As someone who wants GPL enforcement, I still say don't sign a CLA, for two reasons:
- Centralizing copyright ownership in a single entity grants that entity the ability to lock down the project at any time and defeat the copyleft (e.g. Oracle killing off OpenSolaris). I consider this a worse outcome than a copyleft that is unenforced. It also encourages malicious enforcement (e.g. Oracle v. Google) that runs contrary to the goals of FOSS.
- Due to some very specific peculiarities of US law, regular users can sue companies that don't follow the GPL, because the source code disclosure requirement makes you a third-party beneficiary of the copyright license (which in US law is a contract).
The last one is a bit unfair to the article because the rulings in question happened after it was published. But it obviates the biggest benefit of centralized ownership - clear and unambiguous standing to sue. If things were the opposite - i.e. the courts said third-party beneficiaries can't sue and only owners can - then there would be an argument for keeping ownership of critical parts of the project in an entity with no conflict of interest against enforcement.
Even then, I don't see why ownership has to be centralized. Under US law, joint owners of a single copyrighted work both have standing to sue. Having more owners means more people with standing. In lieu of a classic CLA with a single point of failure, you could have a policy of accepting any code that is either owned by the developer itself (after their employment contracts have been vetted) or any of a number of trustworthy FOSS organizations who are committed to enforcing GPL. All parties would have standing to sue individually and could additionally sue as a class in a single action.
I think you may be overestimating the usefulness of a third-party beneficiary approach. There are two issues with it:
(1) Isn't SFC vs the only case where how third-party beneficiary law applies to GPL enforcement has come up? That case has not yet gone to trial. The third-party beneficiaries have only been considered in the context of motions of summary judgement. The court ruled that this will have to be determined at trial.
(2) You can only have a third-party beneficiary to a contract when there is a contract.
The defendant should be able to defeat a third-party beneficiary claim by saying that they did not agree to the license. They saw code they wanted to use and thought it was public domain or thought their use would be covered by fair use or decided that they would go ahead and infringe its copyright because they thought the risk of the copyright owners suing was negligible.
That approach would have some risks if the copyright owners later do sue, because it would be tantamount to admitting their infringement was willful which can greatly increase statutory damages.
> because the source code disclosure requirement makes you a third-party beneficiary of the copyright license
Isn't this an open question and a main point in the Vizio case where trial is still a few months off?
> Centralizing copyright ownership in a single entity grants that entity the ability to lock down the project at any time and defeat the copyleft
It also grants the ability to make the project more open. I once wanted to change a project I was part of to a more permissive public domain license. Leadership was in favour but ultimately rejected it due to the impracticality of dealing with getting agreement from everyone who had ever contributed (there were no CLAs). So it remained with the old license.
If an entity unilaterally changes the license, you can still fork it at the time the change was made and continue from there.
Now, I’m not defending Contributor License Agreements. I also dislike them and the hurdles they cause to contribution. Plus, the situation you described of the project becoming more locked down instead of less is likely more common, and forks can be a pain for everyone. Still, wanted to share the other side.
> Centralizing copyright ownership in a single entity grants that entity the ability to lock down the project at any time and defeat the copyleft (e.g. Oracle killing off OpenSolaris).
I don't understand how copyright ownership of FOSS code would impact an entity locking down the project. I don't think owning the copyright gives the entity the ability to do that. Maybe owning the trademark or the Github repo would, but not the copyright.
The entity holding the copyright can change to a new restrictive license, and continue development there, effectively killing the old GPL version and so locking down the project.
The original contributors would not agree, but they gave up their rights.
That's a good point.
However, I think for the entity to do that in practice, the entity would need to also own the trademark and the Github repo (or wherever development takes place). So there's no real risk to assigning copyright to the FSF if the FSF doesn't also own the trademark and the Github repo.
I don't disagree with the general claim, but about your scenario specifically - the "entity holding the copyright" is not, generally, the entity doing the development. If it is, then the question is not copyright assignment but just whether or not the main developing entity sticks to a FOSS development or not.
> but just whether or not the main developing entity sticks to a FOSS development or not
if software is say GPLv3 and they hold no copyright (no CLA) then they must not relicense it.
If copyright was transferred to them they are free to relicense code.
First makes sticking to free software licensing more likely.
If I contribute code to a GPL project without signing a CLA, and they later decide to re-license, they cannot use my contributions in the re-licensed version.
If I've signed a CLA, they can.
The original code up to that point is still GPL though, so they can't lock down your contribution, they are just using it in a closed system. The open system is still available for everyone.
It does not change that a CLA makes it easier to abandon an open source project and use the contributions in a proprietary system.
That depends on what the CLA says. A few do not permit arbitrary relicensing.
If you want to switch the license on a software project away from GPL, that is possible. All old versions were and will remain GPL. Any new versions can stop being GPL as long as all copyright holders agree to let this happen.
You cannot use the GPL license to allow publishing this new version. But you can use permission by all copyright holders as an exception.
Right, but generally the organization with the CLA has money and developers and so can move faster than the old free fork and thus overwhelm it.
Even if they don't have money today, if someone with money wants to take over they are a target.
> Centralizing copyright ownership in a single entity grants that entity the ability to lock down the project at any time...
By this logic, as well as refusing to sign CLAs you should also refuse to adopt any MIT licensed or similar software, since that can also be "locked down".
Do you?
MIT allows anyone to lock the project down, not just one entity, so there isn't ever anyone who can benefit more than others from a contribution.
So it's okay if the FSF does it but not anybody else?
The FSF is the only entity I'd trust with a CLA. Considering they're the stewards of the GPL, if they went evil everything would be FUBAR anyway. So I'd say yeah, the FSF doing it is fine.
Yep. I signed their CLA way back when under that same logic. I absolutely would not sign a CLA from anyone else.
Stallman is old. Who will take over when he dies? What when those people die? Sure you trust them today but do you trust them in 50 years?
Friendly reminder that Geoffrey Knauth, not RMS, is the president of the FSF.
Which makes my point.
My new rule is to never contribute and do my best to avoid using any free software that requires a CLA. Shared copyright ownership is very important to maintaining software freedoms. It makes it impossible for a single party to change the license in ways counter to the community's desires. There have been many recent examples of this sort of bad behavior that have driven this point home for me.
Agreed: don't sign a CLA!
But then following this philosophy, shouldn't you favour copyleft licenses, too? Because if it's permissive, they can suddenly go proprietary without caring "much" about copyrights, right?
I have come to these rules:
- Never sign a CLA.
- In my projects, the "most permissive" licence I use is MPLv2 (which is weak copyleft). When I release OSS software, there is absolutely no point in using a permissive license: MPLv2 should be fine for everybody. Of course sometimes I like the GPL family, and recently I've come to like the EUPL.
Would you sign a CLA if it specified the License your code would be able to the project under? (I.e. the project can only use your code if it says MIT or BSD or GPL licensed).
CLAs can have a legitimate purpose in clarifying copyright ownerships.
How do you need CLAs to clarify copyright ownership? DCoE does the job equally well.
> Would you sign a CLA if it specified the License your code would be able to the project under?
I don't understand.
> CLAs can have a legitimate purpose in clarifying copyright ownerships.
Isn't that the whole point of a CLA? The CLA is usually a way for the contributor to renounce their copyright. In other words, the project asks me to make a contribution for free, and on top of that they want to own the copyright for it.
If they want to own the copyright for my work, how about they pay me?
> If they want to own the copyright for my work, how about they pay me?
If you want to merge your code into someone else's repository, thereby benefiting from their continued maintenance efforts, how about you give them the copyright? You don't have to if you don't want to. You can keep your copyright by merging your improvements into your own fork and maintaining it yourself. It is within your power.
Seems like a fair deal to me. Everyone gets a nice AGPLv3 project to hack on. That's freedom and it is assured. If you want someone else to maintain that project for you the least you can do is give them control over it by assigning copyright. It's still AGPLv3 for everyone else, and it gives the maintainers the leverage needed to negotiate deals with corporations.
Companies paying for exceptions to the GPL is something even Stallman promotes.
https://www.gnu.org/philosophy/selling-exceptions.html
This is a good thing and strengthens free software. Being against this is a position so extreme that even Stallman rejects it. And it can't be done if you need the consent of every single contributor.
I even emailed Stallman directly to confirm the ethics of this. He says it's better this way because only the copyright owner can do it. Permissive licenses give everyone that power. Copyleft keeps it contained.
> It is my understanding that as the copyright holders
> they have the right to do it without any problems.
> They leverage the AGPLv3 to make it harder for their
> competitors to use the code to compete against them.
I see what you mean. The original developer can engage in a practice that blocks cooperation. By contrast, using some other license, such as the ordinary GPL, would permit ANY user of the program to engage in that practice. In a perverse sense that could seem more fair, but I think it is also more harmful. On balance, using the AGPL is better.
I'm confused. The part with Stallman is about using AGPL vs GPL and has nothing to do with the CLA, has it?
It's an excerpt of a much bigger email.
I told him about corporations using AGPLv3 as leverage in order to build SaaS products around the software. As copyright holders, they can do whatever they want while everyone else must comply with license terms. The CLA is a necessary component of that strategy.
I asked him what he thought of the practice. That's what he replied. He didn't go into much detail about SaaS. He said it was too broad a term to judge.
Here's the full email exchange:
Hello, Dr. Stallman.
I would like to know your views on the ethics of certain uses of the AGPLv3.
