
Contributor Agreements Considered Harmful - ronjouch
https://www.linuxjournal.com/content/contributor-agreements-considered-harmful
======
jordigh
I don't know about CLAs, but the way the FSF asks for copyright assignment
isn't as careless as Eric makes it out to be. The FSF does require a statement
from your employer that you're able to do the copyright assignment. I know of
at least one prof whose university wouldn't grant that assignment and
therefore the copyright couldn't be transferred. There was no "legal voodoo";
everyone was aware of what needed to happen and understood that it couldn't
because the university didn't want it to.

Whether the FSF getting copyright assignments is helpful or not, I'm not sure,
but it seems that it is: Hellwig's Linux GPL enforcement case against VMWare
has so far hinged on him being able to ascertain copyright over the bits of
code that VMWare allegedly violated, and last I heard, the court threw out his
claims because they decided that git blame logs are not enough proof of his
copyright ownership. If all of the Linux devs could collectively enforce
copyright over their code as a single legal entity with single ownership, this
particular obstacle wouldn't be there.

_Edit_: Just checked. Hellwig decided to no longer appeal. A second court
decided to also not hear the case, on "purely procedural grounds", which I
think again is about the question of copyright ownership:

[https://sfconservancy.org/news/2019/apr/02/vmware-no-appeal/](https://sfconservancy.org/news/2019/apr/02/vmware-no-appeal/)

On the other hand, it's good that VMWare has decided to become GPL-compliant
anyway.

So, yeah, I think the FSF has a good reason to have copyright assignments, to
avoid this particular obstacle.

------
mattl
> Eric S. Raymond is a wandering anthropologist and trouble-making
> philosopher. He's been known to write a few lines of code too. Actually, if
> the tag "ESR" means nothing to you, what are you doing reading this
> magazine?

Seems unnecessary and gatekeepery.

~~~
tsm
When I was getting into Linux as a teenager in 2008 esr came up a lot, but
apart from writing The Cathedral and the Bazaar and a few shorter essays and
contributing to relatively-minor open source projects… what has he actually
done? Especially recently? He frequently feels like someone who's famous
because he's famous.

I'm not trying to slander the guy; he's definitely contributed more code and
ideas to the open source community than I have. I just don't consider him to
be anywhere near the same level of hacker as Linus or rms.

~~~
h2odragon
I'd say I'm a fan and I'd agree he's not a hacker in Linus or rms class. His
utility is explaining hackers, their actions, and the reasons for those
actions to non hackers in a way that everybody doesn't disagree with too
badly.

 _I_ couldn't articulate why I wanted to release software under an Open
license to my boss, but ESR's writing helped them understand as far as they
were able.

~~~
DonHopkins
He certainly believes he's the most famous programmer in the world.

At least Terry Davis could write code.

[https://geekz.co.uk/lovesraymond/archive/show-them-the-code](https://geekz.co.uk/lovesraymond/archive/show-them-the-code)

[https://geekz.co.uk/lovesraymond/archive/moral-compassed](https://geekz.co.uk/lovesraymond/archive/moral-compassed)

[https://news.ycombinator.com/item?id=13147038](https://news.ycombinator.com/item?id=13147038)

tptacek on Dec 10, 2016 [-]

I think we're all pretty sure ESR is not in fact a god, and that nothing could
have occurred with ESR or his magic flute to have demonstrated to him that he
was. Rather, the story is more broadly illustrative of a pretty extreme
narcissism and --- challenging --- variant of self-awareness. For a more down
to earth example, consider how many of us would non-ironically write the
following passage:

I’m wondering about this because my wife Cathy asked me a simple question last
night, and I realized I didn’t have an answer to it. “Are you” she asked “the
most famous programmer in the world?”

This was a question which I had, believe it or not, never thought about
before. But it’s a reasonable one to ask, given recent evidence – notably, the
unexpected success of my Patreon page. This is relevant because Patreon is
mainly an arts-funding site – it’s clearly not designed for or by techies.

It goes on in this vein. Here, by the way, is a link to his Patreon page:

[link redacted]

Apparently we value "the code that makes our digital world work" a bit less
than we value the person who fries our french fries at McDonalds. If that
sounds mean, well, it is, but it was also Eric Raymond who put forward the
idea that his Patreon page may indicate that he's among the most famous
programmers in the world.

For a nerdier take on ESR's merits, hunt down Terry Lambert's take on
fetchmail. (You should know who Terry Lambert is, if you don't already).

[link provided to "A tangential diatribe on the unsuitability of fetchmail"]

[https://markmail.org/thread/pmoqk6tuybncu2is](https://markmail.org/thread/pmoqk6tuybncu2is)

armitron on Dec 10, 2016 [-]

Not to mention that ESR was, at some point, a multi-millionaire. Pretty sure
he still is, in which case that Patreon page of his would be nothing but a
con.

