thin-edge
Rewrite CLA to DCO
Part of #1385
This is the tracking task for replacing the contributor license agreement (CLA) with the Developers Certificate of Origin (DCO).
we had a discussion on this topic when we started the project. This article summarizes the issue with DCO https://writing.kemitchell.com/2021/07/02/DCO-Not-CLA and based on our legal team led to the decision to create the current CLA.
Therefore the idea was to stick with the CLA once we move to a new legal entity for thin-edge.io .e.g. the Linux or Eclipse foundation --> this activity has been paused due to ongoing governance &vision discussions to finish first.
My suggestion would be to focus on the foundation activities instead and change the legal entity of the project
I agree with Andrej statement above. Rather than getting caught in legal alignment, I think we should focus on getting the set of things we have planned sorted e.g vision, governance, etc. And then once we have the right foundation picked - in alignment with their recommendations and best practices do this.
we had a discussion on this topic when we started the project. This article summarizes the issue with DCO https://writing.kemitchell.com/2021/07/02/DCO-Not-CLA and based on our legal team led to the decision to create the current CLA.
Therefore the idea was to stick with the CLA once we move to a new legal entity for thin-edge.io .e.g. the Linux or Eclipse foundation --> this activity has been paused due to ongoing governance &vision discussions to finish first.
My suggestion would be to focus on the foundation activities instead and change the legal entity of the project
Reading through the linked blog post I pretty much agree with it!
As he recapitulates in this table:
Reading the table: the DCO + Apache license (which we are using) + Workflow covers all the bases for all points one might have an issue with from a licensing standpoint.
This thus reduces the discussion to 'moving' to a foundation. To do this the CLA gives Software AG unilateral rights to change the licensing terms of the project. Not necessarily bad, but has historically always been a contentious point and is generally frowned upon in the non-commercial OSS sphere. (After all, we are not selling thin-edge itself, so what are we protecting?) It is also not required. After all, anyone who contributes is allowed to re-license their work as they wish. So in the consideration of a move to a foundation, the community can be called upon to ask to change their license to the new terms. This has been done before and generally not seen as an issue. (This is also aided by the fact that any work done by SAG or IFM workers is licensed by their respective company usually. At least what has been done in work capacity.)
So, my suggestion to move away from a CLA to a more community-friendly alternative would be the following:
Either:
- Remove the CLA and put in the DCO, keeping the apache license. This covers all bases and allows the project to continue as is. Should a move to another org. happen, a call for relicensing could be made and the matter discussed there on its merits.
Or:
- Remove the CLA and put in place another agreement that is more restrictive: "By submitting and signing your work, you agree to relicense your work ONCE for the EXPRESS PURPOSE of MOVING THE PROJECT TO ANOTHER ORG. under the condition that the new license is OSI and/or FSF approved and gives AT LEAST the same rights as the apache license." I'd let your lawyers write the foolproof version. This would IMO be more in spirit of: 1. What you are trying to achieve. 2. Bind the project to keeping its promise in the spirit of Open Source 3. Give contributors peace of mind that the license will not be worse for the rights of its users.
In parallel, the key question about a foundation.
Can you elaborate please why you consider joining a foundation to be necessary for thin-edge? I can't find much on the topic that does not come directly from foundations and as such I consider more marketing.
I understand why a company might want to join one of these foundations, but I think that is separate of having a project there.
