I'm Kevin Fleming. I work for Bloomberg in New York City, and also in London and wherever else they send me. So I was gonna ask them the questions Karen just asked. So first of all, how many people here do not know what a corporate contributor license agreement is? Don't be shy, raise your hand if you don't know. Would you like... okay, there's enough, I can tell you.

So there are some open source projects that, when you want to contribute to them, in addition to whatever open source license the code is distributed under, which of course your code is a derivative of, also require you to sign an additional agreement, which could be for a variety of reasons. We're not going to go into the many reasons why those exist, because that would be a day-long discussion on its own. But this talk is about the practicalities of being a large company, which I work for a large company, and wanting our developers to be able to contribute to those projects and having to deal with the mechanics of doing this. That sort of thing you probably all experienced if you've ever contributed to an open source project: the wide varieties of ways they accept patches, and then the way they do code reviews, and the way they discuss code, and all those kinds of things. And you would prefer, of course, a simple, easy-to-navigate process. What I'm going to talk about here is I would prefer a simple, easy-to-navigate process when one of our developers wants to contribute to one of these projects. So I'll make sure I try to get these slides in a reasonable place.

So I have been contributing to open source software for a very long time. We'll not say how long, because you know how that was. I have run projects. I've actually been on both sides of this equation: I used to run a project that used a contributor license agreement, and which it still does. Now I'm on the other side. I work for a company that produces open source software as a small part of what we do; our primary business is commercial software and data services, but we
use open source software heavily, and so we end up, of course, contributing to those projects.

So, ubiquitous slide for this room: I'm not a lawyer, not your lawyer, don't play a lawyer on TV. If you take any of this as legal advice, you're entirely on your own.

So, and unfortunately, because I couldn't use the slides in my original form, I didn't get to have these lines show up as I press the button, so you get to see the answers to the questions before I get to ask them. This was going to be the question, the softball question, for Richard to answer, because he's the one who would have answered this. So as you might imagine, when someone comes to us and wants to contribute to an open source project, the simplest option is when that project doesn't require any contributor license agreement at all. We can just go look at what open source license it's distributed under, look for any other interesting potential caveats that might be associated with that project, and then say, "Go ahead, you're all set."

There are some projects who don't want to go to the extent of having a contributor license agreement, which is great, but they still want each contribution that comes to the project to have some explicit acknowledgement of the fact that "yes, I do intend to give this to the project." And so some time ago, I don't remember how many years now, I'm sure someone in the room can tell me, this thing called the Developer Certificate of Origin was created, which is a very straightforward attempt to solve that problem. It basically requires... it basically is a very small process that the developer can use to say, "Yes, I am giving this contribution to the project, and I certify that it's either my work or that I have permission to give it to you under the terms of the license that the project uses."

It would be wonderful, in an ideal fantasy world, if that was the end of this, if we did not have to do individual contractual agreements to contribute to some projects. Unfortunately, many projects have been told by their
attorneys or others that they do need to have them, so we have to deal with this.

So this is unfortunate, because I would have been able to go through this much more easily, but in our company, which is probably true in many large companies, there are going to be at least four people involved when an employee wants to begin contributing work that they've done at the company (so it's property that belongs to the company, not something they did on their own spare time or on their own computer or whatever), they want to contribute that to an open source project, and that open source project requires a contributor license agreement to be signed.

Obviously you've got the developer that wrote the code in the first place. You have someone from the company's legal team, because this is a legal agreement that the company is going to be signing. It gives permission, to some greater or lesser degree, for this project to use intellectual property that was created and owned by the company, so obviously the company's legal team, whether that's internal or external counsel, is going to want to review that agreement.

