Re: [open-regulatory-compliance] When is a contribution a contribution ?

On 27 Dec 2024, at 11:37, Maarten Aertsen <maarten@xxxxxxxxxxxx> wrote:

> On Mon Dec 23, 2024 at 13:20 CET, Dirk-Willem van Gulik via open-regulatory-compliance wrote:

>> Taking this - is this a good list of `tests' if something is a contribution to an open source steward (OSS) ?
> 
> I am trying to understand the problem space you are attempting to address.

According to the CRA@CNECT presentation - these contributors are not in the scope of the CRA (first blue box, first exit).

The vast majority of open source contributions come from contributors - who are usually at quite some (legal and social) arm's length of the open source (legal or informal/de facto) cabal that gets the software into a distributable state/distributes it.

However - contributions in open source take many, many forms. It is not just patches. So I would like to have a set of tests, or guidance, that very easily lobs this whole group off as `not a concern'. In typical lossy (sales) funnel style.

Historically - open source foundations have acted as a `shield' between developers and the downstream users of their software. To shield these developers from (personal or other) liability when (end) users bring some sort of legal action (in civil court) -- which is a somewhat US/common law risk issue.

One of the things that this has created in the USA is the (individual) Contributor License Agreement (CLA). It has a very simple list of `things' that a `something' needs to be in order to be a contribution to open source. And once you meet those rules - the contributor is legally off the hook for as much as is practically feasible.

So this CLA gives us a 'test' that we can apply to a something that a person or company `contributes' and lets us then say - yes that is a contribution and yes that is enough for the downstream path to (re)distribute under enough of the OSI definition and what not to be something that can end up at an Open Source Steward (and as opposed to some form of fake/commercial open source).

> Can you clarify why you feel there's a need to equate whatever Apache does with the CRA text?

Not trying to equate. However Apache probably was the very first to create a CLA*. Now it is quite common. And as it happens, these all are extremely similar across the open source foundations and across a lot of loose-knit cabals on github. I guess simply as everyone selects the default/example.

So I thought that to be as good a starting point as any. If there is a modern/updated CLA - that would be lovely. Or if someone has a set of substantially dissimilar ones. (I spent a few evenings searching for these; but nothing yet).

> What happens if you don't?

So I would like to have this early 'test' to get rid of as many worried people in the `funnel' as possible. I.e. tell 90% of those attending FOSDEM that the CRA really does not read on their contributions to open source. And make it `easy'.

Secondly, and way more important long term, is that I very much believe that the thing that has made open source the dominant innovation model in IT is its friction-free ability to redistribute the lessons/input learned at the coalface from actual people/companies. So IMHO the most worrisome thing to me for open source is not so much the thing we need to do further down the path near release engineering (that just costs time/resources) -- but having the spigot turned off - breaking that information feedback loop from actual downstream users.

So I really would like a very easy (also for corporate lawyers & liability insurers of sole traders) to understand rule - if you contribute under a CLA - then you are essentially off the hook for the CRA for everything post that point.

Does that help? Or am I missing something?

Dw


*: The ASF was largely born out of the need for having a legal entity - lawsuits were flying during its birth. That made it quite a bit more liability/isolation & individual/natural legal person oriented than most other open source community efforts in the last century. I.e. others like the FSF; which often had noble and a very healthy dose of ethics, philosophy, evangelism & political acumen mixed in. For Apache in its early days - these were far too low on Maslow's hierarchy of needs.