There are apparently some corporations that are releasing free software under the AGPLv3 while building software-as-a-service platforms using the same software. It is my understanding that as the copyright holders they have the right to do it without any problems. They leverage the AGPLv3 to make it harder for their competitors to use the code to compete against them.
In online discussions on this matter, I pointed to an article that you wrote regarding the ethics of selling exceptions to the GPL. You argued that if selling this exception was unethical then so was releasing software under permissive licenses, and rejected the idea that it was unethical. The conclusion was that this enabled proprietary software to be freed, an ideal outcome.
I'd like to ask if you think the same logic applies to the SaaS situation I mentioned. I think it does, but others did not agree.
People are using the AGPLv3 to maximize leverage. Corporations seem to be incapable of tolerating the license's terms, a situation that leads to copyright holders providing a business solution: paying for it. They can buy special permission to use the software. These days, it appears the choice being offered is to buy into the company's SaaS platform instead of purchasing a special permission or license. The exact mechanism employed by the business seems like a minor detail to me but perhaps there are some ethical considerations that I'm not seeing. So I decided to send you this email and ask what your opinion on the matter is.
Thank you for your time,
Matheus
---
> There are apparently some corporations [...]
"Software as a service" covers such a broad range of computing practices that I generally don't use it. It is too broad, and gives too little information, to judge whether a practice is good or bad.
> It is my understanding [...]
I see what you mean. The original developer can engage in a practice that blocks cooperation. By contrast, using some other license, such as the ordinary GPL, would permit ANY user of the program to engage in that practice. In a perverse sense that could seem more fair, but I think it is also more harmful. On balance, using the AGPL is better.
Right. So this is about AGPL, not about CLA... I thought we were talking about CLAs.
> how about you give them the copyright
under US law, this is an impossibility. Under a CLA, you retain your copyright, and you (typically) give someone else a perpetual, irrevocable license to use your copyrighted material in their own product.
to clarify, it's an impossibility to give it to them irrevocably as under US law you can reclaim a copyright that's been transferred to another party after a statutorily defined period of time
I just looked it up and you're right. Apparently there's no way to sell or give away the copyrights. Ever. You can "transfer" it, license it, whatever... Then suddenly show up and demand it back 35 years later.
Copyright law is completely insane.
This is probably designed for book authors and delinquent publishers that stop selling author's books, then the authors can take back the copyright and go to another publisher.
Why do you believe that the contributor benefits more from contributing to a project than the project does?
Because they get to leave while others get to maintain the code including their contribution until the end of time.
They don't have to accept the contribution if they think it's not worth it. If they think it's worth something, they can pay for it.
> how about you give them the copyright?
I refuse in general. If they want me to read and sign extra legalese, I expect to be paid for it.
If they are unwilling to pay me for my time and the code I license away, then I will find another project to contribute to.
> The CLA is usually a way for the contributor to renounce their copyright
I don't know about other countries, but you actually cannot renounce your copyright under American law. It is an impossibility.
The only way your own code can belong irrevocably to someone else is if you are contracted under a work-for-hire arrangement or if you are an employee of the other entity when you produce the work. (Or if you die and your heirs become the new owners)
If you were to write code and then later submit it to a project (say, via PR), they cannot retroactively implement a work-for-hire arrangement.
In all other cases, the creator is the copyright owner forever. That status cannot be assigned to anyone else. (Except to one's heirs upon death.)
A CLA is a licensing agreement (that's the "LA" part!), where you license your own copyrighted material to another entity, and it's often in perpetuity.
But here's the trick: under US law, an author or author's heirs (i.e., copyright holders in non-WFH situations) can revoke a license in certain situations. The provisions allowing this exist specifically so that non-remunerative licenses (i.e., ones the copyright owner didn't get paid to license) can be revoked.
You can read about some of these termination provisions in 17 USC 203, 304(c), and 304(d).
Copyright can be transferred in the US. I think you are confused from copyright can’t be destroyed to put work public domain.
Indeed they can https://www.copyright.gov/help/faq/faq-assignment.html
I never said you cannot transfer copyright. I said you cannot irrevocably give it up.
And this is true: under US law, after 35 years you can reclaim your copyright
Taking the most sensible meaning of renounce, the court in Micro Star v. Formgen opined exactly the opposite of what you claim:
"It is well settled that rights gained under the Copyright Act may be abandoned."
https://casetext.com/case/micro-star-v-formgen-inc
As for reclaiming a transferred copyright, it's possible, but complicated. It also takes at least 35 years, which is likely too long to be of practical use to most folks.
Does that mean that all those projects using CLAs may end up at some point with someone saying "I want you to remove the part of your codebase for which I have a copyright"?
I mean in practice nobody will ever be able to do that, just like most licences are just completely ignored. But I mean in theory?
i'm fine with my company owning copyright on code I write. Sometimes they let me keep copyright on things I contribute to open source on their time but I get permission before I do that. (they are considering changing the rules such that they retain the copyright and then I would contribute back in their name not my own)
> i'm fine with my company owning copyright on code I write
Sure, but that's not a CLA. You have a contract, and your company buys your work. If you contribute for free to a random project and they ask you to sign a CLA, they are not paying you for your work. They just want your work + your copyright for free.
A CLA doesn't give them your copyright; you still own it, and you're licensing it (hence the "L" in "CLA") to them. And, at least under US law, non-remunerative license agreements can be revoked under certain situations (usually having to do with that free work being turned into profit for the licensor IIRC although I admittedly haven't thought about this aspect of copyright law in twenty years)
That is dangerous. While unlikely there are a few possible attacks. If the law changes such that the license is invalid you need to change to an updated version. If you allow them to change the license for that case they can change the license to anything. Consult with a lawyer to see if there is legal language that allows them to change the license as needed only so long as it meets the intent... note that intent is tricky. GPL 2 and 3 do not have the same intent according to Linus Torvalds but Richard Stallman will say they do. Good luck getting your contract to allow license changes if the intent is the same and having it really be your intent.
the above all seems unlikely but you cannot discount it. which is another reason to not sign a CLA - you have no idea what future changes you might agree with.
Can you please share why it is dangerous? If I release some code that I wrote myself, I own this code so I can always re release it in another strongly copy left license if there is a defect in AGPL v3 or whatever.
If you sign a CLA you no longer own that code. Thus you trust whoever now owns the code to make decisions you agree with but have no way to assure that.
depending on the terms you may own the code but it isn't a useful right as without everyone else including them you can't use your right to get a good license in place (one they disagree with so of course they won't)
> If you sign a CLA you no longer own that code.
This is untrue. The "L" in "CLA" means you are licensing the code to someone else, not transferring copyright.
Edit: [Here](https://github.com/Decathlon/template/blob/master/contributo...) is a sample CLA you see on Github.
Inter alia,
> You hereby grant to Decathlon and to recipients of software distributed by Decathlon a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute your Contributions and such derivative works.
Observe you are licensing the code, not transferring copyright.
What's the practical difference? They still have the right to do anything they want with it.
Those are the terms of that one CLA; the terms of others can be different.
I see you've repeated this in a few comments. Do you have a link?
By the way, I'm not disagreeing. I'm Australian and curious about the US situation. My understanding was that whilst you can't assign copyright — insofar as you ought to always be able to refer to yourself as the original author — you can provide an irrevocable license giving someone else the rights to reproduce, license and sublicense as they see fit.
The person you're responding to is wrong. CLAs are not transfers of copyright ownership or code ownership. They're only licenses (that's the "L" in "CLA") that grant the recipient a set of rights for how they are allowed to use your code that you retain ownership over.
... GPLv3, or any later version with a similar spirit published by the Free Software Foundation or its successor.
Remember that without a license most people don't have any right to copy the software at all, so it's in a corporation's best interest to make sure the GPL continues to be valid. And the law always does what's in a corporation's best interest.
What is the spirit - is gpl 2 and 3 the same spirit? Some will argue no.
Right now gpl assumes things fall back to copyright but companies have an interest in encoding open source into law in a way that would benefit them. Some trickery could make something in gpl illegal and then by law it falls back to the new open source license not no license.
This is usually a misunderstanding of permissive licenses.
You can't change the license of the code, even if that license is permissive enough for the code to be incorporated in proprietary works.
I mean, often this doesn't really matter because, unlike with GPL, publishers are not required to give you the source-code. But it matters when that source-code gets republished, say, under a source-available license, after having been under MIT/BSD/APL2, in which case, that's illegal, unless the company owns the copyright to do so.
As an example — if you have a file with a copyright header saying the code is licensed under a permissive license, you can't just change that header to a different license. There's even a famous case about it: https://undeadly.org/cgi?action=article&sid=20070913014315
It all comes down to copyright. If you copy a piece of code that's not trivial, even if the license allows you to copy and reuse that piece of code, you're not suddenly the copyright owner of that code. Permissive licenses are permissive, but they do have restrictions, and most importantly, with copyrighted works, excluding the fair use cases that depend on legislation, you can only do what the license allows you to.
So, no, code licensed under permissive licenses can't be re-licensed as proprietary, even if it can be incorporated in proprietary works. And this is often a useful distinction to make, as I can think of several re-licensed projects under source-available licenses that couldn't have been re-licensed without copyright assignments.
> There's even a famous case about it
Note this is not a legal case which has been ruled on, just an opinion. It sounds reasonable to me, but also not a hill I would die on personally.
I didn't mean "re-licenced". I meant that it can become closed-source. Bad wording on my end.
Now I guess they can modify permissively-licenced files without licencing their modifications permissively, in which case the file is a mix between both, and good luck making the difference?
