Jacob Kaplan-Moss

Contributor License Agreements

I wrote this post in 2009, more than 14 years ago. It may be very out of date, partially or totally incorrect. I may even no longer agree with this, or might approach things differently if I wrote this post today. I rarely edit posts after writing them, but if I have there'll be a note at the bottom about what I changed and why. If something in this post is actively harmful or dangerous please get in touch and I'll fix it.

Mike Malone emailed me an interesting question, which I thought I’d answer publicly:

[We’ve released code] under the BSD license. We want to accept patches from the community, but were wondering whether we need to get everyone who submits a patch to sign a release or something saying that their patch is BSD too. [Does Django] require everyone who submits a patch to sign that sort of release?

The Right Way is to require that all contributors sign a contributor license agreement (CLA). These differ from project to project, but generally say:

  1. The code I’m contributing is mine, and I have the right to license it.
  2. I’m granting you a license to distribute said code under the terms of this agreement (typically “as you see fit” or “under an OSI-approved license” or whatever).

The Django Software Foundation does indeed have a CLA, based on Apache’s CLA, and we require signatures from those who contribute significantly to Django. We have a pretty good CLA FAQ, written mostly by Malcolm, which goes over some of the common questions folks have about CLAs.

CLAs are unfortunately the only way [1] to prove proper provenance.

An IP lawsuit is a Game Over moment for most open source projects. No way the DSF has enough funds to fight that kind of case; it’s doubtful that even bigger organizations like the ASF do. But if you’ve got your documents in order, the chances that a firm like the SFLC or the EFF would help you pro bono increase dramatically.

In a perfect world, all open source projects would collect CLAs from day one. But realistically most maintainers ignore that advice [2].

Thing is, the chances you’ll actually need to ever produce proof of IP provenance are slim. Lawsuits around open source are thankfully rare, especially when you’re a small target. And most open source projects are extremely small targets. It’s really not worth suing an organization whose net worth won’t even cover your court fees.

Provenance does come up sometimes – a year ago a BigCo was prepared to reject Django over provenance doubts, and being able to provide paperwork solved the problem – but in general CLAs don’t really get used for anything. Having CLAs won’t in any way even prevent a lawsuit, either [3]. So they do seem kinda useless.

So, to recap: you should ask anyone who contributes to sign a CLA, but you probably won’t.

Note

IANAL. The above is based on nothing more than my understanding of copyright law, which is fairly extensive but quite possibly wrong in areas.

Are you a lawyer? Then please feel free to correct me!

[1] Actually, outright copyright assignment would work, too. However, copyright assignment is more difficult, requires counter-signed, notarized paperwork, is problematic across borders, and is unpopular among contributors. So it’s almost never used in open source circles.
[2] Years ago, Alex Russell told me that Django ought to be collecting CLAs. I said “yeah, whatever” and ignored him. And thus have spent more than a year gathering CLAs to get DSF’s paperwork in order. Sigh.
[3] This is the US-of-fucking-A, man; you can sue anyone for anything!