Canonical is often criticized for its CLAs – Contributor License Agreements – by the larger Open Source community. Ironically Canonical is not the only company which requires CLAs, even communities like FSF or ASF require CLAs. Since Canonical is not a community, but a for-profit company, what makes their CLAs so bad considering that companies like Google don’t get the same criticism for their CLAs? What makes Canonical’s CLA so bad whereas when everyone else is also doing the same thing?
First of all why do companies or communities need CLA? Communities and companies require CLAs to get explicit permission from the code author so that they can defend the product or project as a distributor.
Professor Eben Moglen, Software Freedom Law Center explains, “Under US copyright law, which is the law under which most free software programs have historically been first published, there are very substantial procedural advantages to registration of copyright. And despite the broad right of distribution conveyed by the GPL, enforcement of copyright is generally not possible for distributors: only the copyright holder or someone having assignment of the copyright can enforce the license. If there are multiple authors of a copyrighted work, successful enforcement depends on having the cooperation of all authors.”
To be fair, people just like hating on Canonical. The FSF and Apache Foundation CLA’s are pretty much equally broken – Linus Torvalds
What it means in ‘layman’s’ term is that if I am distributing software which has code from various developers I don’t really have any right to defend the project in case of any conflict. The code authors own the copyright thus only he/she can engage. What CLAs do is grant me, the distributor, rights of that code so I can defend it without having each code writer to intervene. It becomes easier if a projects has hundreds of contributors. So in case of FSF or Apache the primary goal is ‘defense’ of the project.
But here we are talking about communities who don’t have any monetary goals. Things may change when profit making companies are involved. Companies like Google or Canonical also require CLAs for almost the same reason. However, that’s where the conflict starts.
When we talk about Apache’s CLAs – the Apache license, like BSD, already allows a project to be released under a proprietary licence. That’s one of the reasons companies prefer BSD or Apache licences because unlike a community driven project they don’t much care about ‘getting locked out of their own code’ – something that GNU GPL prohibits. They choose weaker licences so that their code is compatible with proprietary stuff. So when Google or Apache require CLA it doesn’t conflict as they already use a weaker licence.
Renowned developer Matthew Garrett explains, “The FSF’s copyright assignment ensures that contributions to GPLed software will only be distributed under GPL-style licenses. The Apache CLA permits the ASF to relicense a contribution under a proprietary license, but the Apache license allows anyone to do that anyway. Going through Wikipedia’s list of CLA users, the majority cover projects that are under BSD- or Apache-style licenses, with a couple of cases covering GPLed projects with a promise that any contributions will only be distributed under GPL-like licenses. Either everyone can produce proprietary derivative works, or nobody can.”
But things change when Canonical does that as they use GNU GPLv3 which prohibits any code to be made proprietary. Their CLA conflicts the licence they use as it give Canonical the rights to release their software under a proprietary licence.