Then of course you're going to have to have someone in the company who has the authority to sign agreements giving away the intellectual property of the company. That's not a trivial thing. This is very different from signing an agreement that says, "Yes, we will buy 10,000 t-shirts a month for the next three years." I mean, most of us wouldn't sign an agreement like that either, because we don't want 10,000 t-shirts a month, but for a company to make a purchasing contract is a relatively trivial thing, and lots of people inside a company will have permission to do that sort of thing. But as you might imagine, if they're hiring people, for example, and a potential employee wants to negotiate their employment agreement, if the company uses employment agreements, and wants to make changes to those, permission to negotiate those and then the authority to sign that is not something that's
doled out to tens or hundreds of people, or even tens of people. It's usually a handful of people, and the same is true when any agreement involving the company's intellectual property is in place. So this will tend to be a very high-level executive. It may be the company's general counsel, in which case we can actually skip having four people here and only have three.

And then you're going to have a person like me, who has to navigate these waters and figure out exactly what process needs to be done, who needs to be brought in, where are the pitfalls, so they can make sure that nobody makes a mistake that could be damaging down the road, etc. And that is because, of course, the developer is a developer; they don't have the knowledge of understanding what a CCLA looks like and what its terms might mean. And the attorney, as good as many of them are, especially many that are probably in this room, they aren't particularly familiar with open source software and license agreements and software development in general, and they could use some guidance on how the terms that they're seeing in this agreement may apply to the work that's being done.

So the first step, of course, is the developer. Alice is a beautiful developer that follows all the company policies at her company where she works, and she knows immediately, before she tries to send any code to an open source project, that she's supposed to get permission. Right? That's what all developers at every company in the world do, right? Everybody's nodding their heads, yes. Of course that's not what happens, but anyway, let's assume of course that that's what happened. And so Alice does the right thing and she makes a request, however that's supposed to be done: email, phone call, instant message, some sort of ticketing system, which is what we use, something like that. That's going to get routed to the person who gets to decide how this is going to proceed. That's me in our company. So for me to be able to process Alice's request, obviously I'm going to go
learn about this project, and the first thing I'm going to learn is, yeah, their CONTRIBUTING file in their GitHub repository, or wherever else they post their code, says that in fact to contribute to their project you have to sign a contributor license agreement. Might be individual, might be corporate; usually it's both. If either exists, you would expect the other to exist as well.

So what am I going to need to be able to make these decisions? Well, obviously I'm gonna have to be able to read. I mean, I can't forward it along to our legal team for their review, and give my notes on how I feel that it might go, if I can't actually read it. Obviously I'm gonna have to be able to forward it along. I'm gonna have to be able to have the person who signs this agreement be able to do so. That seems like a trivial thing to have to say, but just wait till the next slide. And then of course, once the agreement is signed, that agreement can cover, and hopefully would cover, all employees at our company who want to contribute to that project. We hope to not have to do a special, a single, an explicit agreement for each employee. That's a lot of work. As you might imagine, if you're working in a company that has, let's say, 20,000 employees around the world, which is roughly what we have, getting time on the calendar of the CTO or some other C-level executive in order for them to sign an agreement that they don't even understand is a non-trivial thing. I don't want to have to do that any more often than I have to.

So I've been doing this now at my current employer for a little over four years. When I joined, we didn't have very much open source contribution going, so that was fun for me; I got to build all of this from the ground up. But that means of course I've been exposed to lots of different things that open source projects have chosen, and these are some examples. Some of these are really awesome. I've also forgotten many more than I put up here, which is probably because I didn't like them very much, but
the first one goes back to that readability thing. I have literally gone to a project's website, clicked the link that says "click here to learn how to sign our corporate contributor license agreement," and ended up in Adobe Sign, which used to be called EchoSign, or DocuSign, looking at a third- or fourth-generation scanned copy of an agreement that's, you know, faxed and off-skewed and speckled and everything else. And it's like, really? They expect somebody at a big company to read this and sign it? That's not going to happen. Not only that, of course, I can't pull the text out and have our attorneys review it, because it's not in a form that I can do that.

I've seen projects that have individual contributor license agreements but no corporate contributor license agreement. That's just a failure on their part to understand that the contributions that they receive are not always going to be owned by individuals; in some cases they are going to be owned by companies or other legal entities that are not people.

