Adopting a CLA for Blender contributions

This is a proposal for the adoption of a CLA/DCO to handle Blender contributions.

Over the past two decades, the Blender project has been granting commit access to contributors through a verification system that relied on a private email exchange of personal information. Contributions in the form of patches did not require such verification.

While this process has proven effective, there is a desire to better align with other open source projects, and switch to a CLA-based process instead. Signing a CLA requires all contributors to provide limited personal information, in order to establish mutual protection (from copyright issues) for the project and the contributors. The personal information provided will be kept private, in compliance with the relevant laws and regulations.

Content-wise, the Blender CLA is simply a different representation of the current requirements for becoming a Blender repository committer:

  • State that your contributions belong to you
  • State that you accept to have them contributed to the Blender source code, under the GPL (or GPL compliant license, depending on the contribution)
  • State that you either transfer your copyright to Blender Foundation, or keep the copyright yourself (at your discretion)

The full text of the CLA is available below.

Given the identical value of the CLA and the current “contributor agreement” email needed to have Blender commit access, we wish to consider all existing contributors with commit access as compliant to the CLA, without further action required.

For future contributions, including patch submitters, the CLA document is required to be dated and signed.

To make this process smooth, CLA signing should be part of the patch review/contribution workflow on projects.blender.org. In practice, this will result in a first-time PR contributor being requested to “sign” the CLA in order for their PR to be submitted for review. Technical details on this will follow later, but the goal is to make it as automated as possible.

While this might sound scary, it helps and protects current developers and maintainers, enabling them to accept first-time contributions with fewer legal risks. This also helps to provide direct commit access to contributors, without requiring as much personal information as currently.

Feedback on this proposal is welcome.


Blender CLA

Stichting Blender Foundation, the non-profit corporate home of the Blender project, requests that You sign a Contributor License Agreement (“CLA”) regarding any software code and/or documentation You desire to contribute to the Blender project (“Contribution”).

This license is for your protection as a Contributor as well as the protection of the Blender Foundation and its users. You may choose to keep ownership of your own Contributions, to use them for any other purpose.

By submitting Your Contribution to the Blender project, You hereby agree to license your Contribution under one of the following licenses (“The License”), and to include the appropriate copyright notice required by The License.

  • GNU GPL License, Version 2 or later (for most Blender code)
  • Apache License 2.0 (for Cycles and other module code)
  • Creative Commons Attribution-ShareAlike 4.0 License (for documentation)

Hereby You certify that:

  • (a) The Contribution was created in whole or in part by You, and You have the right to submit it under The License; or
  • (b) The Contribution is based upon previous work that, to the best of Your knowledge, is covered under an appropriate open source license and You have the right under that license to submit that work with modifications, under The License; or
  • (c) The Contribution was provided directly to You by some other person who certified (a) or (b) and You have not modified it.

Your full name
As on your ID

Your email address
This email will be verified to be associated with your projects.blender.org account

Is this Contribution being made on behalf of a corporation?

  • Yes
  • No

If “Yes”, the name of the corporation

The copyright of my Contributions…

  • will be kept by the author(s) of the Contribution(s), mentioned in the copyright notice
  • will be assigned to Blender Foundation, unless indicated otherwise in the copyright notice

Electronic signature.

Type “I AGREE” to accept the terms as above.

7 Likes

To be perfectly honest, if I had to provide personal information to Stichting Blender Foundation to make my first contribution, I probably wouldn’t have made that contribution. So my fear of this switch is that it may have the same effect on amateur community contributors.

But for the vast majority of people, this probably won’t matter to them. And I fully understand the need/desire for an agreement.

Just double checking, this is the information on our personal identification (e.g. a passport), not our Blender ID?
This may actually be a point where you add some extra clarification.

I don’t know if it’s worth including in this section, but including whether or not AI generated content (such as code from an LLM) is acceptable here may be useful.

Or because the legality of most AI generated content is still under debate, maybe leave it up to the user to figure out?

18 Likes

Does this mean sending a copy of the ID document to Blender? In that case it would be good to have a clarification as to how long this copy of the document is stored, how it is stored, and how the privacy of the contributor is guarded.

The form will simply ask for the full “legal” name. No need for IDs.

3 Likes

In my experience CLAs make people less likely to contribute as they have to jump through more hoops to get their code accepted.

