Contributor License Agreement

We are happy to see a growing number of contributions from external contributors. Until now we have had a very lean process to make sure that these contributions are compliant to be published under the Apache License 2.0. For this, I just ask each new contributor to agree to contribute this and future changes under the license.

I see a growing need to make this process more formal.

@ungerts has started to add checkboxes to PRs:

This could be a part of Pull Request Templates.

I see further need to have an automated check that the PR cannot be merged if this agreement is not there, at least from PRs from forked repositories. This could be by a bot or action in the workflow. Does anyone have experience with such CI integration of CLAs?

Do we additionally need a formal CLA that contributors have to sign?

I would like to attract more contributors, but we should make sure that formally everything is correct.

Hi Karsten,

I agree with you that we need to get things moving here. Unfortunately, I am rather a layman in this field and have little experience with software licensing (except with very, very cautious corporations).
I could offer to arrange a meeting with our open source lawyer to clarify what we really need to be legally compliant. If they recommend a CLA, we’ll probably have to bite the bullet and put a process in place to avoid contributions to Operaton. If they find another solution, we may be able to implement a lighter-weight process. How does this sound to you?

I would really appreciate it if you could arrange the meeting with your lawyer. We should be on the safe side to make sure that the contributions are compliant and that we can further attract more contributors. Please contact me directly to arrange an appointment.

A meeting with a lawyer specialized in Open Source Licensing and legal topics regarding Open Source was scheduled for the first of August. We will update this thread afterwards.

Hi, a quick update after meeting with a lawyer. I’m not going to summarize everything that was said, because I’m not a legal expert and I don’t want to post something which is incorrect or contains some ambiguity due to my wrong understanding, but the gist was:

  • What we did so far was okay
  • We could add a “Developer Certificate of Origin” (DCO) to our repository and point first-time-committers to this (e.g. https://developercertificate.org/)
  • Maybe there is an automated way of making first-time-committers agree to the DCO, we are checking this
  • Any solution which is more complex, like a contributor license agreement (CLA), would not protect us from having to remove code which was contributed without the proper license (even though the committer promised that they had all the rights to the code, so when they lied about this)
  • More complex solutions like CLAs could protect us when somebody is suing us for damages due to including wrongly licensed code. To the knowledge of our lawyers, such a legal situation has not occurred in Germany even once; there is no precedent for this. Hence the recommendation in the meeting was to concentrate on the DCO.

If you have any further questions, feel free to ask them in this thread, I’ll try my best to answer them.

There is also this issue I opened about it on Nov 24th, 2024 here => Developer Certificate of Origin (DCO) · Issue #261 · operaton/operaton · GitHub

There are several actions that could be used for this. This one looks quite like it provides what we need: