This text is a simplified version to make sure Joseph understands what we are asking, and why. The full version of the text is in the initial post.
my bad, missed that.
I'm not worried about that part, and I've never expressed concern about it. I'm concerned about either requiring real names, with the legal baggage that comes with that, or allowing nicknames, in which case there's no point in signing anything, regardless of intent.
Say for instance a Bad Actor who doesn't like Blender decides to submit a patch of proprietary code from Software A and claim it's GPL, using the "real name" Gordon Matthew Thomas. Then, Software A sends a legal notice to the Foundation demanding that the proprietary code be removed and damages paid.
If the real name policy stands, the BF will go after "Gordon Matthew", who doesn't exist, and will be up a creek without a paddle. If the nickname policy is used, the BF can't go after anyone, so they are… up a creek without a paddle. So, the CLA contributed exactly 0 legal protection.
If the real name policy is enforced with verification, this situation couldn't happen, but now you have all the problems that come with that PII, which I've beat to death already, so I won't reiterate. In that case, the CLA still offers 0 legal protection but has also introduced new legal problems.
So if the CLA doesn't offer any protection- what's the point? To verify that code is GPL? The current process already does that. Except it doesn't- the Bad Actor scenario above could still happen right now, tomorrow, and nothing would be different with or without the CLA.
So it doesn't stop bad actors. It doesn't verify code integrity. It doesn't provide any security or relevant information different from what is already there. What am I missing?
I have five middle names and a typo on my birth certificate. If the name requirements you're suggesting were actual law in the United States, I'd be unbound by almost every contract I've ever signed. Legal names aren't a requirement for binding contracts in many, if not most, jurisdictions.
Not to mention the ability to change your legal name: Just because you do that, all the contracts signed with your old name don't suddenly become null and void either.
To play the devil's advocate here, it is probably at least partially a symbolic act so that people who submit something are also aware that they need to adhere to a certain standard - in this case being Open Source Compliant. And some form of legal documentation for that is still better than none for Blender's side of things. If you have something, at least you can argue that it has been made obvious to the submitter and that it was not wilful malpractice on Blender's side of things. Especially now that Blender has gained so much popularity and reach over the last few years.
But personally I would also probably not contribute anything small if I had to sign a more or less legal document with my real name or any verification of it. I am registered with way too many sites already and as soon as I have to register with more than just an email, I'd probably say "screw it" before I submitted anything, as well. But don't take my input for too much weight for code contribution, since I am not a programmer, anyways. This is also very generally speaking from my personal subjective view on any registration process.
A one time checkbox and mail verification like this would probably be the farthest I'd be willing to agree to, if I am someone who is just getting their feet wet:
"I am aware that the code submitted has to be compliant with [code standard] and that I am the author of this code. I guarantee, that I am legally allowed and willing to transfer the rights to the submitted code to this project in [scope of things]."
I hope the foundation recognizes that disclosing contributors' true identities may discourage individuals from embargoed countries from participating, which could be harmful to Blender's development. Anonymity is crucial in such situations. Moreover, the BF might be prohibited from collaborating with developers from those countries legally. Blender has contributors from all around the world. It would be unfortunate if some of these valued individuals were inadvertently caught up in any conflicts.
From my understanding (and please correct me if I'm wrong), the information you put on your Blender ID is the only information that should show up publicly. The information you put into this CLA can only be seen by the Blender foundation (and presumably only when necessary).
Stored data is never safe, despite best intentions.
Data breaches happen all the time, no matter the amount of precautions.
Yes, knowing the identity might lead to needing to comply with international sanctions and related laws. I'm just speculating about potential edge cases and considering if alternative trust paths might be more effective.
Requiring contributors to submit their legal name is hostile to transgender contributors, as changing your name is often a long and tedious process, and it is not uncommon for many people to put it off assuming it's possible in their jurisdiction at all. If a person has not been able to change their name, requiring that they submit it to contribute to the project is a requirement of self humiliation.
I brought this point up earlier and it was, sadly, completely ignored. It would be nice to see any kind of acknowledgment of even thinking about the impact this might have on people. Maybe more voices can bring that about
After further researching regulations around the PII topic, and consulting with a lawyer, I confirm that the requirement for a name can be made optional, and the name can also be a nickname. The "name" will effectively be a voluntary piece of information that a contributor can provide to make identification easier in case of a copyright related dispute.
I believe this addresses most of the concerns raised regarding personal identification, including the last few posts. Let me know what you think!
Thank you for listening to community feedback. I still have lingering questions about the utility of all this, and I'm fairly sure I always will, but you've done a fantastic job clearing up the concerns about PII and communicating about this effectively
I believe this addresses most of the concerns raised regarding personal identification, including the last few posts. Let me know what you think!
That resolves my concerns, provided it is well communicated to contributors that the name is entirely optional and does not have to be a legal name.
Thank you for hearing me out <3
Thanks, Francesco. If (especially real) names are optional, then this should be totally fine.
Thank you for the positive reactions! I'll share an update with next steps in the future, as we look into designing and prototyping the integration in projects.blender.org.
Thank you for the positive reactions!
The positive reactions? AFAIK, the majority of reactions have been mostly negative, even on the BlenderArtists forum.
I'll share an update with next steps in the future, as we look into designing and prototyping the integration in projects.blender.org.
Yet, you continue to move forward to implementing it.
This upcoming CLA requirement will certainly make some volunteering contributors hesitate before participating in the Blender development (resulting in fewer PRs from external developers).
You likely missed this post?
Like some others, I just question the usefulness of adding this CLA, especially now that it has been clarified that providing a real name is optional and contributors can simply use a nickname.
I also have some fears about the process itself of filling in this information (not about its implementation but that this step could be seen as a constraint), that it could make some contributors not want to participate in the Blender development because of this extra requirement.