Contributor License Agreement and Developer Certificate of Origin references

In the last few years I have come across the CLA topic several times. It is and will be a popular topic in automotive in the coming years, like in any industry that moves from being an Open Source Producer towards becoming an Open Source Contributor.

In my experience, many organizations take the CLA as a given by looking at the Googles, Microsofts or Intels of the world and replicating their model. But more and more organizations are learning about alternatives, even if they do not adopt them.

What I find interesting about discussing the alternatives is that it brings to the discussion the contributor perspective and not just the company one. This enriches the debate and, in some cases, leads to a more balanced framework between any organization behind a project and the contributor base, which benefits both.

Throughout these years I have read a lot about it but I have never written anything. It is one of those topics I do not feel comfortable enough to write about in public probably because I know lots of people more qualified than I am to do so. What I can do is to provide some articles and links that I like or that have been recommended to me in the past.

Articles

  • “Why you probably shouldn’t add a CLA to your open source project”, written by Ben Balter back in 2018, is a must-read. Ben is a United States-based lawyer who works for GitHub as their “evangelist” to government agencies.
    • “CLAs are Not a Sham” by Kyle E. Mitchell, a lawyer, is a response to the previous article.
  • “The trouble with Harmony: Part 1 and Part 2” by Richard Fontana (2011), a Red Hat lawyer. He came back to the topic this year (2019) in his article “Why CLAs aren’t good for open source”, summarising Red Hat’s position.
  • “Why Your Project Doesn’t Need a Contributor Licensing Agreement” by Bradley M. Kuhn on June 9, 2014. Bradley is a well-known member of the Software Freedom Conservancy.
  • “Contributor Agreements Considered Harmful” by Eric S. Raymond on July 8, 2019, represents a clear view from the individual contributor’s perspective on the CLA topic.
  • “Community contributions and copyright assignment” by Jonathan Corbet, October 28, 2009. This article analyses from the contributor’s perspective the Canonical Ltd CLA which started a heated debate back then, leading to the Harmony project creation first and the initiative by the Mark Shuttleworth Foundation later on, two of the main attempts to standardise CLAs to date.
  • “Some thoughts on Copyright Assignment” by Michael Meeks, 2011, is still one of the most relevant articles on the topic, covering not just the theory but also giving examples of how harmful unbalanced relations with an entity that controls an Open Source project might be for contributors. The Recommendations section of this article has been especially relevant over time.

DCO

It is impossible nowadays to talk about CLAs without talking about DCO (Developer Certificate of Origin). Here are some articles that I find interesting:

  1. Ben Cotton’s article “CLA vs DCO What’s the difference”, from 2018, is a good article to read because it does not favour one over the other.
  2. I like the article “CLAs and using DCO clearly” from Hen, written back in 2018, because it summarises well the costs associated with CLAs and how they (do not) apply to the DCO.
  3. It is worth reading the summary of James’s talk at the Linux Foundation Collaboration Summit 2014, “The most powerful contributor agreement”, done by Jonathan Corbet.
  4. Julien Ponge wrote “Developer Certificate of Origin versus Contributor License Agreements” back in 2016.

For companies that “do not buy into the anti-CLA” case, R. Fontana proposes another two options:

  1. Eclipse Contributor Agreement
  2. The Software Freedom Conservancy’s Selenium CLA, which are not proper CLAs but DCOs in his view.

FLA

It is always interesting to learn about the Fiduciary License Agreement (FLA), developed by the FSFE:

  1. Fiduciary Programme
  2. FLA FAQ
  3. FLA-2.0 announcement.

Inbound = outbound

A serious conversation about CLAs requires understanding the concept of inbound=outbound:

GitHub explains inbound=outbound as:

  • “Outbound licensing” refers to granting a licence to another party to use, copy, distribute… (depending on the license) your intellectual property.
  • “Inbound licensing” means obtaining a licence from another party to use, copy, distribute… (depending on the license) its IP for your own consumption (distribution, etc., again depending on the license).