Let's see, I'll skip the other ones to... oh, number two, that's the most fun one. I'm not gonna name any names here, because that's not fair, but there is a large group of projects that are open source projects that use very friendly open source licenses and are really fun projects to work on, and we use many of them. And when you go to the project's source code repository and you look at the CONTRIBUTING file and it says, "Hey, if you want to learn about how to contribute to our project, click here," you land on their developer website, which requires you to log in to their social network in order to proceed to even find out what the terms of the agreement might be. You can imagine how much I'm willing to use my personal social network account, should I happen to have one on that network, in order to just review the terms of the agreement. You can imagine how much fun it would be when I went to the general counsel of our company and said, yeah, for you to review this, you're
gonna have to also log into the social network in order to read. And then it gets a step further: the CTO has to sign this, so I have to have the CTO go log into the social net... This is clearly not useful.

So I'm gonna go quickly through the rest of these. I'll take questions at the end. I'll go quickly through the rest of these because, unlike good slides, I actually have lots of text on these, and you can read all of these, and of course they're on the FOSDEM website. It's actually where I'm presenting them from, so you're welcome to review them later. But these are the things that I need in order for me to be able to do my job well, and for me to do my job well means we get more contributions given to projects that want them, which is of course what most open source projects want.

So I need the text. I need it in a form that I can copy it around, and hopefully not ever try to edit it, because that would not be fun, but to at least be able to copy it around. More importantly, it's a document. It's like a piece of source code: over time it can change. People will be notified that maybe terms in the agreement might not apply the way they thought they did, because they were drafted by a US lawyer but the laws in the EU are different, and so maybe some additional terms need to be added or something needs to be changed. Or in cases where you have (well, this I guess is true in the EU as well) where you have moral rights, if the content of the agreement does not contemplate those at all, there are some people who won't sign them, because the agreement doesn't even say anything about moral rights and they want it explicitly stated.

So over time the agreement is going to change. You can imagine how much fun it is when I download the agreement, send it off to the legal team for review; that takes time, I mean days hopefully, maybe sometimes weeks depending how busy they are. Then I have to get scheduled time for it to get signed. When I bring it up for someone to sign it, I have to verify, letter by letter,
that it is exactly the same as the one that we reviewed, because these documents never have version numbers. They don't have any way to know whether there's been an intentional change or not, let alone an unintentional change. That's not good.

The next thing: projects get told they need to have contributor license agreements. What most projects should do, like they do when they pick an open source license: they should go to the OSI website and say, "Look at all these licenses we have to pick from; let's pick one and use that." We've apparently, although not completely, but we've apparently gotten beyond the "and the next major open source project is going to roll its own license." Those days were not fun; we're glad to be beyond them. We're not beyond them for contributor license agreements. Projects, and companies behind them in some cases, will just decide they're going to write their own. You can imagine then the legal team takes much longer to review them, because they're completely new, they've never seen this before, and they don't know what it might mean.

Also, not going to stress point two there, the second paragraph, although it is important for us; it may not be as important for other companies. We choose not to contribute to projects where the contributor license agreement grants the project more permissions than it grants to its own users, which is called asymmetrical licensing, or "inbound not equal outbound," or whatever you want to call it. There are other companies that will, but we generally do not. So if you are contemplating putting a contributor license agreement in place on your project, and you are going to demand more rights from the contributors than you're then going to give to the people who get the software out from you, that may very well mean that some companies choose not to contribute to your project. So keep that in mind.

This is going to seem silly, because here we are in a room full of geeks doing all these wonderful things
that we do in 2017, and yet the simplest and most reliable way to execute a corporate contributor license agreement is literally by printing it out, getting someone to sign it, and then scanning that and emailing the result to whoever needs it. We are capable of using fax machines. I think I know where the one is on the floor that I work on, although I haven't probably touched it in two years, but I could if I had to. It's unfortunate that this is the case, but this is the case.

