Adopting a CLA for Blender contributions

I have updated the text of the proposal to address some comments. In particular:

  • the personal information will be kept private (no changes will happen to the existing day-to-day contribution process)
  • it’s a common practice in large open source projects to formally check with all contributors that they are indeed entitled to offer their contribution

@josephhansen I feel like I have answered your questions, if you have more remarks, please reach out directly.

6 Likes

While CLA/DCO is probably acceptable and not a big deal for many contributors, it is good to ask a question, what exactly is gained by having it, vs what are the possible disadvantages.

“What are the upsides?” is hard to understand, since, as it is phrased, it is fairly vague/nebulous. “Because big boys who are mostly large commercial corporations from USA do it” is maybe not a good guiding star for a non-profit entity incorporated in Europe.

CLA/DCO requirement has a potential of being “just enough” to scare away some potential contributors. A data point of exactly one, but I think I would have not started contributing to Blender if CLA requirement was in place. Why? Not because I’m terribly opposed to it, but because I started contributing merely because I was curious, not because I needed to do something. If it were the latter, signing CLA for me would not have been a problem, but for mere curiosity, I would have gone “ehh maybe not”.

It is also not clear how the “real name and real email” would be validated and enforced. Ok, someone submits a PR with "Name Namey <[email protected]>", the PR is fine and gets accepted, and is merged into the blender main repository. Since name “validation” is supposedly done by “admins” at some point somehow, they go “welp that’s not a real name”. Then what? The PR is already baked into the git repository. Is it backed out?

18 Likes

The goal of this whole proposal is to set up a formal process (which has been historically more informal) for contributors to:

  • Clearly define who owns the copyright of a contribution
  • Agree to share the contribution under the relevant license (GPL/Apache/CC/etc.)

While this might sound scary, it helps and protects current developers and maintainers, enabling them to accept first-time contributions with less legal risk. This also helps to provide direct commit access to contributors, without requiring as much personal information as currently.

The question is: as a first time contributor, creating your first PR, would you be ok to state that your contribution is your own, and that you are sharing it with the Blender project under GPL/Apache?

PS: I’ve added some of this text to the initial proposal as well.

Yes, if phrased like that then it’s fine. But once/if it goes into “we need your ID” or even “real name” then the answer becomes more complex.

3 Likes

Just double checking. Is the real name required to make it a legally binding agreement? Or can this agreement be made without the requirement for a real name?

1 Like

And if real name is required, how can it possibly be verified?

Yes. But I would not be willing to permanently commit my real name to this contribution.

If I had to summarize this thread so far, I’ve learned:

  1. That I personally and/or the foundation is somehow exposed to some unarticulated legal risk by submitting contributions
  2. That I personally and/or the foundation is somehow exposed to some unarticulated legal risk by accepting contributions
  3. The only fix is for everyone to give up personal information.

I think i’ve had Nigerian scammers in my inbox that have put more effort into obtaining my personal information.

I get the foundation wants to keep their legal exposure under wraps as to not give anyone ideas but I gotta say at the same time, you have gotta admit, it’s not a very compelling story for everyone else that has to give up their personal information to mitigate this unarticulated risk.

In all honesty, kinda feels if they just introduced the CLA without community discussion, going “listen guys we don’t like it either but the lawyers are making us do this”, I would have respected the decision more; the attempt at shining up this turd is making me feel shenanigans are afoot, which is not a feeling I’m fond of, not one bit.

3 Likes

I should probably have made the “Feedback on this proposal is welcome” text in the proposal more visible. This is still a proposal, so please consider adjusting your feedback accordingly.

I believe there’s a worry that it will not be kept private; I’ve personally already had my legal name exposed/publicly displayed by the foundation, when the Extension website was being built.

1 Like

This is still a proposal, so please consider adjusting your feedback accordingly

I’m not sure that’s possible: we don’t have all the facts, and the foundation is unwilling to articulate them, so we can’t have an informed enough opinion to give any feedback beyond “I don’t like it, because, feelings”, which is as easily dismissed as it should be.

Many people have pointed out various pitfalls and problems with obtaining/recording/validating personal information, arguments which I may or may not agree with, but at least they were articulated. I may not understand COPPA as well as @josephhansen but he’s given enough information to go dig up and read up on the problems he is trying to draw attention to.

What the foundation has given us so far is (and I’ll admit heavily paraphrasing here), “hey soo we’re trying to mitigate a… risk… yeah… and this thing we’re doing, it’ll protect… you… and us… and everyone… anyhow, sooo… everybody has to give up some personal information, we’d like some feedback on the exact wording on this thing we are proposing.”

To which I (and others in this thread) say, hold on to your horses there, do we? (have to give up PII?)

We may as well be arguing about the exact wording to keep the boogeyman from hiding under my bed; unless we first answer things like “is the boogeyman real? If he is, can he even read? Will he sign legal documents if presented to him? Does he pose an actual risk?”, it all seems a bit … pointless.

I appreciate the attempt to get us to argue over the letter of the thing, but again it feels like I’m being misdirected as we’re not being presented with the full picture; different solutions may be possible, we don’t know. There may not even be a problem, we’re 30+ years in without this risk rearing its ugly head? (or maybe it did, we again do not know)

The foundation either has to accept that it knows more than the average joe and just plow ahead with it since it’s in the best interest of the project, or decide to make the case for having it and have the community give feedback on the plan. You can’t not inform us and still expect us to have an opinion worth sharing.

3 Likes

Just to add my 2 cents to the discussion:

  • If I was asked on my first contribution: “did you write this yourself and are you willing to share it under the GPL?” I would not have had any problem with that.
  • If I was asked ‘please sign this CLA’ I would have thought ‘oh, never mind, then’. Because I don’t really know what a CLA is and I don’t really care to find out. For my first contribution I wasn’t really invested in Blender yet (it was just a small bugfix).