GitHub explains inbound=outbound as:

Whenever you make a contribution to a repository containing notice of a license, you license your contribution under the same terms, and you agree that you have the right to license your contribution under those terms.[…]

In the CLA discussion context, the general idea behind inbound=outbound is that the project should make evident to every contributor the contribution conditions, including those related to license rights and restrictions. The contributor will then contribute her code with the same license, giving little room for later claims, either by the project, the contributor or third parties, based on those conditions being unclear or not easily reachable.

The project license and its description should be prominent and located at least where it is common practice in Open Source to find them. The same applies to all the assumptions and conditions affecting the contributors and the project in this area.

Common practice, many will claim, but sadly some projects are better than others on this.

Who is doing what?

In CLA discussions, it helps to know what others are doing. Here you have some links I have collected over the years and I still find relevant. I have to recognise that in a couple of cases I do not remember exactly why they caught my attention at the time.

Company driven projects:

Consortium driven projects:

Community driven projects

Organizations with different agreements for individuals and entities:

Organizations with CLA:

Additional links

And finally, I have several links that I think are worth reading for different reasons:

  1. Project Harmony is worth investigating as an interesting attempt to standardize CLAs:

  2. GitHub uses an individual and an entity CLA. Their CLA-assistant is interesting.

  3. James Bottomley’s ideas about the Corporate Contribution Pledge, published back in 2016 as a complement to the DCO, are worth reading.

Additional suggestions from readers

I hope my effort triggers the contributor in you so you provide additional links or challenge the ones above. I will substitute this text for those links you provide, obviously giving you credit by default. It would be a great way to help others in the future. Thank you very much in advance.

Akademy 2019 is over.

Akademy 2019 took place in Milan, IT, at the University of Milano Bicocca from 7th to 13th of September. I arrived on Friday 6th and left Milan on Tuesday 10th.

Akademy 2019 group photo

This year Akademy was a little bit different for me. I joined MBition recently to push Open Source and, given the kind of activity and technologies we use, KDE is a community we can learn a lot from. We have many things in common.

MBition decided to sponsor the event at the Supporter level and my colleague Julia König came with me for a couple of days to learn more about this kind of event and this community in particular.

We attended the welcome event, the sponsors dinner and the first days of talks together. During the second day of talks, I introduced the company to the attendees during the sponsors talk.

It was also great to see my former employer, Codethink Ltd, as sponsor once again.

Several of the talks were very interesting although in general I did not attend many. I spent quite some time outside talking to old friends, some new young contributors and other sponsors.

In terms of talks, the highlight of the event was Lars Knoll, CTO of The Qt Company. The interview published a few days before his talk is worth reading. He presented the most relevant plans about the coming Qt 6.

One of the things that have improved in KDE is our communication with the outer world. And Akademy reports are just an example. Check out the report about the first couple of days (talks).

On Saturday several talks reported about the accomplishments and challenges of the goals the community has been focusing on over the last couple of years. The new goals were presented on Sunday, the second day of Akademy.

On Monday 10th, part of the day was invested in the KDE eV General Assembly. Some BoFs also took place that day. You can watch the report published on The Dot.

As mentioned, I came back to Málaga on Tuesday morning but you can read the reports about the Hands on Sessions and discussions that took place on Tuesday, Wednesday and Thursday.

Last but not least, do not miss the interview with Leonardo Favario, Project Leader at the Italian Digital Transformation Team. It is a good one.

Thank you to the organizers and sponsors as well as the rest of the people who made Akademy a great event, in record time. It would be a great sign for MBition to be able to come back next year.

KDE is looking for a place and a team to host the event next year. If you are interested in gaining some traction locally to your Open Source efforts and are willing to meet a whole bunch of crazy, smart and friendly developers, think about applying to organize Akademy 2020 (download the brochure).

I would like to finish this article sending my condolences to the family and friends of Guillermo Amaral, now that it has been made public that he passed away, victim of a cancer he fought hard.

Guillermo Amaral. Pic from one of his videos.

Guillermo was a great person. He had magnetism and a unique sense of humor. I can say nothing but good things about him. He did great stuff.

Life is not fair.