Because of this, certain open source projects have actually removed their CLA requirement; one of them was Fedora in 2011: Meeting:Board meeting 2011-04-05 - Fedora Project Wiki
Red Hat specifically has taken a stance against using CLAs for their projects: Why CLAs aren't good for open source | Opensource.com

As CLAs have a bad reputation associated with them (companies using them to close source software), the general trend seems to me to be to drop CLAs instead of adopting them.
For example here is revoltchat dropping their CLA after community feedback:

I don’t really get what we will gain from this either. The “we want to align with other projects” is very vague and not really describing the problem this is trying to solve.

If the Linux kernel (one of the longest and biggest open source projects) has worked without a CLA and continues to do so without issue, why do we need one?

16 Likes

Can confirm, before I ended up with Blender, I worked on a different project trying to get Windows support into a usable state, signing of legal documents led me to walk away from said project.

I do not sign any legal paperwork for time I volunteer, never have, never will

17 Likes

Is this finalized or still pending? All the feedback so far is that this is a bad idea, it’s probably worth pumping the brakes on this. 100% negative feedback is rarely a good thing :wink:
Just to keep things (the 100% negative feedback) consistent - I too would not contribute to a project where I had to sign something like this. My input is nowhere near as useful as the developers that have already commented, but there it is.

I’d also be very interested to hear what Ton thinks about this proposal- it’s unusual to have a major shakeup in Blender Foundation SOPs not coming from Ton

Thanks for the feedback. When it comes to the motivation for this proposal, check the first part of the post. In a nutshell: improve the coverage of contributed code with a clear agreement. This is done to protect Blender and its contributors from potential legal issues, and it’s a standard practice in many large open source projects (including the Linux kernel).

The agreement can be called CLA, or DCO, their intention is the same, but the process is different (sign once vs. sign-off every commit). To keep the personal information required to a minimum, only full name and email address could be required (no mailing address - I’ve edited the proposal to reflect that).

Keep in mind that the DCO is a license/legal document.


Follow up clarification from a conversation with @ZedDB: the sign-off of a first-time contribution would look something like this (in the projects.blender.org website):

  • Developer submits PR towards official Blender repo
  • Developer is prompted to certify that their work is their own copyright and that they are willing to share it under GPL/Apache license with Blender (optionally transferring copyright to Blender Foundation)
  • Developer signs using full name and email
  • PR goes up for review

2 Likes

Francesco (fsiddi) and I talked a bit about this and it became a bit more clear to me. From our discussion it seems like it will work more like the Linux kernel but instead of having to add Signed-off-by: to every commit message (or configure git to do it for you), it will only be a one time checkbox for the first time you submit a PR to Blender.

From what I understand there will be no need to go to a specific website to sign a legal document (like most CLAs on GitHub). It will simply be a one time prompt that you have to check in the PR.

So it seems to basically be:
I <name and email from commit> certify that the code belongs to me and that I am willing to share it with Blender under the GPL

1 Like

Is this something we as reviewers need to keep an eye on/judge? I’m not sure I’m capable of doing that. I mean, if itchy butt <[email protected]> submits a PR I can reasonably assume that’s likely not a proper name we should accept. Things already get less clear with micheal bolton <[email protected]> and I’m honestly incapable of deciding if khujaleedaar bat <[email protected]> is a real person or not.

Reviewers are not expected to keep an eye on this, but rather to focus on the quality of the contribution itself (once it has been signed off). Keeping an eye on the “quality” of the sign-offs should be a task for the Blender project admins - details to be discussed.

I appreciate the importance of keeping the Blender project accessible, and making everyone feel welcome to contribute. The goal is to keep things practical!

2 Likes

I don’t believe it should be your responsibility.

Is the implication here that a contribution will not be accepted unless it can be tied to a real person? If yes, this raises some serious concerns.

  • What if a person does not want their online activity tied to their real name?
  • What if a person changes their name?
  • What systems will be in place to prevent dead-naming trans individuals?
  • If having your real name and email publicly accessible becomes an issue, such as in cases of stalking or domestic abuse, how can this information be retracted?
  • How does the Foundation plan to ensure compliance with Right to be Forgotten laws? If a contributor expresses their legal right to have their PII (personally identifying information) removed, it must be removed. How will this be handled?
  • How does the Foundation plan to ensure compliance with COPPA in storing the PII of individuals? What if a contributor is later found to be under 13? How will the Foundation comply with the laws governing their now illegal storage of PII?