Also if the first question was phrased more like ‘can you guarantee that this code is legally yours’: I probably wouldn’t touch that with a ten foot pole. With the current legal situation of software patents that’s not a guarantee anybody can make. Even if you write something yourself there’s a nonzero chance it has been (frivolously) patented somewhere by someone sometime.

Moral of the story: phrasing matters a lot.

5 Likes

COPPA is probably the best possible example of why this is problematic, because it’s very simple and clear-cut (unlike the majority of privacy laws, which are extremely complicated). To summarize: an entity on the Internet that services the United States may not collect personally identifying information about any person or user under the age of 13 without prior written parental consent. It does not matter how this information is stored or whether it is presented privately or publicly. It may not be acquired in the first place without the aforementioned written consent.

Requiring a real name, then, requires any contributor to verify they are 13 years or older. However, this is where it gets fun (by which I mean, extremely dangerous for the Foundation, so not fun at all). If a contributor signs a CLA verifying they are 13 or older, and they’re actually 12, guess who’s still legally required to purge all of their PII? Y’all. Doesn’t matter that they “lied” on the CLA, because the CLA is not binding anyway, because they can’t sign a legally binding document without a legally aged guardian.

In short: if you don’t require a real name, anyone can contribute without any danger. If you do require a real name, if a 12 year old contributes and their parent gets mad about their PII, they can sue the Foundation for an essentially unlimited amount of damages, and the Foundation will lose. It does not matter if that PII is just being stored privately, the court will require you to purge that PII, and if you can’t (if it’s baked into Git history), you will pay more damages than you can possibly imagine. It will bankrupt the Foundation, permanently.

Important disclaimer: I am not a lawyer. I have, however, worked on dozens of sites for many different companies who are handling and processing PII data, ranging from small businesses to multimillion dollar companies to government agencies. The one thing in common with all these projects is a strongly and repeatedly expressed mandate to stay as far away as possible from COPPA/FERPA/HIPAA violations. You do not mess with these three laws.

3 Likes

Perhaps, but your objections are with the proposed solution; the case I’m (trying to) make is that the problem being solved is unknown to me, therefore my opinion on the solution has no value.

For all I know you’re pointing out people could hurt themselves on the deckchairs of the Titanic, and they definitely need to be placed elsewhere, or perhaps be painted red. You are likely right, and moving and/or painting them would objectively be better; you certainly have given enough information for me to educate myself on the subject if I wanted to. Realistically however… maybe not the real issue on the Titanic 🙂

2 Likes

Personally, this CLA seems reasonable and it would not have deterred me from contributing.

That said, there seems to be mention of how this would deter others but not much discussion of why that is. The only result of the signing of this contract is to assume risk. The only way this “protects current developers and maintainers” is when this assumption of risk is real and substantial.

So this can possibly protect Blender from being sued only if the contributor’s CLA is fit enough that the contributor could be sued instead (either by a copyright holder or by Blender itself). If it is signed by someone with a made-up name and fake email then that contribution is not fit enough for this purpose and therefore provides no benefit for Blender.

So signing a CLA/DCO has risk and real potential consequence. As the linked document above states, signing one shifts “liability to the sender of the code in the case of any legal litigation”.

Therefore although I would sign such a thing, I can understand how it could cause pause to others.

2 Likes

I’ll try to answer to the main points raised in the last few comments:

  • There is no active legal threat
  • The proposal aims at making contribution handling more robust. Blender has grown a lot over the past few years, and is receiving an increasing number of contributions. On one hand, the “gain commit access” process is not very scalable (and not very privacy conscious), while on the other hand, the “first time PR” is completely free from accountability, making committers responsible for adding the code to Blender. The CLA, which is worded in a friendly and clear way, aims at evening out those differences.
  • I’ve addressed many of the concerns about the collection of personal information. I’m aware of COPPA, GDPR, etc. Not sure what further statement is expected in that regard, besides the fact that the Blender project follows the law when encountering PII-related issues. Unless there are specific complaints or legal claims to be made, I’d like to consider this issue in parallel to this conversation.
  • In general, there has been a lot of focus on the collection of personal information, and I understand how important it is to phrase the request for such information correctly. Will make sure that this is reflected in the form, and check if email and nickname are sufficient info to consider the agreement “signed”. I haven’t heard direct concerns about the wording of the agreement, so I’m assuming that’s ok.

The next step for the proposal would be to work on a mockup of the project.blender.org integration.

Let me know if there are further comments.

After reading at least almost all the nearly universal negative feedback here, this last post appears to ignore the entirety of negative criticism and meet it with a “we’re going to do it anyway”, as if the point of sharing on here was to go through the formality of a feedback process without really caring what important community stakeholders actually think or letting their input have any real say. As a blender user who will likely never contribute code to Blender, I would not have to sign a CLA even if this were implemented, but it reflects a little poorly on Blender leadership.

3 Likes

The question I still don’t understand the answer to is “why”? What is the point? Especially considering that you’ve brought up the idea of no longer needing real names, but nicknames being fine. If real names aren’t being used, there’s no point in any of this. Nicknames + legally binding contract = not legally binding contract. If you’re not collecting or verifying legal names, the CLA is not in any way legally significant or binding. It’s just an extra hoop to jump through. What’s the point?

Try to think about it as a genuine question. We are asking a new contributor: “Before your work is reviewed by the Blender developers, can you confirm that you did write this yourself and that you are willing to share it under the GPL?”

Does that make sense?

We have a bit of a mix of licenses in our repository; this precise wording would complicate, for instance, accepting Cycles patches.

1 Like