You should consider signing one anyway depending on whether you like the creator. This gives the maintainer of the project a way to make money from his work: sublicensing it to companies under a different license. This promotes the use of extreme copyleft licenses like the AGPLv3.
I actually emailed Stallman to ask about the ethics of this. He replied that it's better for everyone when only the creator has this power. Permissive licenses give everyone else that power too. Copyleft licenses don't. Only the copyright owner can sublicense. Others must comply or pay for it.
> It is my understanding that as the copyright holders
> they have the right to do it without any problems.
> They leverage the AGPLv3 to make it harder for their
> competitors to use the code to compete against them.
I see what you mean. The original developer can engage in a practice that blocks cooperation. By contrast, using some other license, such as the ordinary GPL, would permit ANY user of the program to engage in that practice. In a perverse sense that could seem more fair, but I think it is also more harmful. On balance, using the AGPL is better.
> Only the copyright owner can sublicense
If that were true, then the distribution of OSS would be illegal.
If I contribute to an open source project, I have licensed my code to that project. If someone downloads that project, the OSS project has sublicensed my code to them.
I doubt there's a CLA in the world that doesn't grant the right to sublicense.
For example, here is the CLA for VS Code: https://opensource.microsoft.com/pdf/microsoft-contribution-...
the key bit is:
> You grant Microsoft . . . a . . . license . . . to sublicense any or all of the foregoing rights to third parties
I probably used the wrong word. I intended to say "release the software to someone else under a different license". If you own the copyrights, you can release code to the general public under AGPLv3 and simultaneously allow some specific third party to use the software under completely different terms. Other people can't do that, they are stuck with AGPLv3.
Not a lawyer so I could be terribly mistaken about all this. Hopefully someone will tell me if I'm talking nonsense.
GPLv3 says that you cannot sublicense. It says that it is not necessary because of section 10 of the license, which says that "Each time you convey a covered work, the recipient automatically receives a license from the original licensors, to run, modify and propagate that work, subject to this License".
It also makes it impossible for a single (or multiple parties) to change the license in ways in line with the community's desire, including moving to more permissive licenses.
And I'm not really sure I get the risk here. Projects (Redis, Terraform) changed license, the community responded by forking, and the result is at worst more fragmentation. If a company doesn't think a project is worth maintaining without a more monetizable license having multiple code owners isn't going to force them to keep maintaining the software.
I'm not saying multiple owners doesn't have benefits, but it's far from clear enough to present a cut and dried policy like this I think.
> It also makes it impossible for a single (or multiple parties) to change the license in ways in line with the community's desire, including moving to more permissive licenses.
You contribute under the existing license because you approve of that license. Not allowing change is not allowing change... there is no way to make it to allow only change you like. So it is a compromise and, IMO, a good one. And, while not specifically relevant to my point, moving to a more permissive license isn't necessarily a good thing.
> If a company doesn't think a project is worth maintaining without a more monetizable license having multiple code owners isn't going to force them to keep maintaining the software.
My thought is that it would be better if companies didn't have this option. That releasing software under a free software license but then reserving the rights to change it later for business reasons is bad behavior. It is using free software as a marketing tool while you keep one hand on it to yank it out from under your users at a whim. I think free software is better (best?) when developed to scratch an itch and released to reduce the long term maintenance and development burden (and hopefully some altruistic leanings).
To an extent I think that the outrage over redis new licence was excessive, this based on two (I think true) facts:
1. The new limitations had a temporal limitation of two years since release, that is every commit/release would automatically return to the old license after two years of the commit/release publication date
2. Using a two years old version is not that bad unless you are a cloud vendor reselling the software
3. A permissive license in this case was effectively a lot of free money given to Amazon
I don't understand why this isn't everyone's policy for open-source contributions.
Surely there is a middle ground for contributions which you don't really care to retain ownership of? I don't sign CLAs for projects I want to form a long term contributor relationship with, but if I am just trying to fix a small bug that the (probably corporate) owners don't care to fix themselves, I'll sign that code away without hesitation.
FWIW CLAs do not sign away your ownership in code. It merely gives the project the right to use your code via a license
You know how you sign those end-user *license* agreements, which do not give you ownership in the code of those applications?
That's the same principle at work here. You are licensing certain rights in your work to another entity. Generally, the license is giving the right to, inter alia, reproduce and distribute your code in perpetuity.
Because 1) I work on an open source project as part of my employment, not for free on the side and 2) If there was no cla, most likely the source would not be open as the project wouldn't want external contributions. That's strictly worse. Also, the types of contributions that the project would ideally see are mostly from other companies, not people working in their free time, so the cla doesn't really discourage contribution.
Your rule is a common one, but somewhat misses the point of the argument. In the absence of a CLA who does own the copyright to the work you do?
The point of the article is that it may, or may not, be you.
I notice that you weren't clear on this part in your post, suggesting perhaps that it's not something that's front-of-mind like the CLA is.
On the CLA front I'm on the fence. Assign, don't assign, that's for each person to decide.
But the alternative to CLA is not necessarily "I keep the copyright". That's the point the article is asking you to consider.
Aside; unless you have a specific bit of paper assigning copyright to you, and assuming you have a day job, it's very unlikely that you hold the copyright even if you only do OSS work at home on weekends.
And lastly - have you ever enforced your copyright legally? If you have never enforced a copyright violation then your work is effectively public domain. Yes the threat that you could take action exists, but in practice your contributed-to-project can change their license and call your bluff.
> In the absence of a CLA who does own the copyright to the work you do
Under US law, if you are not an employee of the company that owns the code you're contributing to, and you didn't sign a work-for-hire agreement with them, then you own the code you produce, full stop.
Unless you signed a work-for-hire agreement with somebody else! This is where it gets tricky.
In the US (afaik / ianal) your employer gets to claim your copyright if you’ve contributed to a project on company time, or using company equipment, or something else I can’t remember. This actually sounds reasonable to me.
I am sorry but I don't understand what you're saying.
> Your rule is a common one, but somewhat misses the point of the argument. In the absence of a CLA who does own the copyright to the work you do?
If I don't own the copyright in the absence of a CLA, then I don't have the authority to sign a CLA and therefore the CLA should be void. I can't sell/gift/whatever you something I don't own.
Disclaimer: IANAL. Even if I were a lawyer which I am not, I am definitely NOT your lawyer.
Very true, you cannot assign what is not yours.
(IANAL, but I assume that means if you did sign a CLA and submit then you are breaking copyright.)
But that's not my point.
My point is that "not signing a CLA" is only half the job. The other part of the job is actively finding out your status with your company to understand their position. (And I recommend getting that answer in writing.)
The contributor owns the copyright. In Germany for example, there's no transfer of copyright, only non-exclusive license to use. The Developer Certificate of Origin can be used to make it legal.
In Germany it may default to the author. Different jurisdictions behave differently.
In other jurisdictions, and depending on employee contract it may default to your employer. Hence the posted article.
I used to think that copyright is always assigned to the creator, like in Germany, and it appears that I was wrong: according to Wikipedia, at least English law actually defaults (no contract clause needed!) to assigning your copyright to your employer if the contribution was done as part of work for hire. This was a surprise to me but it explained why some OSS projects, like ones by Adobe, require a CLA: many people use their libraries at work, and if someone like that contributes a fix Adobe’s lawyers justifiedly would not want part of their code to be owned by another company.
It is a sad side-effect that assigning away your rights with a CLA to some company also enables some shady behavior[0], but it seems that the possible intent “to place a rug under the project, so that they can pull at the first sign of a bad quarter” co-exists with a more reasonable desire not to have parts of the codebase that you started and mostly maintain at your own cost owned by a potentially hostile entity.
That said, it’s sad that DCOs are not used instead[1]. IIUC, DCO basically makes it clear that the contributor is the one owning the copyright, eliminating the above issue without enabling the rug-pulling.
[0] https://drewdevault.com/2023/07/04/Dont-sign-a-CLA-2.html
> I used to think that copyright is always assigned to the creator, like in Germany, and it appears that I was wrong: according to Wikipedia, at least English law actually defaults (no contract clause needed!) to assigning your copyright to your employer if the contribution was done as part of work for hire
It’s basically the same in Germany. Urheberrecht is not the same as copyright, but comprises personal rights and exploitation rights. 99% of questions about Urheberrecht in commercial settings are about exploitation rights, so ~ about copyright in an American sense.
Personal rights (mostly the right to be named) stay with the author and can never be transferred, exploitation rights default to the employer in employment situations (and are usually explicitly transferred in work contracts, to be safe).
Copyright is not the same as licensing. There is a big difference between granting your employer a license to your work (or OSS contribution), vs. making them the copyright holder (meaning they actually created the work, and you are entirely out of the picture for all intents and purposes). I’d like a lawyer to chime in regarding this English law.
> This was a surprise to me but it explained why some OSS projects, like ones by Adobe, require a CLA: many people use their libraries at work, and if someone like that contributes a fix Adobe’s lawyers justifiedly would not want part of their code to be owned by another company.
A CLA does not affect who owns the code. It only grants the OSS project the right to use the code.
Generally speaking, a CLA will be a non-exclusive license, meaning you can give the OSS project the right to use your code while you also retain the ability to license that code to others as well (as well as continue to use it in your own projects).
CLA is about licensing, CTA is about copyright, but legally licensing seems enough to avoid a dispute.
> while you also retain the ability to license that code to others as well
Depends on the license! Always read what you sign. Get a lawyer to read it.
