Using DCO / CLA for reassurance and passing the OpenSSF BP Certification

[james-d-elliott]

I think a firm commitment to having all contributors including the core maintainers sign a waiver that their contributions are not in part owned by a company would be a reasonable and reassuring change to users so that at no point could a company, such as Red Hat or Company X claim the legal ownership over this repository or individual commits.

This would likely require the core contributors to seek a waiver from legal. As you appear to be working on, or the previous maintainers were working on the OpenSSF Best Practices certification this would also contribute towards that which makes it a very logical step.

[coreydaley]

This is not a corporate-backed open source project. Please take a look at https://ben.balter.com/2018/01/02/why-you-probably-shouldnt-add-a-cla-to-your-open-source-project/ and let me know your thoughts.

[james-d-elliott]

Hi Corey thanks for responding, and from what I can tell, being open to the idea rather than just shooting it down even though you don't specifically agree. This to me is a very open attitude.

I took a read and generally agree with the ideas expressed. I think the DCO is a much lower barrier for most people since it's already part of a tool most developers use daily. My thought process is that the impression I get from the developer community and recently in particular in the go community that they do not trust large corporations to not claim contributions by their employees as evidence they legally own something.

I think thees factors may affect contributions and usage anyway. As to how much I don't know. I think both the article and my ideas on this are very subjective. I'm not even sure the DCO or a CLA would actually do anything to solve this feeling by users either. It's quite plausible that they would not even notice or care even if they did notice.

I think in general this discussion and in particular the factors highlighted in first paragraph of this reply realistically will probably help reduce concerns about this, as to how much I'm not sure. I think if you were unaware of how the DCO works it would be good to take a look into it however to at least familiarize yourselves with the technology. In my opinion it alleviates several of the points in the article and is very simple to do and enforce (can be added to GitHub and allows maintainers to override it which is useful during the transition process).

Also after some introspection I think in general that both the DCO and CLA's do not offer any measurable legal protection anyway as the contributions are done as part of the advertised license and can't logically be claimed as personal intellectual property or by companies anyway. I think I have thought about this factor in the past as well, however I think it was just a fleeting thought. Also as it's clearly explicit in the GitHub terms of service now (which I was unaware of) there is no real logical benefit.

[coreydaley]

I think the best thing to do would be to get more of the communities opinions on this. I think it would be a great idea if you were to post links to this on the Slack channel and the mailing list.

[amustaque97]

I don't think it is much needed because in real life even if some company or any legal entity comes to pretend they own this, there are a bunch of toolkits available on the internet. I still don't think someone can take any commercial/financial advantage by owning it. I do understand there are organizations or large-scale projects built over the Gorilla toolkit seeing the past, devs were already prepared or were preparing when the whole project was going into archive mode. If I think about the future we're always assured our stability and excellence so at worst there won't be any updates iff some company legally owns it and puts some kind of restrictions.

Thoughts?