In my opinion, there is a responsibility for such organizations to identify, define and manage risks related to the responsibility of oversight of what is a very valuable item: the intellectual and creative work embodied in the software products. This is ignored only at great risk to the software, its users and those responsible for the continued development of the software. As a whole, the Free software ecosystem fails more than it succeeds in this, though it is getting better every year.
As a result, I see on a disturbingly regular basis non-profit foundations causing problems for the projects they were formed to support because such oversight was not well defined or managed. (Personally, I feel that a professionally managed service to create and build in the right oversight tools would be invaluable to the Free software community; too many hackers screw this up badly with significant consequences, which is understandable in the sense that they are hackers not lawyers or business people. Linux Foundation, FSFE: are you listening? :)
I also see copyright violations by third parties being brought into the light regularly and distributed copyright often getting in the way. One way to mitigate that is copyright management agreements, such as the FSFE's or KDE e.V.'s Fiduciary License Agreements (FLA), which empower a trusted third party to act on contributors' behalf without removing any of their original rights while simultaneously setting out firm boundaries on what those third parties are allowed to do. (Such as: "they can't change the license to a non-Free one.")
I also see huge issues popping up around patents, with various remedies with varying levels of utility being put in place as stop-gaps while people work towards actually fixing the patent system (a lifetime's work, really). These include the Open Invention Network (OIN) and including patent clauses in copyright licenses.
Managing the risks around intellectual property law is critical to maintaining the reward of the wide open green pastures of Free software and open source development in a world of business, government and intellectual property law. I am quite firmly in favor of such risk management, to the point that I was one of the people who helped ensure KDE e.V.'s FLA came into existence and that KDE e.V. signed on with OIN.
Now, I'm not a lawyer, and as such I would never, ever give legal advice to others. I can only share my thoughts based on my experience and explain my own personal decisions so that others may, at their discretion and risk, factor them into their own thinking on the matter.
This is all a very long preamble to me making this statement:
It is my personal opinion that Canonical's Contributor Agreement program is, in its current form (as of Sept 2010), flawed such that I can not participate in it due to the risks it brings me and my Free software contributions.
I am making this statement because I was recently asked to sign Canonical's agreement, but I could not. I sent an email of declination today along with the following explanation for my decision:
Normally I would have no problem with doing this, except that the contributor agreement is flawed in a number of ways.
I'll ignore the dubious legality of "signing" the agreement by email, because that's really Canonical's risk, not mine.
However, while I can ignore that oddity, what I can't ignore are the following items in the document:
- Para 3 allows Canonical to adjust what is covered at their discretion with no boundaries. By adding an entry to http://canonical.com/contributors Canonical gains access to my copyrights in that project. There is no express boundary or definition to what Canonical can add to that list. As a result I can not guarantee that my contributions to any possible project listed there could be held under this contract. Therefore, I can not in good conscience sign the document.
- Para 4 does not provide sufficient definition of what "submitted to Canonical by me" means. In this case, I committed code to a repository. How is that submitting it to Canonical? The problem here is that, due to it being so vague, nearly anything I commit to a repo that Canonical claims maintainership of (regardless of where it is hosted, its previous history, etc.) could fall under this wording.
- Para 6 says, "Canonical may also, in its discretion, make the Assigned Contributions available to the public under other license terms." This means that the "ordinarily" wording of the first sentence in the paragraph is a "gentleman's agreement" and not actually meaningful in the least. Canonical is fully within its rights to release such code under, for example, a proprietary license. It could hand those rights over to another party as well, given how this agreement is worded. That runs counter to the ethics I hold which have led me to dedicate my professional life to Free Software.
- Para 8 would put a legal requirement on me to notify Canonical if I even become _aware_ of any possible patent (or other IP) issues relating to my contributions. That is highly onerous, and I do not have the time or financial resources to be able to commit to such an absurd burden.
- There are no termination clauses, meaning that no matter how I feel about Canonical (or Canonical about me) or what actions Canonical (or I) perpetrate in the future, there is no clear provision for how to terminate the agreement cleanly.
Since the agreement does not allow for amendment (see para 13), I regret that I can not enter into an agreement with Canonical based on this document. I am not opposed to such agreements in principle, as I have signed similar agreements with other parties. The material difference in those cases was that the terms were reasonable and well defined and were accompanied with clear guarantees as to how the rights I am signing over will be managed.
If Canonical can present me with a reasonable document (the FSFE and KDE e.V.'s assignment documents meet that requirement very nicely, as just two examples), then I'd be happy to sign.
I am sharing this with you, dear readers, because I am sure some of you have also been asked to sign on with Canonical's contributor agreement program and I am concerned that perhaps not all have considered the implications of the wording of their document.
The only thing worse than risk management is bungled risk management, as it creates new and unintended risk (which often means it's also undefined in scope!) for those you care most about. It's a great way of unintentionally damaging your allies and partners.
I hope Canonical produces a better document in the future, for the sake of all involved. It has the right intentions and even some aspects done "right" in my estimation (such as the license-back). As it stands now, though, it is my opinion that it is too broken to be safe for me as a Free software contributor to sign it. I do applaud their efforts to be responsible with the Free software they tend to (and wish more entities in our ecosystem would show a similar awareness of their responsibility), but another go at it with a more thorough and sound legal treatment is in order.
(This blog entry is not legal advice. :)