Going to Akademy together with MBition

I will be at Akademy 2019 in Milano, IT for a few days. I am not going alone; Julia JK König, from MBition, will be there with me during the first two days.

MBition is still in the learning phase as an organization when it comes to Open Source, but the enthusiasm among my colleagues, including the leadership team, with the possibility of becoming contributors in the near future makes me confident about our Open Source journey.

One of my initial goals is to help the organization to learn about how Open Source communities operate, what their motivations are, what they do, their governance, etc. As I have written before, I would divide the Open Source communities in three big groups:

  • Community driven Open Source projects.
  • Consortium driven projects.
  • Company driven projects.

In order to learn about community driven projects, I think KDE is a great place to start and not just because I am involved in the project. There are several additional reasons. The most obvious ones are:

  • MBition is a C++ and Qt house, just like KDE.
  • KDE has significant experience in areas where MBition is currently working.
  • MBition (and Daimler in general) collaborates with universities in internship programs. KDE is one of the most successful Open Source projects when it comes to mentoring programs.
  • MBition HQ is located in Berlin, GE, and KDE eV is registered there.
  • I am not the only current or former KDE contributor at MBition. Motivation is king.

MBition decided not just to attend Akademy but also to become a Supporter, by the way.

See you there.

Agile On The Beach: my first time

During 2017 and 2018 I got several interesting references at events like Scale Summit and pipelineconf about an interesting event in the south-west of England about lean, agile and continuous delivery that got my attention. I decided that I could not miss it in 2019.

The 2019 edition of Agile On The Beach was the 9th one. The event has gained a good reputation among agilists for being a good mix of great content and relaxed atmosphere in a beautiful environment. This is not surprising for somebody coming from the Open Source space but is not such a common combination within the lean/agile/CD world.

I bought the tickets and reserved the accommodation on time (months before the event). As you know, I started in MBition in June. My employer was kind enough to make it easy for me to attend. So on July 10th I headed to Falmouth, Cornwall, UK to participate in Agile On The Beach during the following two days, coming back to Málaga on Saturday July 13th.

I liked the event. I felt at home, as if I was at Akademy, for instance. There were some outstanding talks, a great atmosphere, talented and experienced attendees, reputed speakers, good organization and nice social activities. Yes, the trip to get there was long but I had no delays in any of the several planes and trains I had to take (who said British trains are awful?), which allowed me to invest a few hours working each way.

The videos have not been published yet. I will add as comments those I recommend you to check.

Update: please find the videos here.

Next year the event celebrates the 10th edition. They promised to do something special. If you are in the UK or are willing to invest several hours traveling to a good Lean/Agile/CD event, Agile On The Beach is a great one. But stay tuned, the number of tickets is limited and they are gone several months before the event starts.

A new door opens: MBition GmbH

This month of June I have started a new adventure. I have joined MBition GmbH, a 100% owned subsidiary of Daimler AG focused on …

“MBition focuses on Infotainment-Software, Navigation-Software, Cloud-Software and UI-Software.” (extracted from the MBition website).

Automotive is one of those industries that is going through disruptive changes. I think it is a very interesting place to be right now if you are looking for some excitement.

Back in 2018, I did a talk at the Autonomous Vehicle Software Symposium, in Stuttgart, Germany, where I said something like this, when referring to software platforms for automotive in the autonomous driving era:

  • What the industry is doing today will not work then.
  • What the industry knows today in this field will not be enough.
  • Learning fast becomes the only suitable strategy to succeed.

Then I asked if OEMs and Tier 1s were learning fast enough. I still believe today that, in general, no, they are not.

Will we at MBition be able to make a positive impact in the way Daimler is learning about how to design, develop, deliver and maintain a software stack that meets the current and future industry requirements, providing at the same time a premium experience to customers, developers and partners?

I will work to answer YES to that question. It will be an outstanding challenge to face during the coming months. I am very excited about it.

Thanks Gregor, Johan and the rest of the MBition crew for giving me this opportunity. A new journey begins.

I will remain in Málaga working remotely for now but visiting Berlin frequently since MBition’s office is located there.