The DCO does let someone who doesn't own a piece of code contribute it to a project, they just have to be certain that it is licensed under the license it says it is licensed under.
DCO solved the problem of potentially hostile corporate entity owning part of the code.
> When you take a job, in most places in the world, by default, your employer owns and/or effectively controls all your copyrights.
Is this really true? I haven't checked my employment agreement, but I'm pretty sure that my employer only controls the copyrights for a) work I do for them, and b) any other side work I happen to do in my employer's field (which never happens).
AFAIK, work I do on my own that is unrelated to my employer belongs to me, and I've never had anyone from my job try to assert otherwise. (I have plenty of publicly-visible code on GitHub that they could glom onto if they wanted, although none of it is commercially important.)
---
Edit: My employee agreement says "I understand that the provisions this Agreement requiring assignment of Company Work Product do not apply to any Non-Company Work Product that qualifies fully under the provisions of Section 2870 of the California Labor Code, or any similar state invention law."
That labor code says "Any provision in an employment agreement which provides that an employee shall assign, or offer to assign, any of his or her rights in an invention to his or her employer shall not apply to an invention that the employee developed entirely on his or her own time without using the employer’s equipment, supplies, facilities, or trade secret information except for those inventions that either:
(1) Relate at the time of conception or reduction to practice of the invention to the employer’s business, or actual or demonstrably anticipated research or development of the employer; or
(2) Result from any work performed by the employee for the employer."
The employment lawyer I consulted a few years back stated all work done outside office hours is essentially implicit property of your employer in Canada/UK... unless explicitly stated in your employment contract that external unrelated projects are your own.
In most of the US, all work done outside of your employer's business is implicitly your own... unless explicitly stated in your employment contract that they have rights to such works.
In general, most commercial businesses won't care unless their IP or resources were misappropriated for a personal project. Best of luck =3
My UK contract had no IP terms and after many years they tried to sneak them in via the employee handbook - I objected and we negotiated, ending up with a reasonable and amicable split: anything directly related to their line of business is theirs (whether in the office or not) but everything else is mine personally.
This seems the ideal balance as we each get what's valuable to us without overreaching (the original proposed terms would've covered literally everything including random stuff like books and video posts, which they didn't genuinely care about)
Indeed, there are also some hidden advantages to contractor status, in that personal copyright implicitly remains your property until licensed to a firm.
An NDA can also have some nasty obfuscated golden-handcuff clauses. =3
Yeah. I think a lot of people who write these contracts (or work in HR) simply never consider the idea that people would create things outside of business hours. They don’t want to steal your fanfic or that song you’re writing or whatever. Just talk to them and make the contract look right.
I’m currently trying to get a mechanism established at my employer where developers can (optionally and voluntarily) show their “private projects” and get an official statement that the company does not consider it company property. Parallel to how the company can release inventions it does not plan to patent.
It’s not supposed to change any legal rules, but to document a usually silent agreement, if the employee wants that peace of mind. Obviously, nobody is under any obligation to show what they are doing in their private time, but especially when there can be a question if it is “too close” to what the company is doing, it should be valuable to establish that line early and give the employee something tangible.
It's a slog because at big companies anyone below a "department head" is not getting custom addendums added to their contract.
Depends on the company. I've had companies do this for me.
In one large company I won't name, the way we did it was to have someone with enough authority give me a statement in writing acknowledging that anything I made outside of business hours, using my own computing equipment wasn't owned by the company. That was good enough for me.
> anyone below a "department head" is not getting custom addendums added to their contract.
Nonsense. My wife negotiated modifications to her employment contract in her first job out of school. This included a diabolical adjustment to the non-compete clause that essentially made it worthless because it granted her the right to work so long as it was more than one mile away from one of the branch offices.
And since two of the branch offices were more than a mile from each other, that meant she could work anywhere, since any location, including in the same building as one of the branches, was at least a mile from a different branch.
You should probably check it, in the UK this is pretty standard, and I believe it is in the US as well. I suspect most of Europe is similar as well. It will vary by company and industry, but in my experience when you ask HR and Legal to put together a contract for a knowledge-worker, this is a standard addition by them.
I've never had a job actually assert anything around this personally, but I do make sure to have anything notable signed off by my employer as "mine". That's assuming it's unrelated to my employer's field of course.
> this is a standard addition by them
Note that in many/some cases they are happy to drop such a clause if you demand it.
At least I negotiated it away multiple times (though it was not some large corporation, they were more cargo-culting contract text).
Yeah I always check this too - and if needed add a clause to my contract to make it clear that programming work I do outside of business hours & using my own equipment remains mine. I do a lot of opensource work and it would be a disaster to have copyright ownership clouds hanging overhead.
But for a company to assert a copyright like this, they would have to actually sue. And companies will always be loath to sue employees over incidental stuff like this because the negative press will almost always make it not worth it.
The point raised by the article is the reverse.
They agree with you that your company does not want to sue. Specifically (in some cases) they explicitly remove your ability to sue violators.
Obviously each company and employee situation is different, but the default position is they own the copyright, and they'd prefer not to sue anyone.
This leads to copyright violations being ignored.
Whether violations are something you care about or not is up to you. Personally I don't get over wound up by it (my code is pirated all the time) but others feel very strongly in this space. This article is pointing out that if you do care, then it pays to make sure where your copyright exists.
I work at a Fortune 500 and you have to go through hoops to own anything. By letter of the contract they own all the IP we produce which legally includes photos taken. Doubtful they'd enforce that, but it gives them a strong position if one were to write any useful code outside of work.
Are you saying if you worked as a programmer in your standard Fortune 500 company and wrote fiction on the weekends they own the copyright to the fiction?
Would be interesting to see how it would play out if a programmer's fiction blew up as big as Harry Potter or something.
If you utilize any of the company’s assets or property in its creation then they can argue ownership. For example if you write it on their laptop that you take home on the weekend, or you spend your lunch break at the computer in your office writing it, etc. (this will almost certainly be outlined in your employee contract)
If you write it at home on your personal property during your personal time, then they have as much claim to it as the work you do on your house or the models you paint or the soap you make and sell to your friends… which is none.
However, if it’s work you’re doing in the same industry, then you have to deal with non-compete clauses in your employment agreement depending on what state you live in.
Edit: This is USA law as I understand it (IANAL)
Sure; but it’s a lot more ambiguous if you’re a programmer & writing code on the weekend. Especially if the code is in any way related to your work. Also whatever your contract says takes priority over the law in cases like this.
Always read your employment contract carefully and clarify stuff like that if you need to. Your company doesn’t want copyright over the fanfic you’re writing on the weekend. If that matters to you, the best time to clarify it is before you sign the contract.
The contract explicitly includes IP unrelated to the company's business.
Yes, I've seen that too. Then I said "well, you're hiring me in part because of my opensource work. It looks like this contract wouldn't allow me to continue doing any opensource work once I start working here. That would be a huge problem for me." I think the managers involved hadn't read the employment contract itself - or didn't understand the implications of a clause like that for opensource devs. They didn't want to stop me writing opensource code when I felt like it. So we figured it out.
Contracts aren't written in blood. They're just an agreement between two parties. You don't have to agree to whatever crappy, one sided terms are waved in front of your face.
And remember, it's common for companies to spend 40+ hours of work in sourcing, interviewing candidates, hiring panel discussions and so on before they finally give you an offer. Especially in the era of AI generated resume spam. It would be extremely silly to throw all that work away over a grabby IP assignment clause added on a whim by one of their lawyers. Now, yes - some companies are absolutely that silly. But most people have a lot more negotiating power than they think. Especially when it comes to ridiculous clauses like this. At a minimum, it's always worth raising.
This is an extremely important point. A lot of managers don’t read the employment contracts. Oftentimes the legal department (or just lawyer depending on company size) has just drafted something that protects the company as much as is legally possible. That’s often the safest thing for the attorney to do.
It’s never a bad thing to redline a contract and have discussions over sections that you’re uncomfortable with. A good company will work on them with you.
First, definitely consult a lawyer and your contract. In the US contract law pretty much says if you signed it, you agreed to it, then it holds, unless the law overrides it. For example, you could sign a contract that says you are now an indentured servant, but that violates the law, so would be unenforceable (at least in the US since 1917). However if it says the equivalent of “any code you write on your personal time is our property” you basically agreed to that being the case and you’d have to consult a lawyer in your state before making a determination if that contract would hold up in court. The best assumption prior to that would be to assume it is valid.
In addition, the FTC recently banned non-competes countrywide, which went into effect in September 2024. There have been a number of challenges to the ruling that have yet to work through the legal system, so it’s best to consult your state’s laws for the time being.
But outside of that, if a company in the US is telling you that your software that you can prove you developed on your personal time on your personal property is somehow theirs, and you are certain you never signed such a non-compete or an assignment agreement that covers work on your personal time; then find a new company to work at. They are basically bullying you. If your employee contract is so ambiguous regarding copyright assignment of software written on your own personal time and assets as to not be certain, find a new company as well, as they are probably incompetent. (You’d probably be safe however, as Contra proferentem in the US is a rule that states an ambiguous contract term should be construed against the drafter of the contract)
In fact, in the US, the author always owns the copyright. So in fact the company has to put in place an agreement that outlines that your code copyright is transferred to them. If you pay someone to write software, without such an agreement, the author will still actually hold the copyright. The company can use “work for hire” but since that means they have to prove that they hired you specifically for what you wrote, that it was written in the “scope of employment”; most employers who know what they are doing will have you sign an assignment agreement. Without an assignment agreement; if you write something they didn’t hire you to write and you didn’t agree to assign the copyright to them, you own it.