The lack of any kind of proposed compliance plans is crazy- there are complex laws around PII that you can’t just “worry about later”. These are company ending laws- COPPA in particular is often known as the company killer, you cannot mess around with that one.

Most of these remarks are not specific to the proposal and could be discussed in a separate thread. The blender.org privacy policy also covers several points.

I apologize if I’m not being clear, but all of my concerns are specific to obtaining and handling the legal name and email of a user submitting a patch to projects.blender.org.

Also, the Privacy Policy does not cover anything here- it specifically does not mention PII:

Among the types of Personal Data that this Website collects, by itself or through third parties, there are: Cookie and Usage Data, via Google Analytics. The Personal Data may be freely provided by the User, or collected automatically when using this Website. Any use of Cookies – or of other tracking tools – by this Website or by the owners of third party services used by this Website serves to identify Users and remember their preferences, for the sole purpose of providing the service required by the User. The User assumes responsibility for the Personal Data of third parties published or shared through this Website and declares to have the right to communicate or broadcast them, thus relieving the Data Controller of all responsibility.

Obtaining someone’s legal name is not the same as obtaining cookie or usage data via Google Analytics, and it has wildly different legal responsibilities regarding COPPA and Right to be Forgotten laws. This is pretty basic legal stuff, it’s somewhat concerning that I’m having to spell this out

The collection of personal data will be done in compliance with the relevant laws and regulations.

To provide what I find an interesting data point for this conversation, I’ve taken the liberty of going through the list of all time contributors of Blender and counting how many people didn’t sign their contribution with their full name. I’ve just used, as a criterion, whether someone used something that looked like a nickname or just one name. I might have made a few mistakes, so take this with a grain of salt, but:

Out of 953 contributors listed in that page, 110 didn’t use their full name. That’s 11.54% of all time Blender contributors.

It is beside the point to speculate whether those 110 would have contributed differently if the CLA was in place. However, the Red Hat article that was already linked above makes a good point: red tape in general can be detrimental to opensource projects. I personally feel that in Blender’s case, the opensource, copyleft philosophy of the project is really important for it. I also think that this ethos is linked to the idea that anyone, even someone who does not want to share their name, should be able to contribute, as long as they abide by the licensing terms.

6 Likes

What is the desire based on? IE, what existing problem is the move to CLA hoped to solve?

(Something more than “others do this”?)

5 Likes

I’m just going to add some extra comments here.

As of right now, Blender Foundation employees and dev grant recipients that are committers (people with direct commit access to blender/blender and other important Blender repositories) basically already have to go through a process similar to this. But it’s done through a combination of a contract and private emails.

  • Shifting to something more “proper”/“professional” like the proposed contract makes sense for that situation, at least to me. If anyone has major oppositions to that use case, please share them. Maybe I’m missing something.

As of right now, community contributors already agree to a “contract” when making a contribution. (Whenever you make a pull request there is a part explaining that you “agree that the code is compatible with GPL v2 or later”, and things like that)

The current proposal is changing that “contract”.

  • It clarifies some aspects (The Contribution was created in whole or in part by You...). This is a good thing. Clearer contracts are better.
  • And asks you to provide personal information. The main point of concern?

One of the points of concern with sharing personal information is “Who will see it”?
I think some clarification needs to be had here?

  • Will the personal information I share on this contract show up publicly (e.g. in the commit author section which can be seen when you run git log)? Or is it all private?

9 Likes

Who will see it, yes, but also- how will it be handled when someone requests that their personal information be retracted? As I’ve said, there is a legal requirement to allow this, but if this personal information is permanently baked into the git history, now the Foundation is in serious trouble.

Let me provide a concrete example. Let’s say a contributor signs the CLA on a patch that is approved and incorporated into Blender. It is later revealed that this contributor is 12 years old. The Foundation now has a legal requirement to immediately purge all the information they have related to this contributor. Can they? Is it even possible? I’m not sure it is, which is why I continue to stress that this needs more thought. A single COPPA lawsuit would permanently shut the Blender Foundation down, and I don’t want to see that happen

4 Likes