~~~
Bartweiss
> _He certainly believes he's the most famous programmer in the world._

This raises an interesting question: who actually _is_ the most famous
programmer?

(Obviously it's a fuzzy standard, but I'd broadly want to say "famous largely
for coding work". I don't think Brin or Page were household names until they
were in executive roles. Whether Zuckerberg counts, or rather when his fame
stopped counting, is tricky. Snowden, Assange, Swartz, etc. I'd discount for
the same reason.)

Offhand, the same-generation names that I think beat esr are Richard Stallman,
Linus Torvalds, and maybe Knuth. The overall winner might be Sir Berners-Lee,
who regularly gets mainstream press coverage - unless we're including Turing.

~~~
DonHopkins
He's not that famous outside of hard core geek circles, but I am a huge fan of
James Clark (not the SGI guy, but he's awesome too for different reasons), who
wrote the Expat XML parser, Relax/NG XML schema language, and many other
widely used standards and bodies of code that drive the Internet.

[http://www.jclark.com/](http://www.jclark.com/)

[http://www.jclark.com/bio.htm](http://www.jclark.com/bio.htm)

He has such clarity of thought and mastery of diverse languages (some of which
he invented and implemented). He saw exactly what was wrong with XML Schemas,
and addressed it practically and elegantly with TREX, which he and others
refined through humble constructive collaboration into Relax/NG. And he's a
big proponent and creator (not just a talker like ESR) of free open source
software.

[https://relaxng.org/jclark/](https://relaxng.org/jclark/)

Here's a fascinating insightful DDJ interview of James Clark, "A Triumph of
Simplicity: James Clark on Markup Languages and XML":

[http://www.drdobbs.com/a-triumph-of-simplicity-james-clark-o...](http://www.drdobbs.com/a-triumph-of-simplicity-james-clark-on-m/184404686)

>A Triumph of Simplicity: James Clark on Markup Languages and XML

>If you peek under the hood of high-profile open-source projects such as
Mozilla, Apache, Perl, and Python, you'll find a little program called "expat"
handling the XML parsing. If you've ever used the man command on your
GNU/Linux distribution, then you've also used groff, the GNU version of the
UNIX text formatting application, troff. If you've ever done any work with
SGML, from generating documentation from DocBook to building your own SGML
applications, you've undoubtedly come across sgmls, SP, and Jade.

>Whether you've heard of him or not (and mostly likely, you haven't), James
Clark (below right) has made your life easier. In addition to authoring these
and other widely used open-source tools (see
[http://www.jclark.com/](http://www.jclark.com/) for a complete list), Clark
served as the technical lead of the original W3C XML Working Group and as the
editor of the XSLT and XPath recommendations. He recently founded Thai Open
Source Software Center
([http://www.thaiopensource.com/](http://www.thaiopensource.com/)). His latest
project is TREX, an XML schema language. Clark sat down with Eugene Eric Kim
to discuss markup languages, the standardization process, and the importance
of simplicity.

[...]

>DDJ: You're well known for writing very good reference implementations for
SGML and XML Standards. How important is it for these reference
implementations to be good implementations as opposed to just something that
works?

>JC: Having a reference implementation that's too good can actually be a
negative in some ways.

>DDJ: Why is that?

>JC: Well, because it discourages other people from implementing it. If you've
got a standard, and you have only one real implementation, then you might as
well not have bothered having a standard. You could have just defined the
language by its implementation. The point of standards is that you can have
multiple implementations, and they can all interoperate.

>You want to make the standard sufficiently easy to implement so that it's not
so much work to do an implementation that people are discouraged by the
presence of a good reference implementation from doing their own
implementation.

>DDJ: Is that necessarily a bad thing? If you have a single implementation
that's good enough so that other people don't feel like they have to write
another implementation, don't you achieve what you want with a standard in
that all implementations — in this case, there's only one of them — work the
same?

>JC: For any standard that's really useful, there are different kinds of usage