In fact, if a company also wants to patent something that you’ve invented or been part of inventing, they need to get you to file a patent assignment with the USPTO. This may or may not be outlined in your employment contract, but the assignment still needs to be made. You could refuse, most likely at the cost of your employment, however the patent rights would still remain with you the inventor. Not even work for hire would transfer patent or trademark rights.
All that said, it should be obvious, however it’s probably best pointed out.. if you copy any code that is owned by the company (code written by another employee or that you transferred ownership of to the employer) then you’re committing copyright infringement and can be held liable. So you better be sure your code is 100% yours.
Just adding some links for reference.. in both California and New York, employers explicitly can NOT enforce IP assignment of work done on an employee's own time and with their own equipment. (As long as the work is not related to the employer's business). In other words such clauses in employment agreements in those states would be unenforceable.
https://www.ebglaw.com/insights/publications/new-york-restri...
https://law.justia.com/codes/california/code-lab/division-3/...
The non-compete thing never went into effect. A court paused enforcement of the rule.
As I said, there have been challenges to the rule and it’s currently under injunction.
However, if you talk to any corporate attorney they will tell the company to prepare and position itself for having to comply with the ban.
If you’re an employee with a current non-compete, assume it applies unless you consult with an attorney.
If you’re a prospective employee, and a job offer includes signing a contract with a restrictive non-compete.. personally I’d redline it, and if they pushed back I’d find another job.
Don't write code related to work on the weekend. That is unethical no matter what the law says. There is plenty of code not related to work that you can write on weekends and thus it is ethical (may or may not legally be yours but ethically it is).
There is no way that it is unethical. According to whose ethics?
According to my ethics it’s unethical for a company to believe it has any say whatsoever about what I author unless I give them specific assignment of what I create for specific compensation. Outside of that, they can go float a boat.
They hired me for my talent; and will compensate me adequately or I will provide my services elsewhere; and it’s up to me to determine what that looks like when I signed a contract with them.
It sounds like the corporate lawyers have succeeded in making you think they’re doing you all the favor when you create the value for them.
There’s a reason the FTC ruled against non-competes. It’s “ethically un-American”.
The work related part makes it unethical. Unless they pay you to work weekends or otherwise compensate you (on my team when you work weekends we expect you to take time off in the near future to compensate for that time) doing something that competes with the company you work for is not ethical.
Are you perhaps not from the United States? Your take that it’s unethical seems to contradict with nearly 200 years of American IP law, or even further back to the 1400s in English common law where non competes were considered unjustifiable restraints on trade.
In the United States IP rights go to the inventor and most must be explicitly transferred to an employer. The whole point of the patent office is to encourage inventors to invent and not allow corporations to own everything and prevent competition. Although some companies have attempted to rig the system to prevent competition, ultimately the law has come down to foster competition (see the recent defeats of patent trolls)
And as the other commenter here points out, there are so many cases where someone working at a company discovers a way to improve business in the industry they are employed in, that could compete with their current employer, and that employer is unable or unwilling to devote resources or compensate for it. Huge swaths of US innovation are driven by such things. Probably the most iconic example is Steve Wozniak inventing the Apple I while he was working at HP, which HP refused to acquire and support causing Steve to resign and start Apple.
I also write this as someone with a name on a patent I chose to transfer to a company I helped found for an invention I helped create while working there. But to be clear, that was my choice. Ultimately the law said it was my invention by default, and there was no legal, moral, ethical, or god given obligation preventing me from walking away with it.
> non competes were considered unjustifiable restraints on trade
I'm sure you will find that non-competes are perfectly legal in the US.
No they were totally banned by the FTC. And the states that do the most innovation and economic activity had also limited them significantly.
https://www.ftc.gov/news-events/news/press-releases/2024/04/...
And why do people even comment before they do like 30 seconds of googling?
From your link:
On August 20, a district court issued an order stopping the FTC from enforcing the rule on September 4. The FTC has appealed that decision. The district court’s decision does not prevent the FTC from addressing noncompetes through case-by-case enforcement actions.
They are not, in fact, blanket banned as we speak.
First off I never said they were “blanket banned”. I said “they were totally banned by the FTC” which is true and correct. And I said other states “also limited them significantly” which is also true and correct.
A Texas federal court ruled the FTC overstepped its bounds and has currently issued an injunction. However a federal court in Pennsylvania has ruled the opposite. Our legal system isn’t so simplistic that you could possibly interpret that as “it’s perfectly legal” as in the comment I was replying to.
In addition, in many if not most states (especially states in my opinion where innovation and economic activity matters most), most courts have ruled consistently against non-compete overreach and have precedents that do not favor non-competes.
For example § 16600 of California’s Business and Professions Code, for the most part bans all non-competes along with civil penalties of $2500 per violation. Other states also have severe restrictions on what can be prevented in non competes, especially things not specifically related to the job the employee is hired for or outside of proven trade secrets, as has been the focus of most of the discussion here.
As can be seen on the following map the vast majority of states have restrictions on non competes.
https://eig.org/state-noncompete-map/
So any attempt to interpret the current law around non-competes in the US as perfectly legal is ill informed. I don’t know if the comments on here attempting to paint things as “non-competes are perfectly legal” is either just employees being ill informed, or employers on here trying to convince people of things they wish were true.
Short take: if a company is attempting to get you to sign a non-compete you should definitely consult an attorney. Personally I will not work for anyone attempting to get me to sign a non-compete.
Maybe different states have different laws. Even where they are legal courts look down on the idea that someone wouldn't be allowed to do their job. In all states there is some form of noncompete but generally for the most obvious cases - don't work for two companies doing the same thing with access to their private plans at the same time type of thing.
> Unless they pay you to work weekends
That is really different from "Don't write code related to work on the weekend. That is unethical no matter what the law says."
I see no problem whatsoever with taking contract for emergency fixes done on weekend, billed appropriately. Or working flexible time billed hourly.
(unless it impacts your family badly or something, but it is far from blanket ban on working on weekends)
Ehhh this is way more complicated than you make it sound.
For example, I've been in situations where I've successfully argued for some component of what we do at work to be opensourced. But I wasn't given any extra resources to opensource it. I was doing consulting work at the time and the company didn't have a culture of contributing to opensource. In that case, I spent a couple weekends cleaning up the code I'd opensourced & triaging github issues. I'm proud of my work, and I want to share it.
In another company, we were running into some limitations of the database we were using. I spent a weekend writing up a super simple database prototype from scratch, mostly as a research project for myself. I don't think we ever used any of the code I wrote. I probably ended up throwing it on github and then forgot about it. That database prototype was clearly "work related". But it was also very clearly not part of my job. - Although, working on that database made me better at my job. It helped me understand the limitations of the database we were using, and gave me some ideas on how to work around them.
How can you argue that it was unethical to do any of that work? Frankly, everyone benefited. I learned a lot. I got better at my job - (and more employable). And my company benefited directly (and immediately) from my work.
> Don't write code related to work on the weekend. That is unethical no matter what the law says.
Why would getting paid and working on the weekend be unethical? Why would the law be relevant at all for ethics here?
It is about doing unpaid work. Most programmers - at least in the US - are not paid by the hour and so you get nothing for your extra time put in, which is not ethical for them to ask. It is perfectly legal for you to do it.
Laws and ethics are often different but many fail to realize that.
> Most programmers
Yes, definitely true.
> It is about doing unpaid work.
If someone does unpaid work on weekends and it is not done as a hobby or something they are very silly, exploited or both.
> which is not ethical for them to ask
definitely, though I am highly confused why someone would agree to this (unless they are basically enslaved or something which would make it even blatantly unethical)
I guess that if you agree to sky-high wages with implicit agreement to work absurdly long hours, despite written contract being different?
> laws and ethics are often different but many fail to realize that.
Not sure about "many", people in general are quite happy to break laws, especially ones widely agreed to be silly and not enforced at all.
You are not the arbiter of the ethics of people's choices.
Clearly you have never worked for a large company that lays claim on basically any field.
As I said what is legal and what is ethical. I believe ethically code not related to your job that you do on weekends is yours. The law may or may not agree.
My point is that your company will often claim that any code you write on the weekends is theirs regardless of what it is.
I have published novels and a while ago an Amazon recruiter reached out to me for a tech role on a team building story tracking software.
It never went anywhere but I did wonder at the time how they view employees writing their own novels or movies etc. For example, would they have any possible claims on any future novels based in those existing worlds and characters in my previous works.
Obviously they have the funds to outlast you in any claim if by small chance you happen to have a hit at some point.
> this will almost certainly be outlined in your employee contract
A majority of employees in the US are at-will, meaning there is no employment contract whatsoever.
I work for a Fortune 500 as well, FWIW.
And your employment agreement contract includes the same broad assignment clause?
I work for a Fortune 100 company. Dystopian hell hole of out of touch executives in an amorphous blob of a company that only continues due to its massive size and momentum, gobbling up companies because they can't compete and eventually sucking the soul from them... but they only own the rights to things produced on their time or on their equipment.
You miss the point completely.
Let's say you take a photo and paste it on the internet. It is then used (without your permission) in a global ad campaign.
Your ability to sue is zero. All the user has to do is show that you don't have standing.
Your employer doesn't care. They'll happily ignore the violation. They're not interested in defending some random photo.
