Long time Kernel Developer
Open Source Business Evangelist and Advocate
Agitating on legal issues for a while now
Project Best Practices
Need Licence and a way to contribute
Old Days had Licence + entity + CLA
Equity problem: CLAs usually privilege the intermediate entity
But have to analyse carefully Licence+CLA to see this
Example: OpenStack
corporation can completely subvert the licence
Also need something to record and keep track of signed CLAs
This model is bad (even if you trust the entity)
New Way Inbound = Outbound
But still can't pick any patch off the street.
Need a Contribution Agreement (CA)
CA doesn't have to be a licence, just an attestation
Solve filing problem by storing CA attestation in source control
Essentially this is what the DCO is
Attestation is
Signed-off-by: J R Dev <jrd@a.com>
The DCO
Must be coupled to strong source control
DCO+Licence is still the entire agreement
Don't create project specific DCOs
avoids proliferation
Plus it's easy to get wrong
The Legal basis of the DCO
Signoff is a personal attestation from Author and Transmitter
But in US, contribution is likely owned by Employer
So how are the rights transferred?
Happens by common law principles of Agency
Good employer
⇒ Proper Authorization
⇒ Explicit Agency
Everyone Else
⇒ Ostensible Agency
Ostensible Agency only Requires:
External expectation of Authority
Employer Awareness
So rights transfer without Explicit Employer Authority
Everyone has been relying on this for years
So now it becomes standard practice
New Problem: Patents
Newer licences have explicit patent grants (GPLv3; Apache-2)
How does the DCO grant patent rights?
Obvious answer: the same way it grants copyrights, via agency
but the lawyers don't like this
Copyright agency is required
Patent agency is not.
And they've pushed back on OpenStack to prove it
Politically, here's why
Corporate Lawyers Guard Intellectual Property
Problem: OpenStack becomes de facto Practice
Renders DCO unusable for patent-encumbering licences
Questions legitimacy of current projects (Docker, Samba)
But they still want to encumber corporate patents
Effectively empowering engineers to decide which patents to encumber
So can we move them to using the DCO for this?
The Patent Pledge
Instead of signing a CLA with each project foundation
could issue a general pledge on patents in open source
Available at http://blog.hansenpartnership.com/a-modest-proposal-on-the-dco/
It is our expectation that any DCO signoff from a corporate email address binds that corporation to grant all necessary copyright and, where required, patent rights to satisfy the terms of the licence. Accordingly, we are publishing this pledge to illustrate how, as a matter of best practice, we implement this expectation.
For the purposes of this pledge, our corporate email domain is @bigcorp.com and its subdomains.
Warranties
Pledge would bind corporate patents for DCO signoffs
Pledge also moves the bar on the DCO
Creates expectation that DCO works for patent-binding licences with corporate signoff
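An added example, not part of the original slides or of any project's tooling: a check that reads the Signed-off-by attestation out of a commit message and reports whether the author's signoff comes from the pledged corporate domain or one of its subdomains. The function names, status strings and sample commits are constructed for illustration; bigcorp.com is the placeholder domain from the pledge text.

```python
import re

# Trailer form shown on the slide: Signed-off-by: J R Dev <jrd@a.com>
SIGNOFF = re.compile(r"^Signed-off-by:\s*([^<>]+?)\s*<([^<>@\s]+@[^<>@\s]+)>\s*$")

def signoffs(message):
    """(name, email) pairs from the trailer block, i.e. the last paragraph."""
    paragraphs = [p for p in re.split(r"\n\s*\n", message.strip()) if p.strip()]
    if len(paragraphs) < 2:  # subject line only: no trailer block
        return []
    matches = (SIGNOFF.match(l.strip()) for l in paragraphs[-1].splitlines())
    return [(m.group(1), m.group(2).lower()) for m in matches if m]

def under_domain(email, domain):
    """True for the domain itself and its subdomains, never a look-alike suffix."""
    host = email.rsplit("@", 1)[1].lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def classify(author_email, message, pledged_domain):
    """Return (status, signoff emails under the pledged domain) for one commit."""
    emails = [e for _, e in signoffs(message)]
    pledged = [e for e in emails if under_domain(e, pledged_domain)]
    if not emails:
        return "no-signoff", pledged
    if author_email.lower() not in emails:
        return "author-did-not-sign", pledged
    if under_domain(author_email, pledged_domain):
        return "corporate-signoff", pledged
    return "personal-signoff", pledged

# Constructed sample commits (author email, message); not from a real repository.
SAMPLES = [
    ("jrd@bigcorp.com",
     "fs: add bounds check\n\nBody.\n\nSigned-off-by: J R Dev <jrd@bigcorp.com>\n"),
    ("jrd@eng.bigcorp.com",
     "mm: fix leak\n\nSigned-off-by: J R Dev <jrd@eng.bigcorp.com>\n"
     "Signed-off-by: M Maintainer <mm@example.org>\n"),
    ("jrd@notbigcorp.com",
     "doc: typo\n\nSigned-off-by: J R Dev <jrd@notbigcorp.com>\n"),
    ("jrd@bigcorp.com",
     "net: tidy logging\n\nSigned-off-by: J R Dev <jrd@bigcorp.com>\n\nNote added after."),
    ("other@bigcorp.com",
     "usb: quirk\n\nSigned-off-by: J R Dev <jrd@bigcorp.com>\n"),
]

if __name__ == "__main__":
    for author, msg in SAMPLES:
        print(author, classify(author, msg, "bigcorp.com"))
```

The second sample carries both an author and a transmitter signoff, and the fourth shows a signoff that is no longer in the trailer block and so is not counted.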