[GRASS5] FWD: [OSGeo-Discuss] Incubation Committee / Contributor Agreements]

Frank Warmerdam warmerdam at pobox.com
Wed Mar 8 09:40:31 EST 2006


Hamish wrote:
> I see your point. Maybe we should look at incorporating "GRASS
> Development Team" as a non-profit organization. It takes time but isn't
> all that hard to do.

Hamish,

Well, forming a legal entity hasn't proven to be exactly trivial for
OSGeo.  You would still have to decide who runs said organization
and how to avoid it being "taken over" from without or within.  In
the case of OSGeo we have tried to avoid the "take over" by having
the foundation ultimately controlled by a diverse but limited set of
"voting members" who are respected within the community.  It is hard
to imagine the current set of members electing a board that is
antithetical to the goals of the foundation.   Of course, that doesn't
mean there couldn't be some issues (i.e. GPL vs non-GPL).

My point I guess is that OSGeo is an attempt to do just this, but
at a broader than project level.

> I think the trust issue will disappear with time as the foundation gets
> established. e.g. I don't think folks would think twice about assigning
> copyright to the FSF or GNU foundation today if that is what they wanted
> to do with their code. The "distance" from the board to the devels on
> the ground may not disappear with time, and that worries me -- if the
> "shareholder rights" are not clear, people may not contribute.

Well, we are working to make a very clear set of rules about control
which places ultimate control in the hands of the "voting member" class.
I would add that the board isn't some high-faluting "executive class"
people.  Markus and I are normal in the trenches sort of folks, as are
most of the other board members.

> Assigning co-copyright to yourself & to the mothership is probably a
> good idea for any developer. i.e. both parties are free to do with the
> code (relicense or reuse) as they please. - I take it if co-copyright
> is assigned one party doesn't need the permission of the other to do
> whatever it is they want to do with it?

This is my understanding though I'm a bit vague on the issue.   We
do have a foundation legal counsel we can ask such questions if
we need to.

> as far as I see it, having commit rights restricted to those who have
> signed a legal contract does two things:
> 
> 1) makes managers at corps & govts happy that their "mission critical"
> software has controlled entry points, procedures, and chain of command.
> In reality I don't think it improves the quality or reduces the chances
> of backdoors, but it means the foundation's customers can tick the
> no-hippy box when trying to certify their production chain to their
> internal auditors.

I haven't considered the agreement to do anything to improve quality.
What it is intended to do is demonstrate to a judge, in case of a
legal dispute, that the foundation and its projects have made a
reasonable effort to avoid incorporating any code with disputed
copyright claims into the code base.  If the foundation can demonstrate
it has undertaken due diligence in accepting contributions, and made
every effort to correct issues that are discovered then it is very
hard to make a lawsuit stick (as I understand it).

This is the approach Apache takes, as well as a number of other respected
projects.

As well as protecting the projects in case of lawsuits it also makes
some people building on foundation projects more comfortable about the
safety (in the IP sense) of foundation projects.  This is likely less
of an issue with GRASS than with libraries like GDAL where some
corporations are very concerned about its legitimacy.

But I want to stress this is about making a reasonable effort to
ensure we don't end up with chunks of proprietary or otherwise encumbered
code getting into foundation projects.

There is an aspect of the "no hippy" check-box in the foundation too,
but it isn't really related to the CLA.  It is some of the other stuff
we do to prepare promotional material, and have a strong legal organization
to make end user organizations comfortable that this isn't just a bunch
of teenagers in their basement, or a bunch of hippies on their commune if
you wish.

Actually, that's kind of funny, because I recently moved out "into the
woods" in an area of Canada known for hippy communes.  I'm trying to
live the sustainable back-to-nature lifestyle.  When I stood up at the
Chicago meeting to give my reasons for why I thought the foundation
was a good idea, one of mine was so that folks wouldn't think GDAL/OGR
was just the work of some whacky guy living in a bush.

> 2) It deflects a large amount of the liability from the foundation to
> the developer. The project is protected, but my house isn't, and I can't
> expect that the OSGeo or FSF lawyers will come to my defense, even in
> the case of a no-fault submarine patent suit. The CLA creates a paper 
> trail which focuses the blame. Item #5 should be manageable, but item #4
> is harder unless everyone has a contract lawyer when they start their
> job, submarine patents, etc...
> 
> I don't really care about (1) but am willing to do a minimum amount of
> work to comply with the needs of large organizations. I do care about (2).

This is an interesting point.  The intent of the "chain of due diligence"
is to allow the foundation to protect against lawsuits, and a fundamental
assumption has been that a major goal of the foundation is to protect
the developers from legal problems.  What the CLA and CLA-FAQ fail to
convey is what the foundation will do to protect developers.

> Also, I think it is unrealistic to expect a couple of signed-on gate
> keepers to QA all the incoming code, especially in the case of GRASS.
> There is just too much to understand & review.

Well, the hope is for the substantial contributors all to be under
the CLA and have commit access.  Substantial contributions from someone
not under a CLA may still require they sign the CLA before the
contribution is accepted.

I would add that core GNU projects run by the GNU foundation are also
very picky about ensuring code provenance.  It might be interesting
to review their CLA sort of thing.

Best regards,
-- 
---------------------------------------+--------------------------------------
I set the clouds in motion - turn up   | Frank Warmerdam, warmerdam at pobox.com
light and sound - activate the windows | http://pobox.com/~warmerdam
and watch the world go round - Rush    | President OSGF, http://osgeo.org