Incidentally if you posted the photo to somewhere like Facebook, the user can buy the license to use it from Facebook instead of from you, but that's another discussion for another day.
> if you posted the photo to somewhere like Facebook, the user can buy the license to use it from Facebook instead of from you
This is not true.
Here is Meta's TOS: https://www.facebook.com/legal/terms/preview/?section_id=sec...
> you grant us a non-exclusive, transferable, sub-licensable, royalty-free, and worldwide license to host, use, distribute, modify, run, copy, publicly perform or display, translate, and create derivative works of your content
Notably absent from this list is the right to sublicense the content
Did you miss this part?
> sub-licensable
Ha, thanks, that's an excellent, and horrifying, point I had not considered. Thanks! All the same I stand by my point.
> Is this really true?
From my personal experience, this really depends. Some employment agreements are stated very widely, so the employer even gets retroactive ownership of things you do in the past; some include copyrights for work you'll do in the future, after employment, in the same domain which can be said to be based on work you've done for the employer; some include all side-work regardless of domain, while you work there; some don't.
Likewise, I have commercially irrelevant code on GitHub/Codeberg. But as it is all under BSD or MIT licenses, it makes no practical difference to me if my current employer wants to claim ownership; I can pick up where I left off all the same.
IANAL, but I think that if they were to assert copyright over your code, the license you chose would be irrelevant (since the code was never yours to license in the first place).
I should have clarified (and it's too late to edit) that this refers to code I wrote and licensed before the applicable employment. It was already made public under a BSD/MIT license, so everyone (including me) is allowed to use and fork that version, even if the ownership later changes and the new owner licenses theirs differently.
Maybe. If you’re a senior engineer, I could also imagine arguing that I had authority to license it under BSD or whatever as an agent of my employer. The argument would probably be much stronger if you got sign off from your boss though. And legal if your company is big enough. (Though IANAL)
What is your own time when you work remotely with flexible hours?
The time I am not getting paid for.
If an employer wants to control my time, they are obligated to pay me for it.
If they want to control all of it, I expect to be paid an hourly rate 24h/day.
Good luck enforcing that if there's a controversy. You never check personal email on company devices? Participate in mailing lists? Bug trackers for personal projects?
Business hours is an obsolete concept in the modern world, unless you work in an office with precise time tracking.
A signed agreement from your employer is the only thing that holds and that's why FSF asks for it.
> You never check personal email on company devices? Participate in mailing lists? Bug trackers for personal projects?
no
there is no chance whatsoever that something as critical as my email signin is on any device not fully controlled by myself
the same goes for malware/Microsoft OS requested by employer, if they have need for it they need to provide hardware for running it
> Business hours is an obsolete concept in the modern world, unless you work in an office with precise time tracking.
I charge per hour, I do precise time tracking.
> You never check personal email on company devices? Participate in mailing lists? Bug trackers for personal projects?
No, of course I don't. Work time is work time, and personal time is personal time.
> Business hours is an obsolete concept in the modern world, unless you work in an office with precise time tracking.
It's not obsolete at all. Some people are foolish enough to blend working time and personal time, which is their affair. But lots of us understand the wisdom of keeping business hours separate.
Life and work can be very well separated even without working 8 hours straight from 9 to 5. That's the obsolete part.
I’ve previously worked doing technology assessments in the M&A world and copyleft is a big deal there. I’ve had to comb through code (not always automatable) to find any copyleft code and then have had to sit through many meetings with lawyers trying to explain the risk and complexity involved. I’ve seen it tank entire acquisitions.
The source of the conflict is summed up here.
> The central thread here is collective action by principled people who will use copyleft primarily as a tool for rights of users and for the improvement of copylefted projects.
Joint stock companies are about hierarchy and control. Free software is very much not about that. Free software is a syndicalist movement by software developers. Software developers have taken control over computing infrastructure, we develop it on our own terms. We have settled on a decentralized model, which shares openly, without constraint.
People with the hierarchical mindset hate another party taking ownership because that’s something they don’t have control over. They would be happy to have you hunched over a keyboard desperately typing while they bark orders at you, regardless of whether or not that produces anything of value. Linux and GCC are both inspired products that grew in the cradle of copyleft, they are excellent because of their open development. Meanwhile, large corporations are happy to silo themselves into unproductive morasses and play ritualistic political games [1].
Copyleft benefits users because it produces better software. Enforcement is the only card to play to make sure that continues. Unfortunately our reaction to licensing has been immature. When asked about licensing, we’re happy to throw up our hands and say “I don’t care about that” (see WTFPL) and carry on with development as if some helpful person from legal will do the legwork for us in exchange for our wonderful output. The fact is, legal is still in the 19th-century as far as intellectual property is concerned, and are happy to respond in a formal and threatening way to anything that challenges their hegemony. We have to work with our colleagues in the legal community, educate, and give them a place in our decentralized world. Otherwise, we’ll just be workers fighting for our slice of the pie in a rat race, commanded by people who are happy with consistent mediocrity. Users will suffer.
[1] http://minimsft.blogspot.com/2005/06/bob-herbold-fiefdom-syn...
This is why I don't want to put any free testing into a copylefted copyright like Element, let alone code or docs contributions. I realize I'm testing Discord for free, but it's different with Element, because for years I perceived it as being a vendor-neutral open source project. The copyleft is so it isn't vendor neutral.
OTOH there are projects like Forgejo which are copyleft but are still vendor neutral. Even though it's vendor neutral, I wouldn't be too thrilled if it were AGPL, but it's just GPL. So I am still a happy Codeberg user. (Element is AGPL)
Zulip is my favorite open source chat now. It's used by some stuff that's relevant to me right now including Bytecode Alliance and Julia.
What's the deal with Element? Is it AGPL, but exclusively developed by one company? Or does it take contributions but with a CLA giving the copyright to the company? I'm not aware of the situation there.
Not sure I follow why AGPL is a problem, though.
It's bait and switch, they built the community of Matrix and Element around a promise of openness but specifically chose a license to make it another Discord or Slack.
You can read between the lines here: https://element.io/blog/element-to-adopt-agplv3/
HN thread to help with the context: https://news.ycombinator.com/item?id=38162275
To be precise, I'm guessing the problem is more of the CLA, and not AGPL itself.
Yes, CLAs are abusive, IMO. If I do work for free, I own the copyright (unless my company does, but that's another story). There is no way I give it for free to the organisation that manages the upstream project. Developers should not sign CLAs.
But that has nothing to do with the licence itself (be it AGPL or something else).
It's more that vendor neutral is a sweet spot for me. AGPL, as well as GPL for a library rather than something that works well as a standalone application, brings it closer into what feels to me like no software vendor territory - one where you find something else to sell (vend) other than software, like Stallman musing about choosing to be a waiter rather than have any non-free software:
> Well, the most simple alternative was to leave the software field, do something else. Now a lot of programmers say to me, 'the employers hiring programmers demand that I do this -- if I don't do this I will starve.' Now, that's silly. Anybody can leave the field of programming. Even in the US, there are millions of people who make a living not by writing software. I have no other special skills, nothing else that I'm particularly good at. But I'm sure I could have become a waiter. (Now, maybe I couldn't be a waiter at one of the fanciest restaurants.) There is nothing unethical about being a waiter. And there is one thing -- you are not going to starve.
I am still not sure what you are saying. Are you saying that Forgejo being GPL allows e.g. Codeberg to modify it without releasing their changes, and with AGPL they couldn't build a valid business model?
> with AGPL they couldn't build a valid business model
It's not so clear cut.
There are differences between the GPL and AGPL, and they can have an effect on how well a business or non-profit (which Codeberg is) that uses it or is based on it (which Codeberg is) functions.
Forgejo uses the GPL, which is meant for a balance between having it remain open source (a reason for Copyleft) and it being convenient (compared to the AGPL). When a code change is pushed to the servers of someone using Forgejo, they don't need to worry about releasing the changes - only when distributing it. It may take time to prepare the changes to be released publicly, or it may reveal details about a client who is using it.
Forgejo is vendor-neutral because Forgejo itself and their flagship user, Forgejo, use it under the same license as everyone else, and is pretty vendor-friendly because it's under the GPL rather than the AGPL.
Element isn't vendor-neutral because they don't use it under the same license as everyone else. They have the copyright and they don't have to abide by the AGPL. It isn't so vendor-friendly as an open source product to other vendors besides them because people outside have to use it under the AGPL, and might have a situation where a client needs something and the release is held up because the customizations are going to have to be made public as source code as soon as they're accessible over the network.
Both of these are products that are integration-heavy. The AGPL can be a lot more vendor-friendly for products that aren't so integration-heavy.
With the AGPL, you only have to share the code if you modified it. You don't have to keep on top of automatic updates and publish the source code for each update you get.
> they built the community of Matrix and Element around a promise of openness but specifically chose a license to make it another Discord or Slack
This is really unhelpfully inaccurate.
Matrix is as open as ever - and run by the vendor-neutral non-profit Matrix.org Foundation these days. Code published by matrix.org is all Apache licensed.
Element shifted the development of most of the stuff it implements as a Matrix vendor to AGPL+CLA in order to fund FOSS Matrix dev by selling AGPL exceptions to organisations which are allergic to AGPL. We also explicitly put a clause on the CLA spelling out that any contributions under CLA will remain OSI-licensed FOSS for as long as Element is around to release them. Speaking as Element's CEO, if we hadn't switched to AGPL+CLA, we would not have been able to make Element a sustainable organisation (i.e. able to pay the salaries of its developers) - and even then Element isn't quite at break-even yet.
If you can't tell the difference between a proprietary, non-standard-based stack like Discord or Slack and a FOSS, open-standard-based system like Element+Matrix, then I'm not sure you are arguing in good faith here (and it's incredibly depressing to see disinformation spread against Element, given the 10 years we've spent trying to build a good open-standard FOSS solution).
There was clear deprioritization of the community, which to me doesn’t sound like good faith, by Matrix Foundation in closing the ecosystem. Element, which has the stuff that matters, is technically FOSS. And the 10 years just shows how long the rugpull scheme went on, whether the misappropriation of Synapse was planned far in advance I don’t know.
> Matrix is as open as ever - and run by the vendor-neutral non-profit Matrix.org Foundation these days. Code published by matrix.org is all Apache licensed.
Matrix.org was gutted through the transfer of Synapse. With the same leadership as before it’s ready to relicense anything else at anytime.
> There was clear deprioritization of the community, which to me doesn’t sound like good faith, by Matrix Foundation in closing the ecosystem.
The Matrix Foundation has not “closed the ecosystem”! The ecosystem is healthier than ever - just look at all the independent folks building away at https://2024.matrix.org/watch etc. You seem to be conflating Element switching its development to AGPL+CLA with Matrix itself, which is categorically not the case.
> Element, which has the stuff that matters, is technically FOSS
No, Element is not “the stuff that matters”. The Matrix protocol and foundation is. There are loads of Matrix stacks independent of Element now - whether that’s clients for KMP, RN, Flutter, Qt, GTK etc which don’t use a line of code written by Element employees, or alternative servers like Conduit/Conduwuit/Grapevine.
> And the 10 years just shows how long the rugpull scheme went on, whether the misappropriation of Synapse was planned far in advance I don’t know.
Wow. Just Wow. So you’re saying that the 8.5 years spent frantically trying to keep Element sustainable as completely permissive FOSS was actually a long con rugpull - and the longer we managed to extend that to everyone’s benefit, the more malicious we were being? And you would rather Element had gone bust than switched its Synapse dev to AGPL+CLA?
> Matrix.org was gutted through the transfer of Synapse.
Nobody “transferred Synapse”. Element effectively forked it in order to continue working on it as AGPL+CLA, purely so it could sell AGPL exceptions to fund the dev.
> With the same leadership as before it’s ready to relicense anything else at anytime.
Nobody relicensed anything. It is not in the hands of the leadership of the Matrix.org Foundation to somehow force a contributor (Element) to keep contributing as Apache if that contributor can’t financially afford to do so, and chooses to release as a new repo instead.
The Foundation doesn’t remotely have the $ to maintain its own Apache fork of Synapse. It has however spelt out which projects it will continue to release as Apache ($ allowing): https://matrix.org/blog/2024/08/heart-of-matrix/
To be clear: the only reason I’m responding here is to try to give a view based on reality to anyone unfortunate enough to read this thread. It’s incredibly depressing to see how you have misrepresented the situation.
Fwiw, if there had been any way to keep Synapse Apache and keep the team alive to develop it, I would have taken it.
> The Matrix Foundation has not “closed the ecosystem”! The ecosystem is healthier than ever - just look at all the independent folks building away at https://2024.matrix.org/watch etc. You seem to be conflating Element switching its development to AGPL+CLA with Matrix itself, which is categorically not the case.
I'm satisfied with this reply. I disagree and I vote with my feet. It isn't the first time something started off very open, became significantly less open, and still had participants who were OK with it being significantly less open, nor is it the first that doesn't seem to be a true non-profit. It's well known that a non-profit sitting close to a for-profit is often just a structural maneuver at this point. A case in point is the recent WordPress controversy.
So it has an ecosystem with a subset of its former participants. Some of those who are gone see it as closed. Probably not just me.
> Nobody “transferred Synapse”. Element effectively forked it in order to continue working on it as AGPL+CLA, purely so it could sell AGPL exceptions to fund the dev.
The repo was literally transferred, though? With all its issues? As well as the trademark?
I don't mean this just to attack Matrix, just to use it as an example of a type of FLOSS that doesn't interest me, to the point where I'd rather use proprietary platforms than get emotionally invested into open source I don't believe very strongly in, so I'm ready for open source I do believe strongly in. https://sive.rs/hellyeah I also hope to inspire people to look for and seek to develop the next great open messaging platform, or participate in existing ones like IRC. Ergo Chat looks sweet. https://news.ycombinator.com/item?id=42447071
> To be clear: the only reason I’m responding here is to try to give a view based on reality to anyone unfortunate enough to read this thread. It’s incredibly depressing to see how you have misrepresented the situation.
I'm representing my perspective, and you're representing yours. You know, some see Discord and Slack as an open ecosystem, because signup for APIs is open. It's far better than the situation for some other communication tools like Facebook and X.
> Fwiw, if there had been any way to keep Synapse Apache and keep the team alive to develop it, I would have taken it.
So the ideal FLOSS messaging platform is yet to come.
My standards are pretty high BTW. I have been turned off to Go and Swift because they were developed at Google and Apple. So Matrix probably won't win me back, with its purported shift towards open governance. https://matrix.org/blog/2023/12/electing-our-first-governing...
> It's well known that a non-profit sitting close to a for-profit is often just a structural maneuver at this point. A case in point is the recent WordPress controversy.
I agree there. Which is why we have been separating Matrix and Element more and more - eg by setting up the Governing Board https://matrix.org/blog/2023/12/electing-our-first-governing... and removing as much of the historical interdependencies as possible. Just as Mozilla severed itself from Rust, or W3C is independent of browser vendors.
> So it has an ecosystem with a subset of its former participants. Some of those who are gone see it as closed. Probably not just me.
Probably, hence my enthusiasm in trying to set the record straight :|
> the repo was literally transferred, though?
No… it’s still there at https://github.com/matrix-org/synapse. The Fdn archived it given they have no resources to maintain it.
> With all its issues?
The name & description of each issue (not comments) was copied over to avoid breaking the numbering system and relative links, with a link back to the issue on the old repo.
> As well as the trademark?
There is no Synapse trademark and never has been… The Matrix trademark continues to live with the Foundation, as you’d expect.
> I'm representing my perspective, and you're representing yours.
As is your right. My point is that yours is littered with factual bugs, but you have been presenting it on HN as accurate, which is frustratingly misleading.
> So the ideal FLOSS messaging platform is yet to come.
If you don’t like CLAs and/or you don’t like AGPL, there are full Matrix stacks which have nothing to do with Element which are pretty fantastic, imo. Or keep going with Zulip - kudos to Tim & co for improving their financial viability by ratelimiting push (https://blog.zulip.com/2023/12/15/new-plans-for-self-hosted-... - something we’ve never done) rather than selling copyleft exceptions.
Why is it not possible for FOSS authors (who hold copyrights and have not signed them away to their employers) to contract with NGOs like the Free Software Conservancy, allowing it to act on their behalf when it comes to enforcement? Do the copyrights really need to be transferred? I mean, people use lawyers, why can't they let the FSC act in a similar role and with similar powers of attorney?
That is possible, SFC member projects get that service, as well as Linux, Debian and probably other projects too. Copyright transfer isn't needed for that, there is the option of signing enforcement agreements instead.
But then why even ask for copyright transfer? i.e. why is that what the linked article promotes? Suggesting signing over the copyright to another entity partially undercuts the very argument.
Corporate ownership of open source copyrights is actually optimal from an efficiency standpoint. Companies have the resources and legal teams to properly steward these projects, while non-profits like the FSF are bogged down with bureaucracy and outdated ideological concerns.
The article vastly overstates the importance of enforcement. In practice, the collaborative nature of modern software development makes strict copyleft enforcement unnecessary and potentially harmful to innovation. Most companies comply voluntarily because it makes business sense.
I've worked at several major tech companies and have never once encountered the kind of enforcement issues described here. This seems like a solution in search of a problem.
> Violations Are More Common Than You Think
For what I see in robotics, I can say that most products I see being shipped violate hundreds (thousands?) of licenses. Both permissive (which generally require attribution) and all kinds of copyleft.
Many IoT products use stuff like https://www.balena.io/os and essentially ship products that contain docker containers of all sorts. If you ship an Ubuntu container, you ship a ton of packages with it that have license requirements, right?
Nobody cares, nobody knows, nobody wanna know. That's the situation.
In general, Debian has been rather strict with what licenses it allows in its repositories.
The right to transfer copyrighted works may also open people to legal action from employers in some countries outside the US. i.e. the identical contract text can have two different meanings depending where it is signed.
I prefer to license most works as Apache 2.0, and this ensures people can do whatever they need to get the use-case solved in whatever legal obligation they are encumbered within.
Note, implicit personal copyright is always in effect... The original author(s) must explicitly state the work is public-domain/CC0, or you could be in violation.
From what I've seen over the years, there are a few groups of trouble makers:
1. Companies from countries that have zero software copyright/patent laws. So will cycle GPL works into the closed-source production pipeline in commercial settings. i.e. the culture views the US concept of owning ideas as absurd.
2. Folks that think linking against a LGPL shared object for compatibility reasons obligates developers to divulge source code. Note, there is source code released under several different licenses for legal compatibility reasons. i.e. the work may be fine with static linking under one version, and at the same time violate LGPL with the identical binary.
