Apache contributors need not sign a CLA

In which I observe that the Apache Software Foundation does not require code contributors to sign Contributor License Agreements.

I am not a lawyer and this is not legal advice.

As always in this blog I speak only for myself and not for my employer, organizations with which I work, or anyone else.

Background

Suppose you are choosing to piggyback your open source software community's intellectual property practices on those of the Apache Software Foundation.

Suppose you've also realized that Git and GitHub (or even GitLab) are radically more satisfying and open tooling than is Subversion. Social coding and all that. Compelling web-based user interfaces, those are going to be a big transformative thing someday.

This tooling lowers the barrier to entry for someone who isn't a committer to fork your project, develop virtuous improvement in a feature branch, and offer this change, propose that it become part of the software product, via awesome artifacts called "Merge Requests" or "Pull Requests".

The question

Here's the question: must code contributors proffering Pull Requests first sign a Contributor License Agreement before those Pull Requests can be merged? Must, further, that signature happen via a PDF?

My analysis

The Apache Software Foundation does require committers to sign a Contributor License Agreement to gain committership. And that signature process does require physically printing and signing a PDF, or the digital signature equivalent. Not a convenient web-based click-through process, to be sure.

But one need not be a committer to contribute code to an Apache Software Foundation project. Indeed, most people aren't committers, most people don't become committers, and those who do become committers earn that rarified status by first contributing.

The Apache Software Foundation primarily relies upon Subversion, sometimes with Git mirrors. Non-committers have only read access to Subversion. Their avenue for contribution more involves composing patch files and submitting these via post to an email list or attachment in an issue tracker.

Offering a patch file in this way does not entail signing the ICLA. Rather, e.g. in the case of Bugzilla, there's simply click-through language stating that by logging in, you represent that anything you submit can be redistributed in the project under the Apache licensing terms.

Please note that by logging in/creating an account here, you:

  • Understand that projects developed at the Apache Software Foundation are licensed under the terms and conditions of the Apache License version 2.0.
  • Have read and understand the terms and conditions of the Apache License version 2.0.
  • Certify that any object code, source code, patch, documentation, etc. that you may supply to an Apache project can be redistributed under the same license terms and conditions as the project itself.

No printing, no signing, no PDFS, no hassle.

More generally, what is essential is clear intent by the author to contribute under the Apache license terms, and clear record of that intent. That's why contributions via attachments in Bugzilla, or JIRA, or post to an email list, or so all work.

We don't need a CLA on file to accept contributions from non-committers. We just need a clear intent by the author to contribute under our normal terms.

We have archives on all of our communication channels. We don't need the silly checkbox. We never have.

(source).

I argue that it is this offering patches that is most analogous to what would-be contributors are doing when they offer a Pull Request to an open source project via GitHub. They are not Committers. They are merely contributors, expressing an intent to contribute something specific.

And so the analogous intellectual property posture to adopt via a vis these contributors is not to require that they sign ICLAs. It is to consider their clear expression of intent to contribute (which is fundamentally what a Pull Request is -- one is requesting that the project pull in the contribution, and even more so if the CONTRIBUTING.md clarifies.)

You don't need my analysis

I'm not a lawyer.
And you and I should really let Apache speak for itself.

Committers sign ICLAs, contributors don't...

that opinion comes from me speaking as a board member and author of the Apache License, and has previously been cleared with Apache's legal team for a long ago discussion with Incubator. We don't need a CLA on file to accept contributions from non-committers. We just need a clear intent by the author to contribute under our normal terms.

You don't need Apache's analysis either

The Apache 2 license itself specifies

Unless You explicitly state otherwise, any Contribution intentionally submitted for inclusion in the Work by You to the Licensor shall be under the terms and conditions of this License, without any additional terms or conditions.

Pull Requests are maybe the world's purest form of intentional submission to the Licensor of a Contribution for inclusion in the Work. They're a detailed, technical request that the Licensor include a specific changeset in the Work.

Disclaimer

There's at least one Apache example of requiring CLAs of Pull Request submitters.

There are instances of Apache projects intaking code contributions via Pull Requests on their GitHub mirrors. Since Git is only a mirror, these pull requests flow through a process of being linked from an issue tracker entry. Conceptually this is like attaching a patch file to the issue tracker entry, except representing the patch file in a radically more friendly and compelling way.

Weirdly, some contributor guidance does ask those offering Pull Requests to first sign a CLA. This is weird because the same changeset represented as a patch file attachment presumably wouldn't require a CLA, would only require a clear expression of intent.

I suppose Apache project PMCs / committers are free to impose more requirements and higher intellectual property standards on contributions. No one is entitled to have their contributions accepted and projects and project participants can gate their acceptance beyond the requirements of the Foundation further on whatever they want.

But when Apache project committers require Pull Request offers to sign the CLA, they're not doing so out of a requirement of Apache licensing policy. They may be doing so to achieve sufficient comfort that in their adding the third-party contribution to the repository they, the Commiters, are themselves fulfilling their obligations under their agreement to the CLA.

Post image credit: xkcd via cc-by-nc-2.5.