scenarios and different classes of users, and you can't have one
implementation that fits all. Take SGML, for example. Sometimes you want a
really heavy-weight implementation that does validation and provides lots of
information about a document. Sometimes you'd like a much lighter weight
implementation that just runs as fast as possible, doesn't validate, and
doesn't provide much information about a document apart from elements and
attributes and data. But because it's so much work to write an SGML parser,
you end up having one SGML parser that supports everything needed for a huge
variety of applications, which makes it a lot more complicated. It would be
much nicer if you had one SGML parser that is perfect for this application,
and another SGML parser that is perfect for this other application. To make
that possible, the standard has to be sufficiently simple that it makes sense
to have multiple implementations.

------
dctoedt
FTA: " _If it ever comes to a court case, one of the first things [sic] the
judge is going to look at is community expectations and practice around our
licenses. A jurist is supposed [sic] to do this in contract and license cases;
there's some famous case law about the interpretation of handshake contracts
among Hasidic Jewish diamond merchants in New York City that makes this very
clear and explicit._ Where there is doubt about interpretation _and no
overriding problem of equity, the norms of the community within which the
license/contract was arrived at should govern._" [Emphasis added.]

The first two sentences of this quote are flat-out wrong and give false hope
about the supposed willingness of (U.S.) courts to rescue people from "unfair"
contracts. Only in the italicized part of the final sentence does ESR get it
right, and even then only partly so.

1. In American law's protocol ("subroutine") for interpreting contract
language, a judge will never get as far as looking at industry standards
_unless_ the judge first determines that the language is ambiguous, that is,
capable of two or more _plausible_ interpretations, _and_ that evidence of
industry standards can be helpful in resolving the ambiguity.

2. "Equity" generally doesn't enter into contract interpretation or
enforcement, at least in U.S. law. The normal governing principle here is
"freedom of contract" — as in, you're free to make a really dumb deal, and
(with rare exceptions such as "unconscionability") the court won't rewrite the
contract for you just because you come to regret having entered into it.

3. If the judge does get as far as taking industry standards into account,
then: (A) Evidence of just what those standards _are_ will need to be
presented; (B) the finder of fact — possibly the jury — might have to weigh
the evidence and "decide" what those industry standards are, for purposes of
deciding the case; and (C) the industry standards won't necessarily be
controlling in any case.

Source: I teach business-contract drafting as a part-time law professor; my
relevant course materials, with links to additional reading, are at
[https://toedtclassnotes.site44.com/#AmbigTop](https://toedtclassnotes.site44.com/#AmbigTop)

~~~
Bartweiss
Thank you for this. The claim that community expectations are relevant in the
face of a clearly-written contract sounded bizarre to me, but it's nice to
have some actually informed confirmation.

As an aside, do you know what case law he's talking about with the diamond
merchants?

Not only can I not find any such "famous case law" with a quick search, I'm
instead finding articles like this which specifically claim those handshake
contracts _aren't_ enforceable, and analyze how they function in the absence
of legal protection:
[https://scholarship.law.duke.edu/cgi/viewcontent.cgi?referer...](https://scholarship.law.duke.edu/cgi/viewcontent.cgi?referer=&httpsredir=1&article=1719&context=faculty_scholarship)

------
barkingcat
This seems like making a mountain out of a molehill.

To get an ICLA all legit while you are employed, run it by the legal
department of the company you are employed by, and they can give you an idea
if any changes to the agreement are needed (and of course, if you are allowed
to spend company or private time on the project), and get it signed legally
and on file for all parties involved. Done.

Many of the issues outlined here can be resolved by properly communicating all
the concerns before signing a legal document (which is recommended practice).