3. submarine attacks... malicious/foolish folks that distribute works they have zero legal right to re-license, re-publish, or possess. For Unity developers on US soil, the store is peppered with works still owned by Studios that can get you sued out of existence.
CC0 and Apache 2.0 are the safest options in my opinion, but one still must trust the authors aren't poisoning the chain of trust with copyright violations.
This is another reason why out-of-band package managers are dangerous to commercial entities. Microsoft will be in business for a long time yet... =3
> I prefer to license most works as Apache 2.0, and this ensures people can do whatever they need to get the use-case solved in whatever legal obligation they are encumbered within.
I prefer copyleft licenses, because they ensure that the end user has access to my code :-). I don't release free work on the Internet to help companies make money out of my work; I want to protect the users.
The great, great thing about Linux being GPL is that Android manufacturers have to share their modified sources, which helps mainlining a lot of hardware.
> I prefer copyleft licenses, because they ensure that the end user has access to my code
Now that so much software (the majority?) is used over a network, standard copyleft licenses (GPL etc) no longer ensure this. If you want that you need AGPL.
> If you want that you need AGPL.
Or EUPL :-).
Why the hell would I get so many downvotes for that? EUPL is an actual license that does behave like AGPL in that sense.
Some people on YC tend to be an emotional group, and have feelings about facts they can't otherwise reconcile.
When it comes to facts, never self-censor for other people's comprehension/mental issues... it will make your life boring like Disney. =3
It's just a shame it's GPLv2, so they don't always have to let you actually install your modified kernel.
The GPLv2 requires allowing installation of modified code too:
https://sfconservancy.org/blog/2021/mar/25/install-gplv2/ https://sfconservancy.org/blog/2021/jul/23/tivoization-and-t... https://events19.linuxfoundation.org/wp-content/uploads/2017...
I am happy when people find a financial upside to my work... but also understand the $1m revenue limit clause Unreal engine used.
Let's be honest, after a year staring at the same code base... nobody cares what happens to source-code... lol =3
I take it from another angle: I don't care so much about what people do with my code. It's not that I don't want others to make money with it (not at all).
It's just that as a user, I'm always happier when I get access to the sources of the product I buy. So I release my code under a copyleft licence for the sake of the other users like me.
To push the idea to the extreme, imagine a world where all the open source software that was ever written was under the GPLv3? Maybe most software would be open source in one way or another (and GPLv3 gives you a way to update the software). So you could buy a smart TV, get access to its sources and to tools that would allow you to upgrade it. I think it would be pretty amazing.
Conservancy's lawsuit against Vizio is aiming to do for TVs what the lawsuit against Linksys did for routers (it resulted in OpenWRT).
https://sfconservancy.org/copyleft-compliance/vizio.html https://sfconservancy.org/copyleft-compliance/enforcement-st...
I'm not as sure as you that it would work out that way.
Let's take your TV example. I bought my TV from the local store, or Amazon, or perhaps second hand from some random guy on ebay.
Naturally I connect the TV to my home wifi, use the built-in Netflix app etc.
Assume I'm like your aunt. I barely have the skills to plug it in, much less read the code.
In this scenario is it OK that every previous owner, distributor, retailer, had the ability to add to, or change, the code in the TV? Do you think a highly skilled person, such as yourself, can audit the code to see that nothing nefarious has been added?
Today I have "limited trust". I have to assume Samsung is gleaning at least some data from my TV. But I'm reasonably sure it doesn't have malware on it.
In your hypothetical future, can you be as sure?
Your optimism about how secure network-connected devices are against e.g. being added to a bot net in the status quo seems misplaced.
I agree with your concern not just for the future but for today. Something like TPMs could help attest that that example TV is running the software you think it is.
Of course, that would require manufacturers to care about security for their customers, which they currently don't. And the average person doesn't care enough, so the only way to change this is legislation/regulation.
Hmm you seem more optimistic about security than I am. In the current situation, most products don't get security updates ever.
With open source, you could end up with completely open source TV OSes (similar to OpenWRT for routers).
Very true, even cellphones get deprecated very quickly.
However... from the well worn car analogy at some point the warranty must expire.
In general, if software was designed correctly, it should have minimized the attack surfaces. Note if someone has physical access, then one must assume the stack is already insecure by intent or incompetence. =3
> In this scenario is it OK that every previous owner, distributor, retailer, had the ability to add to, or change, the code in the TV?
...yes? If you own something, you can modify it. That's certainly better than a world where the vendor can put in spyware and the user can't fix it.
> Today I have "limited trust". I have to assume Samsung is gleaning at least some data from my TV. But I'm reasonably sure it doesn't have malware on it.
And how would you distinguish their behavior to date from "malware"?
https://www.cnet.com/tech/services-and-software/samsungs-war...
https://www.techhive.com/article/2881944/samsungs-latest-sma...
If you don’t modify any of the source for the applications in those containers, then you have no changes to release. IANAL, but my understanding is that the GPL applies to a body of source code and not other things running alongside that source code. The distinctions are nuanced (Galoob v. Nintendo, etc.) but generally if you’re violating the GPL, you can kinda feel it.
Like, in Welte v. Sitecom, Sitecom didn’t just ship Welte’s work with their product (that would’ve been fine) they modified his work and failed to give source code access to their users (which is what the GPL demands).
> If you don’t modify any of the source for the applications in those containers, then you have no changes to release.
Pretty sure this is wrong. GPL says that if you distribute the binary, you must distribute the sources with it [1]. Modified or not. And not a vague link to the upstream project: the actual sources that were used to build the actual binary you ship.
Then pretty much all licences (permissive or copyleft) require some kind of attribution.
[1]: https://www.gnu.org/licenses/gpl-faq.html#UnchangedJustBinar...
Either the source itself, or a written offer to provide the source. But you're right that 'vaguely gesturing' at it doesn't seem to be permitted. Not to mention the license terms not being prominent in the binary (with hardly anyone outside of GNU actually putting a license command into their programs). This kind of stuff is why I'm not in the business of distributing free software.
And licenses are the easiest part. Scanning for occurrences of copyright notices deep down in the directory tree is usually more burdensome, because every single file could contain a new copyright owner.
In theory, it could also contain a new license, but after your project has seen n license texts, it is increasingly rare to see the n+1th license text. Because there are far more people and combinations of people than license texts.
Not sure about balena, most Linux based embedded projects I worked on were based on Yocto and all the source is available either through OpenEmbedded or some vendor consortium (e.g. Linaro).
You only need to provide sources for the copyleft components you change and direct requests to the above entities for the rest.
Yocto does provide a way to track the sources. Balena (which just lets you ship docker containers from the Internet) doesn't.
Of course, GPL and copyleft is a kind of trick which serves the interests of the one who owns the exclusive copyrights. GPL was a real gold mine in the early days because companies didn't bother to distinguish between copyleft and permissive MIT-style licenses when using open source. It became a kind of trap to allow open source devs to monetize their copyrights by selling licenses to allow companies to keep their derived work private.
That's such an extreme position that even Stallman rejects it.
Think it over. Even Stallman, the guy who fetches web pages by mail so as to avoid running non-free JavaScript, promotes the business model of selling permission to violate the GPL to corporations.
https://www.gnu.org/philosophy/selling-exceptions.html
It's okay to do it. This preserves freedom for everyone and gives you the leverage needed to negotiate a contract with a corporation. Everyone can enjoy hacking on an AGPLv3 project. The companies that can't will pay you for the privilege. They might pay you enough that you can work full time on it, maybe even hire more contributors, maybe just enjoy life.
If you're against this, then logically you are also against permissive licenses which allow all this and more. Even Stallman, the most extreme free software proponent alive today, found this to be too extreme. He didn't consider permissive licenses to be immoral, therefore he isn't against this.
I even emailed him to confirm. AGPLv3 is better because only the copyright owner gets to do it, nobody else. Permissive licenses allow everybody else to do it, no questions asked. They just give away all the leverage, completely free. One of the biggest wealth transfers in history, from well meaning developers and straight into the pockets of corporations.
As an open source dev, I like GPL for that reason. It was a kind of trick which kept some monetization paths open for the dev. It no longer works though because now most companies refuse to incorporate GPL libraries into their products. They have tools to check for dependencies automatically. Now open source is almost impossible to monetize.
I've always wondered about open source, it seems to me like it's a pretty good deal for companies
It is an excellent deal for companies. It's also an excellent deal for end users.
Open Source is not designed to be "anti company". It's designed to be pro-user.
(I'm not sure why you're being down-voted, your comment is a common belief, if somewhat missing the point of OSS).
Permissive open source (MIT, BSD) is a voluntary donation to the likes of Jeff Bezos, but AGPL gives them real obligations to share back.
> Permissive open source (MIT, BSD) is a voluntary donation to the likes of Jeff Bezos
This is like saying planting a tree that converts CO2 to oxygen is a voluntary donation to Jeff Bezos.
Just because you do something that helps everyone without distinguishing between the people being helped doesn't mean it's bad.
(A)GPL helps everyone proportionately, without distinguishing between the people being helped. MIT allows one person to try and capture the entire benefit.
> MIT allows one person to try and capture the entire benefit.
No it doesn't. Software is not a scarce good. If Jeff Bezos uses my MIT-licensed software to make billions, he has taken nothing away from the rest of humanity. They can still use it just as much as he could.
It does when he captures all the attention away from you and makes everyone think it's his project. You will have no users or contributors. You'll be free to maintain your own fork, but it'll be like forking one of Jeff's own proprietary projects.