[Python-legal-sig] Certifying provenance of contributions (was: Making it possible to accept contributions without CLA)

[Ben Finney]

"M.-A. Lemburg" <mal at python.org> writes:

> On 09.12.2014 21:23, Ben Finney wrote:
> > The PSF does not need any special powers for [knowing the
> > contributor has the legal right to grant the PSF license in the
> > contribution]; the contributor can be asked merely for some
> > certification they have the authority to grant Apache License 2.0 in
> > their contribution.
> > 
> > So that's a separate need from the CLA, and no CLA is needed for
> > that.
>
> Well, it's an agreement which a contributor would have to sign
> before having the contribution accepted in the code base, so
> it's a CLA as well :-)

I meant by the above that such a certification would not be an agreement
at all. It would be a one-party declaration that the contributor holds
copyright in the contribution; there is no other party so it is not an
agreement of any kind.

There is no need to enter some special unilateral transfer of power to
the PSF. The PSF can merely require that the contributor present such a
declaration, without forming any special agreement or transfer of power.

Such a declaration is sometimes called a “Developer's Certificate of
Origin”, and is used by the Linux projects and the Samba project, among
many others.

For example, Samba's requirements for accepting contributions is at
<URL:http://www.samba.org/samba/devel/copyright-policy.html>, and does
not require any special powers granted to the Samba project, while still
requiring positive declaration of copyright provenance.

Is this sufficient to demonstrate that there is no need for a CLA to
have the PSF know the copyright provenance of contributions?

-- 
 \       “Working out the social politics of who you can trust and why |
  `\      is, quite literally, what a very large part of our brain has |
_o__)                                   evolved to do.” —Douglas Adams |
Ben Finney