zak

BTW Your comment preview seems broken. Pressing preview takes me to the front page of your blog.

Re: CLA looming around the php world again

Hey Zak,

First up, not sure what was going on when you hit preview. I could not quickly reproduce this issue in FF, but I will play around with it a bit.

Second for the actual message you wanted to convey. If the entire purpose is to prevent patent trolls, then I would indeed appreciate a clarification of language, because I simply cannot read this as the sole aim in the current wording. Thanks for the feedback on this, it would definitely make me take eZ's CLA off my "avoid like the plague" list. I do still think that this explicit copyright claim can lead to one-way OSS, but like I said I see more legitimacy in this item. Especially that once the patent part is acceptable, I can even suggest other people to consider signing the CLA, so that they can contribute their code themselves.

Re: CLA looming around the php world again

The idea of the CLA patent clause is not to go after a single developer but to ensure that nobody submits code that is known to be patented or otherwise restricted by the contributor without disclosing the situation and later goes after the users or the developers of the project with claims.
Of course, no CLA ever could require you to grant the license for patents you do not hold, and no CLA could make you disclose things that you do not know about. And of course no CLA could prevent anybody from suing you for whatever reason they please. It is not its purpose, as it is not its purpose to take a political stand on IP laws or be used as a weapon to promote any policy.
Its purpose is to make reasonably sure you own the code and to make the fact of contribution "without strings attached" explicit. That's it.

Re: CLA looming around the php world again

Well I am fine with requiring that the contributor grants all the patents that he owns that cover the contributed code. But that's not what it says in the CLAs. The question of contributing code that the contributor knows is patented, but to which he does not own the patent is a trickier issue. Take everybody's favorite progress bar patent. Suddenly it gets murky grey brown.

Re: CLA looming around the php world again

Hey Lukas,

I'll take a crack at rewriting our CLA into plain English. If people aren't able to understand the agreement, then it isn't doing anyone any good.

"I do still think that this explicit copyright claim can lead to one-way OSS, but like I said I see more legitimacy in this item."

How is the situation different than any other FOSS project?

For example, if you are working on an Apache Software License licensed project, you can't just grab a chunk of GPL licensed code and distribute it with your ASL licensed project.

Cheers!
--zak

Re: CLA looming around the php world again

Well maybe I am not understanding something here. But take MDB2 for example. It's BSD licensed. Could eZ have just taken that code as the basis for their DBAL? I mean taken the code 1:1 and then refactored it to be more PHP5-ish ..

Re: CLA looming around the php world again

Hi Lukas,

eZ could do this, as could anyone else.

The BSD licensing would be almost the same as if eZ had a CLA for the code. The eZ CLA is better defined around areas of patents and support.

How does this relate to one-way FOSS?

Cheers!
--zak

Re: CLA looming around the php world again

It was my understanding that this "clean IP" thing mandates that the contribution is always done by the original author (or that the original author has explicit consent from the original authors). For example Doctrine was turned down for inclusion into ZF for this reason, or so I have heard. Doctrine is based on PEAR::MDB2, which in turn is based on PEAR::MDB, which is again based on PEAR::DB and Metabase and takes some ideas from ADODB and Creole (though no verbatim code from the last two). I also felt like eZ was reluctant to base their code directly on PEAR::MDB2. If you are writing a DBAL it's imho quite foolish to start from scratch.

Anyways, thanks for your answers, but as I am off to Brazil for 3 weeks in a few hours, I cannot continue the conversation for now ..

Re: CLA looming around the php world again

So I guess I have one question: I never interpreted the CLA to mean anything other than I personally as a developer will get sued if I steal someone else's code and put it into an OSS project..

My question is: And your point is?

From my perspective, that's absolutely fine. I personally think that developers in OSS projects *should* be held accountable for stealing code. I think the bigger question here is what constitutes stealing code, and that goes into the whole software patent issue which I will digress on for now..

Bottom line: If you didn't write the code it isn't your place to distribute it without permission. I don't buy the argument that CLAs are bad because it puts the responsibility on the developer, because otherwise the responsibility is on a project which simply can't possibly hope to determine what's "clean IP" and what isn't from all of its contributors. Does that mean that contributing to open source software is a little risky because you might get sued? I guess... but heck, I might get sued if someone walking up to my house stumbles over a rock and cracks their head open.. such is life.
