Should ICLAs be Required of Every Contributor?

Update: Title changed from “Committer” to “Contributor” based on a suggestion from Andrew Petro (see comments)

In Apereo/Sakai there is discussion of whether or not we need to doggedly require Individual Contributor License Agreements (ICLAs) from every person who sends in a simple github PR. It is generally agreed that if someone will be making significant contributions we need an ICLA – but many (myself included) feel that an ICLA is not necessary for a simple submitted patch. The issue is that this leaves a grey area and soe folks stay a bit conservative on this.

Andrew Petro did some research on this and here are his notes. I keep them here for my own reference.

Here is the thread where we discussed this:!topic/licensing-discuss/c1puG3RKZcA

Since this post, CLAs have come up a few times on Apache legal-discuss@, including in July when I brought up Apereo’s desire for a canonical position.

In February 2017, “it is considered good practice to collect individual CLAs even if the contributors are not committers. Strictly speaking this is unnecessary”. That is, Committers and Projects via their PMCs may require CLAs of Contributors rather than just only of Committers, and it may be a good practice for them to do this under some circumstances, but Apache does not strictly require this. Also, this post again confirmed that while it is a good practice for Committers to secure Corporate Contributor License Agreements of their employers, this is a judgment call on the part of the Contributor.

In December 2016, “our IP provenance relies on both our license, our ICLA/CCLAs, and the fact that we have written policies that define who can be a committer and how PMCs can make releases. It’s usually good if a code author (or someone who could otherwise legally sign an ICLA in terms of granting us the right licensing rights to that code) actually submits the work to some Apache project before we put it in a release.” That is, it’s sufficient that an ICLA-signatory Committer actually merges the code into the canonical codebase.

In August 2016, “To avoid the risk associated with clever or large contributions, most PMCs request a formal ICLA to be filed.” Which is to say that some do not, and that therefore Apache does not require that projects do so; individual PMCs get to locally decide when to go beyond requiring ICLAs of Committers to require it of a Contributor in the context of a given Contribution.

In August 2016, on this very topic, “I don’t see that there’s a ‘canonical position’ that can exist.” and “Stating my understanding of the Apache policy – Apache requires ICLAs of its committers, uses ICLAs or a software license ( for exceptional contributions from contributors and generally relies on clause 5 of theApache License 2.0 for other contributions from contributors.”

There have been opportunities for someone to argue that ICLAs are required of all Contributors, and that position has not been argued on legal-discuss@.

I think it’s also looking likely that this is as canonical a position as one can get from Apache on this matter.

4 thoughts on “Should ICLAs be Required of Every Contributor?

  1. Reinier Post

    It has always been my understanding that the act of contributing itself already constitutes agreement to such terms.

    The wording of Apache’s ICLA does a very good job of making this precise, and of course it’s a good thing to ask for explicit confirmation, but I don’t think it’s legally required. Of course this may vary from country to country.

  2. Andrew Petro

    Thanks for drawing attention to this.

    Commenting only wearing my individual contributor hat and not the Apereo Licensing chair hat:

    Here’s my favorite single slide on this topic:

    Here’s my favorite essay on the topic:

    and here’s my (growing!) collection of resources, for and against and about CLAs: .

    My latest favorite model of another open source community navigating these tradeoffs is Fedora’s transition from Apache CLA to its FPCA which is *not* a typical CLA:

    This model is especially attractive because:

    1. Fedora once required the Apache CLA and successfully transitioned away from requiring this ( ), and
    2. Fedora has use cases Apereo is gaining about coping with a multiple-licenses ecosystem where not all contributions and projects are just under Apache2 or under GPL or …, and
    3. Fedora doesn’t require anyone to physically sign the CLA, or even digitally sign a form or whatever. Agreement is an “I agree” button in the course of creating a user account in Fedora’s user account system. ( ).

    Fedora had required the Apache CLA (much like how Apereo currently does) and dropped that requirement. CLAs typically work by licensing additional rights to a single player, rights above and beyond those granted by the open source license in use. In the case of Apereo, the CLA licenses additional rights (all the rights of exercise of copyright save exclusivity) to Apereo, rather than the Contributor licensing the Contribution to Apereo under the underlying open source license (typically in Apereo, Apache2 or ECL2). The FPCA doesn’t do this. It functions as a Developer Certificate of Origin — it doesn’t change the open source licensing terms under which Contributor licenses Contribution to Fedora (and everyone else), it just reassures (or at least tries to reassure) that the Contributor really has the rights to make the Contribution and really intends to make it. And it sets some default licensing terms so that if a Contributor fails to clearly state the open source license under which a Contribution is made, the right things (the things the Contributor almost certainly intended) happen anyway.

    I’m (personally!) hopeful of Apereo being able to give Fedora’s model some thoughtful consideration as a way to navigate the tradeoffs between friction and licensing confidence.

    As they say: I am not a lawyer; I am not your lawyer; this is not legal advice. My personal perspective only; not speaking as Apereo Licensing.

  3. Andrew Petro

    Rather than titled “Should ICLAs be Required of Every Committer?”, this post might be better posed as “Should ICLAs be Required of Every **Contributor**?”

Leave a Reply

Your email address will not be published. Required fields are marked *

By submitting this form, you accept the Mollom privacy policy.