A contributor license agreement, or CLA, usually (but not always) includes an important clause: a copyright assignment.
This is a strategy employed by commercial companies with one purpose only: to place a rug under the project, so that they can pull at the first sign of a bad quarter. This strategy exists to subvert the open source social contract. These companies wish to enjoy the market appeal of open source and the free labor of their community to improve their product, but do not want to secure these contributors any rights over their work.
List of some companies that use CLAs: https://en.wikipedia.org/wiki/Contributor_License_Agreement#Users
First link gives an SSL warning for me. Here’s the WayBackMachine link https://web.archive.org/web/20240425192244/https://drewdevault.com/2023/07/04/Dont-sign-a-CLA-2.html
Maybe your browser doesn’t like Let’s Encrypt certificates.
No issues here whatsoever with other sites, including those that use L.E. certs. Weird. I guess it is a Tor circuit related issue. On another browser without Tor it loads fine.
I’m surprised that other people are surprised that for-profit companies constantly try to increase their profits; such companies only contribute to FOSS when that’s more profitable than the alternative. The Linux kernel, AMDGPU, Steam, etc only exist because some part of the software/hardware stack is proprietary (which becomes a more attractive product as the FOSS portion of the stack improves).
I’m definitely not justifying the “rug-pulling”, but people need to stop supporting projects with no potential for long-term profitability unless those projects can survive without any support from for-profit companies. Anything else is destined to fail.
A major caveat I’ve noticed some people misunderstand: it’s corporate CLAs that are problematic. The Apache Foundation also requires contributors sign a CLA, but it’s to provide a legal fail safe and a way to update to say Apache 3.0 if need be one day. Apache’s non profit, open source mission aligns with respecting the rights of contributors and the community. Corporations, on the other hand, not so much.
The way I see it is that we don’t know the content of Apache 3.0, nor have a vote to chose what license they adapt in the end. Does Apache have a good track record? Yes, but it is getting diffcult to put trust in sonething today. It’s still a rug under, or fail safe as you name it, which is used by corprates today. I would rather have a framework/procedure in place preventing it from happening from the get go.
ADDITION: I haven’t read Apache’s CLA yet so it might or might not contains copyright grant clause.
Sentry also did this by embracing the Business Source License. Technically, you can still get an MIT-licensed version, but it has to be more than two years old.
As a former employee that worked there during the days that Sentry really promoted itself being Open Source, it was disappointing to see. VC Funding and a growth obsession basically poisoned the well.
I just found out some softwares around infrastructures also uses CLA, including:
- Kubernetes (hosted by CNCF)
- Istio (hosted by CNCF)
- Grafana
- All projects under Apache Software Foundation (e.g. HTTP server)
- OpenStack (hosted by OpenInfra)
To my surprise, even Golang core uses CLA too.
EDIT: Add more to the list
EDIT 2: Envoy Proxy also hosted by CNCF uses DCO instead of CLA. Interesting.
It looks like very difficult to bulid an infra without some components uses CLA.