It seems like ESR is treating these contributor agreements as static one-way
agreements rather than things that can be changed as needed.

~~~
crdoconnor
>To get an ICLA all legit while you are employed, run it by the legal
department of the company you are employed by, and they can give you an idea
if any changes to the agreement are needed (and of course, if you are allowed
to spend company or private time on the project), and get it signed legally
and on file for all parties involved. Done.

IME company legal departments are unlikely to indulge this kind of thing
unless they owe you a favor.

Where they do, their blanket response is usually "no, now go away".

Ideally any solution to this problem should take account of corporate legal
departments' aversion to extra work and risk.

------
jasonvorhe
It's so sad this guy is still getting airtime and attention.

~~~
abvr
Could you elaborate on why you hold a distasteful attitude towards this
person?

Just curious.

~~~
rodan-
Eric Raymond has some questionable beliefs in my opinion, and this is likely
what OP is referring to.

I'm a big fan of The Cathedral and the Bazaar. But currently Eric Raymond has
come out as a climate change denier, a racist, and also has pushed some odd
conspiracy theories.

~~~
DonHopkins
And he hijacked the Hacker's Dictionary and proceeded to inject a bunch of his
ideological words and definitions in, that in no way represent the hacker
community around the early ARPANET and MIT-AI lab from which it came.

[https://medium.com/@donhopkins/mit-ai-lab-tourist-policy-f73...](https://medium.com/@donhopkins/mit-ai-lab-tourist-policy-f73b77075631)

And as if hijacking the Hacker's Dictionary wasn't enough, he tried to hijack
and corrupt the very meaning of the word "hacker" itself, by presuming to
define what a hacker is, by preaching to people about how to become a hacker,
by blatantly misrepresenting himself as a great hacker and respected leader of
the open source community, even though his programming chops are lackluster
and outdated, his social skills are deceptive and manipulative, and his hacker
spirit is mean, vindictive, and envious of RMS.

And then there's his death threat to Bruce Perens that he tried to excuse by
explaining that he was only trying to "defame" him.

In 1999, Debian developer Bruce Perens published an "email threat" that he
allegedly received from Raymond. Raymond then "clarified" that he only meant
to defame Perens. From this we can assume that he is batshit insane and will
fucking kill and or write to anyone that says anything about him or his
software. If you are lucky you might get an O'Reilly book about you.

[https://lists.debian.org/debian-user/1999/04/msg00623.html](https://lists.debian.org/debian-user/1999/04/msg00623.html)

    
    
        To: debian-user@lists.debian.org
        Subject: email threat
        From: bruce@perens.com
        Date: 5 Apr 1999 22:48:42 -0000
        Message-id: <19990405224842.2386.qmail@perens.com>
    
        Today I received the following threat in e-mail from Eric Raymond. The message
        was copied to the Silicon Valley Linux User's Group officers, who you may
        consult regarding its authenticity. The police have been notified.
    
        Because I know that Eric is a firearms enthusiast, for my own protection,
        I feel the best strategy is for me to publicize the threat widely.
    
                Thanks
    
                Bruce Perens
    
        > Damn straight I took it personally.  And if you ever again behave like
        > that kind of disruptive asshole in public, insult me, and jeopardize
        > the interests of our entire tribe, I'll take it just as personally --
        > and I will find a way to make you regret it.  Watch your step.
    

The irony of Eric S Raymond threatening someone else for behaving "like that
kind of disruptive asshole in public" is rich -- very rich.

[https://geekz.co.uk/lovesraymond/archive/bruce-perens-dead](https://geekz.co.uk/lovesraymond/archive/bruce-perens-dead)

[https://geekz.co.uk/lovesraymond/cat/bruce-perens](https://geekz.co.uk/lovesraymond/cat/bruce-perens)

[https://geekz.co.uk/lovesraymond/cat/bruce-perens/page/2](https://geekz.co.uk/lovesraymond/cat/bruce-perens/page/2)

[https://geekz.co.uk/lovesraymond/cat/bruce-perens/page/3](https://geekz.co.uk/lovesraymond/cat/bruce-perens/page/3)

