Insuring Contributed Code is Legal?
WanderingGhost asks: "Suppose you start a free software project and have people from all over the world wanting to contribute (hey, that's good eh?) How can you tell if they actually have the right to contribute at all? Contributors may live in different countries and work for different companies, and that means different laws and different contractual agreements. Aside from asking the person (I've found that this doesn't always work), what else would you do? Is there some place where you can find all information about IP laws of different countries (for example Japan, India, China, Russia) just so you can tell what would be the 'default holder of copyright' if a work contract says nothing about IP rights?"
Scroll to A Brief History of Windows NT/2000/XP by Andrew Tanenbaum. This is a problem regardless of software license. The unique problem that open source faces is that people do it as well as working at the same time.
I see your point...
If it's a small project I wouldn't worry too much in any case. Otherwise, make the programmers agree to some statement before you'll accept their work (it could be an "informal" email). And always remember that estoppel is your best friend.
The problem is that the contributor himself may not fully understand what he can and what he cannot do. And then after something comes up, I'd have a big company telling me to shut down my project (because it may not be possible to revert a big, fundamental patch, for example).
IANAL, but my key fear with using any copyrighted material is authors being able to revoke a license. Copyright and licensing laws are quite strong after all.
Not in the case of the GNU GPL, as far as I understand. I have asked a lawyer about this once (last year I guess).
Isn't this one of the reasons why the FSF requires all contributors to assign their copyrights to the FSF explicitly? I believe this puts the responsibility onto the authors, and not the FSF, to make sure they have the right to contribute.
More info here.
I think the idea is to get contributors to send you something, signed, on a piece of paper. This is what the FSF does, and a few other large projects have followed their lead. In FSF's case, the piece of paper is also a copyright assignment, which you probably don't want as it puts a lot of potential contributors off. What you want to do is check out something like the following with a lawyer:
I hereby certify that the work I have submitted to is my own work, which I am entitled to licence under the provisions of , and that I am not aware of any patents or other legal issues that may prevent its use in . I hereby grant a licence to distribute the work under the terms of (attached).
You possibly also want to include a similarly phrased paragraph to cover future submissions by the same contributor, if you expect any.
What this does is (again, IANAL, so this isn't legal advice, check it with a professional, actual facts may vary from jurisdiction to jurisdiction):
1. Means you've performed "due diligence" before accepting the work. You've got a signed statement from somebody stating that there wouldn't be any issues. If you do have legal expenses insurance (and I'd recommend it; at least where I live it isn't expensive) your insurers will almost certainly want to see something like this before they'll agree to defend you in a court case. In a court case, I think it would be enough to show that you hadn't knowingly infringed any copyrights, which may be enough to prevent any damages being awarded against you. You'd have to cease distribution, of course, but in the end it would probably not actually cost you anything. It's probably not as good in the case of a patent infringement, where I believe strict liability rules apply, but that's substantially less likely to affect you, fortunately.
2. Means you've got a clear, easy to prove licence to distribute, so your contributor can't turn around and sue you. Yes, this is unlikely, but it's great to cover all angles.
A GPG-signed e-mail may be adequate, but check with a lawyer. In my jurisdiction, I believe it would be iff I could prove the key belonged to the person I believe it to, which can be a quite tricky proposition. In yours, it might not be acceptable at all. Check everything. A signed fax may be better than an e-mail. This is the kind of knowledge you pay a lawyer for.
And then after something comes up, I'd have a big company telling me to shut down my project (because it may not be possible to revert a big, fundamental patch, for example).
I don't think this is avoidable, unfortunately. If you have to remove a fundamental piece of code due to copyright considerations, that's going to effectively mean reverting your codebase to the point it was added and starting again from there. Code added after it was may be a derivative under copyright law, so you probably can't use a lot of that, either.
Not in the case of the GNU GPL, as far as I understand. I have asked a lawyer about this once (last year I guess).
Copyright laws vary from place to place; most lawyers only consider local issues. You may find that some regions have local laws that allow revocation of a licence even when that licence describes itself as irrevocable (as the GPL does). If you're worried, make sure the lawyer you consult is well versed in international copyright issues. Try to find a copyright specialist who deals worldwide, if you can afford one.
Isn't 100% foolproof. Go spelunk about in the 2.0.36 kernel and you'll see where one submission took FreeBSD, removed the FreeBSD copyright notice and bragged about it.
RedHat 6 used the BSD lp code and didn't fulfill the 'advertising clause' (same with Microsoft and NT).
And somewhere on slashdot you can find out all about the ATA code issue.
You are just going to have to keep detailed records of who submitted what, and have 'em agree to a contract to sign over the code AND agree that it wasn't code taken from somewhere else.