>> law, technology, and the space between

All content by Kyle E. Mitchell, who is not your lawyer.

You can subscribe via RSS/Atom or e-mail and browse other blogs.

Real and Imagined CLA OverreachCLAs go wrong when they act like hiring terms

I have seen no end of online comments taking HashiCorp’s license change as opportunity to decry contributor license agreements. These are always dismaying moments. When the knee-jerk anti-CLA activists come out, they make a sad parade of enduring misconceptions.

There is a situation where deciding specifically not to use a CLA makes sense. In fairness to CLA opponents who understand the mechanics, I’ve seen consistent and reasoned support for not using CLAs in situations checking all these boxes:

Whether “locking open” and trusting license stewards are or aren’t things projects should do is where the well studied debate on CLAs actually is. Disagreement on these things leads to justified disagreement about CLAs, not the other way around.

Edge case aside, CLAs do important work in other circumstances. And some of their terms do place risk and responsibility on contributors. When it comes to their rights to actually license their contributions, rightfully so. No “contributing” IP problems to public projects, please. But it is absolutely true that CLA terms, being essentially freeform, can overreach and become unfair.

Case in point, this bit I spotted in section 6 of Artifex’s CLA:

You agree to cooperate fully with Artifex, to take such actions, to execute such further instruments, documents and agreements, and to give such further written assurances, as many be reasonably requested by Artifex to carry into effect the intents and purposes of this Agreement.

This is not something Artifex made up. It’s what’s known among lawyers as a “further assurances” clause. Further assurances clauses appear in nearly any intellectual property agreement for employees and independent contractors. Here it is, in more readable form, in the Square One hiring form I help publish. You can probably find it in the last “confidential information and invention assignment agreement” you signed for a job.

The classic scenario where further assurances come into play is where you leave your current employer, then a few months later they get around to registering a copyright, trademark, or patent on work you were involved in. The company preps the paperwork and you sign it, even though you no longer work there. You promised to come through in the IP agreement you signed on your first day, when you started.

Employees and independent contractors don’t like making open-ended promises any more than anyone else. But it’s often part of what they give in exchange for a paying opportunity. Even in industries with far more active patent action, where “further assurances” has in the past had people flying off to distant courthouses to testify in infringement suits.

I’d guess outside contributors to Ghostscript aren’t usually getting paid by Artifex. They may get something else for their patches—distribution through Artifex’s “official” channels, the potential of, if not a promise for, ongoing maintenance of their work by Artifex devs. But Artifex would be getting quite a lot on the “deal” already: contribution to their software, which they’d usually have to pay some dev for.

When I try to imagine situations where taking a perpetual, open-ended obligation to deal with legal matters for the steward company makes sense, I can only think of two:

  1. circumstances where it’s either clear no “further assurances” will ever be needed at all, so it’s dead letter
  2. where Artifex actually is paying the dev, but has them sign the CLA instead of a proper work contract

As part of a generic CLA form to be used as most CLAs are used, it doesn’t feel fair. A bit like saying “we’ll take your free puppy, but you have to agree come back and drive around the neighborhood with us if we let it run away”.

There isn’t any further assurances clause in Apache’s CLA forms, which have become popular standard templates. There isn’t any in the Fedora CLA, either. There isn’t in the ill-fated “standard” Harmony CA, which is actually a copyright assignment. I’m not sure I’ve ever seen a “further assurances” obligation in a CLA before this.

If I were looking to contribute to a project and the steward presented me Artifex’s CLA, I’d strike that section. If they were willing and able to consider changes at all, I’d bet I’d get my way. I don’t think that term belongs in rules for public, potentially drive-by collaboration.

That’s not a flaw in contributor license agreements overall. It’s a sharp point on one particular contributor license agreement that’s pretending personnel assignment terms belong in terms for everybody else.

Your thoughts and feedback are always welcome by e-mail.

back to topedit on GitHubrevision history