There are also online platforms for doing signing of documents. I mentioned names of some earlier, and there are others. The problem with all of them is that they require the person who's looking at the document to be the person who's going to be signing it. That's not the case until you get to the very end of the process; there are at least two other people who are going to be reviewing the document. I guess I just kind of covered that. I would also mention here, of course, that if you have taken my advice and put some sort of version number, or preferably even a content hash, as a tag on your document, that when we go to sign it on the online execution platform, it should prominently present that same exact version number, so that if it turns out you have changed the document since we reviewed it, we'll at least know that you changed it.

And then this is one that's important as well: we need to be able to add and remove people who have been given permission under this agreement to contribute to your project. There are a variety of ways that's done. Some of them, it's by just sending an email to the project, one of the project leaders, and saying, "Hey, add this person, and here's their GitHub or their account or their user email address," or whatever that might be. In other cases it's more, let's say, more formal than that, and we actually have to sign a new copy of the contributor license agreement with a revised addendum at the end, which is kind of a pain.

I'll say that, on the positive side, a couple of years ago I've heard
of working with a company who did not have a corporate contributor license agreement at all. They had an individual one but not a corporate one, and so we talked about what would be the easiest thing to do. We were actually already comfortable with the terms of the CLA they were using, but we needed a corporate version, and they didn't have a plan in place for how they were going to allow identifying of users who would be allowed to contribute. And I said, "Well, so your project's hosted on GitHub. That means that when we contribute to it, we're going to fork your project into our organization on GitHub, and then the pull requests that you receive are going to come from that repository. So if you're willing to just say, as long as the pull request originates from our fork of the repository, it's covered under the CCLA, I'm good with that, because then I can just use GitHub's permission management to decide who has the ability to generate those pull requests and who doesn't." Worked out beautifully. I hope more projects choose to do that.

This is another interesting one, which that solves but other mechanisms do not. There are some foundations, I guess we'll say, but the only thing that they ask for, and the only thing that they store in their database when you give them a list of contributors, is the person's name. Not an email address, not any other identifier that could be used to tie the contributions that are going to arrive to that person. Well, I suppose that could be okay if you have an incredibly unique name, although there's something like seven billion people in the world, so no name is completely unique. But if you have a relatively common name, which I have run into, and let's say, for example, hypothetically, in the US I had an employee named John Smith who wanted to contribute to one of these projects, how am I gonna feel about putting the name "Smith, John" as a permitted contributor on the CCLA? How many John Smiths are then going to be able to potentially try to contribute under the
auspices of my company? Which I don't want them to be able to do. That's clearly not what we want.

Version updates: I mentioned before we should have version numbers. If it turns out that you do need to revise your contributor license agreement, anyone who's already signed one should be told, "Hey, by the way, we've revised our contributor license agreement; next time you come across this, you are gonna see different terms." It would be really nice, even, of course, to include a diff, so we can just look and see what the change was. That is something that has been a problem in the past as well.

And then we also need consistency. We need to understand when you're gonna require us to do this, when we're gonna need to tell you who people are. There is yet another unnamed, but people will know who they are quite easily, large foundation with hundreds and hundreds of projects that has very well-stated policies for when contributor license agreements are required. They're on their website, they've been there for years and years and years, are easy to understand, and yet they're not followed. Many projects choose to do more relaxed versions of these policies because of all the complications I've been talking about; they don't want to have to do this for someone who is just gonna send them one patch or two patches. We don't want this.

So for those of you in the audience who are software developers, this is what I want: I want to be able to come to your project and say, "Wow, this is almost exactly the same as I've seen 26 times before." Yes, there's little tiny details that are different, but that's what I want. And this is all because we actually do want to contribute to your projects. If you make it difficult for us, we won't be able to contribute to your projects, and you won't benefit, and we won't benefit, and that's that.

I'm already told my time is up, which of course was partly because of the laptop problems. Thank you very much. I'm happy to take questions out in the hall when we're done here. Thanks.