[https://geekz.co.uk/lovesraymond/cat/bruce-perens/page/4](https://geekz.co.uk/lovesraymond/cat/bruce-perens/page/4)

[https://geekz.co.uk/lovesraymond/cat/bruce-perens/page/5](https://geekz.co.uk/lovesraymond/cat/bruce-perens/page/5)

[https://geekz.co.uk/lovesraymond/cat/bruce-perens/page/6](https://geekz.co.uk/lovesraymond/cat/bruce-perens/page/6)

[https://geekz.co.uk/lovesraymond/cat/bruce-perens/page/7](https://geekz.co.uk/lovesraymond/cat/bruce-perens/page/7)

[https://geekz.co.uk/lovesraymond/cat/bruce-perens/page/8](https://geekz.co.uk/lovesraymond/cat/bruce-perens/page/8)

[https://geekz.co.uk/lovesraymond/cat/bruce-perens/page/9](https://geekz.co.uk/lovesraymond/cat/bruce-perens/page/9)

------
hacknat
Yeah, these got popular with GitHub on bigger projects. It’s like lawyers for
these organizations aren’t sufficiently well versed enough in the laws around
open source to realize they’re already protected, so they apply contracts law,
which is what they learned in law school.

What’s kind of ironic is that I wonder if these are even valid contracts.

Contracts are required to have 5 characteristics: an offer, acceptance,
consideration, competency, and legal intent.

Open source agreements that require disclosing source code changes may lack
the ability to give consideration as you are, in a sense, required to
contribute changes back.

Consideration means you get something in return for signing a contract. The
thing you get for signing ULAs and the like is the ability to use a product.

What are you getting in return for signing these agreements? The ability to
contribute? Already that seems like a pretty weak consideration, but when you
add in that you are required by some licenses to disclose changes and I think
these contracts are completely void of any legal basis.

------
rlpb
The author seems to base his argument on:

1) assuming the reasons a project owner might want to mandate an agreement;
and then

2) demonstrating why those assumed reasons are not fulfilled by an agreement.

However there exist other good reasons a project may want to mandate a
contributor agreement or assignment. If I can demonstrate just one, then his
entire claim is moot.

Here is one reason. A project owner may want to relicense the project in the
future. This would require them to either contact every copyright holder (some
of whom may be unreachable in the future), or to require a copyright
assignment for all contributions, or to require an agreement permitting such
relicensing in the future.

I'm sure some contributors explicitly do not want such relicensing to be
possible in the future. That's fine - but the author has not argued that this
makes such agreements or assignments a bad thing.

Here's a legitimate example: what if your project is licensed under the GPL
but later you want to add SSL functionality by linking with OpenSSL? You'll
need an "OpenSSL linking exception" from all copyright holders which can be
extremely difficult to obtain. If you had a contributor agreement or
assignment in place, then you wouldn't.

What about other things like this that would generally be accepted by the
community in the future, but you haven't thought of today? A copyright
assignment or suitable contributor agreement derisks you from these.

On his "work for hire" point, the same argument applies to any contribution
whatsoever, since if the contributor doesn't have permission to assign
copyright, that contributor may also not have the permission to license their
work.

I'm not trying to argue for or against these agreements here; I'm just saying
that it seems like the author's arguments are moot because of the very narrow
scope of the assumptions that he's made.

------
marcoperaza
Beware this analysis. Intent can matter in copyright law in many important
ways, even if not on the core question of whether there was infringement.[1]
And the fact that a bad actor with a big legal budget can still make hell does
not make something worthless. By that standard, all contracts are worthless.
It’s also worth remembering that not everyone is a bad actor. You can help
secure good will and trust by making sure that the other guy has a full
understanding and proper notice of your arrangement.

I don’t know much about CLAs and I’m no expert in copyright law, but I’m just
saying that this piece doesn’t pass the smell test. It might still be the case
that CLAs aren’t worth your trouble—I really don’t know—but I’d want better
reasons than the ones in this piece.

[1] [https://www.trademarkandcopyrightlawblog.com/2013/12/innocen...](https://www.trademarkandcopyrightlawblog.com/2013/12/innocent-infringement-intent-and-copyright-law/)

