Zope contributor agreement process

Hello all,

As part of the move to having the Plone Foundation manage the legal aspects of the Zope codebase we're working on unifying the contributor agreement processes.

To do so, we're going to start using the Plone contributor agreement to grant access to the Zope codebase. This will result in a few changes:

1. A reference committer will no longer be required to sign the contributor agreement. This will reduce the barrier to entry for new contributors. We're no longer on SVN, the advent of Pull Requests has removed the need for this reference process.
2. The assignment of copyright will be 100%, not 50%. There will be a reciprocal, royalty free licence to ensure you have the same rights. The reason for this is based on legal advice that it improves the enforcability of the licence in many countries.

Thanks, please do follow up with any questions or comments

Hi Matthew,

Is there any visible documentation about the status of the takeover process? I'm just asking because I'm trying to gauge how "watertight" it is to bind new contributors to the Plone Foundation.

If it is legally watertight, can you point me to the PF documentation for new contributors? I can then point people to that from e.g. the re-done www.zope.org that we finally have full access to again.

jens

Hi Jens,

I actually already committed some updated instructions to the new website repo yesterday, but I've got some WIP documentation on plone.org that I'm having the board review to make sure its watertight, as you say. The agreements definitely are from a legal perspective, there's been a lot of work there which @polyester knows in detail.

If you can let me know your plone.org username I'll be happy to add you to that doc to give feedback.

There's no real documentation on the status of the takeover project, it's been quite ad-hoc until now, but I really want to make it more structured. Would you be willing to be part od that?

Matt

I expect all existing ZF committers will have to sign the new agreement if they want to continue contributing?

The assignment of copyright will be 100%, not 50%.

Psychologically, the 50% bit made it easier for me to decide to sign the ZF agreement. I don't know how I feel about the 100%.

I googled up the Plone CA, and I'm a bit unclear on some of its terms. Specifically, the Contributor’s Agreement for Plone Explained page says

Can I grant the Plone foundation a non-exclusive license to my contributions rather than an exclusive license, so that I can contribute the same code to other projects under different terms or use the contribution for other commercial endeavors?

Not under the current version of the contributors agreement.

but the agreement itself says

When you assign to the Plone Foundation the copyright in the code you wrote, we automatically grant back to you a royalty-free non-exclusive license to use or license the code you assigned to us any way you see fit.

which seems like it means exactly the opposite?

Hi Matthew,

I just noticed the updates and saw you replaced every mention of the ZF with the PF, which is fine, but which will inevitably lead to constant questions about what happened with the ZF. I will add some of that back in today or tomorrow and then publish the latest version.

My plone.org username is dataflake.

Even during my time as the ZF board secretary I had stayed away from anything regarding legal aspects of the ZF. I wasn't on site in the US and I am not firm on the laws governing such foundations. So I don't think if there's anything I can contribute.

jens

@mgedmin I totally understand what you mean about the 50% thing psychologically, but the idea of a contributor agreement is to make sure that everyone's on the same page, no matter where they live. And, it's only really useful when there's a disagreement of some sort. For example, if someone violates the licence agreement.

For example, many countries have a concept of both moral rights and exploitation rights, but the boundaries between them varies significantly, as does the terminology used. In the UK, at least, assigning the copyright would assign the exploitation rights but not the moral rights, and assigning 50% of copyright isn't a thing. It might be interpreted as meaningful by a court, but it doesn't have an inherent meaning. In other countries, assigning 50% of copyright can be viewed as assigning the exploitation but not the moral rights, or as not assigning anything as it's not a strong enough intention to assign rights. It's actually worse than that, because much of the way the law is practiced is in looking at probabilities. If we have an unclear ownership situation because of the contributor agreement the foundation might be advised not to pursue someone who broke the licence agreement because they could argue that the foundation doesn't own the code, changing the case from proving infringement to proving ownership.

The Plone contributor agreement is the result of lots of consultation with lawyers over the years, and I know there's been more consultation since to try and improve it that didn't result in a concrete update to the agreement precisely because of these thorny issues (but I wasn't involved in them and can't give more detail).

So, contributors will have to sign an agreement, the Zope agreement contains clauses that Plone has previously been advised are not enforceable, or are less enforceable, so the natural one to use is the one we've had legal advice signing off on.

As for the specific licence question, I can see why it's confusing, but it's not actually contradictory. The way it works right now for Plone is that contributors assign copyright to the foundation, and the foundation gives a licence back to the contributor that grants more rights than the GPL (or ZPL, or any other open source licence). That allows the author to do anything they want with the code without actually owning it. What it doesn't allow is for them to give or sell the ownership of the code to someone else. So, you can contribute it to an open source project under a different licence if that project doesn't require copyright assignment (and there are some, but for complex legal reasons it's less preferable; it's effectively a bet against the future that you won't want/need to do some things). You remain the author of the code, but not the copyright holder.

The FAQ entry was asking if this can be done the other way around, can the author remain the copyright holder and give a similar licence to the Plone Foundation. That's what the agreement doesn't allow right now. There are a few rights that rest only with the copyright holder, mainly the right to sue people for copyright infringement. If the foundation didn't have that right it would be hard (but not impossible) to enforce that Plone stays open source.

All that said, the whole point of an open source foundation is that it does what the community wants. If this is a super big deal for people (or for one person who wants to spend time on it) then we can direct the foundation to go back to consult more lawyers, and we can have a discussion as a community about precisely what we want the licence to cover.

@dataflake The draft is at https://plone.org/foundation/contributors-agreement/zope-transfer but please bear in mind that it's only a draft. I'd really welcome any suggestions.

I didn't expand on the ZF stuff in the website, no. I did leave a reference to it in the about the foundation section, but I am all in favour of adding more context in. Thanks for looking at that, and for getting zope.org back up and running.

At some point soon we're going to have to go over a lot of the details of transfer, including things like domain names and hosting. I don't know who's currently paying for those, but it should be the Plone foundation from now on. Also, it would be good to have you in contact with the infrastructure and docs teams. I don't know if you enjoy doing website admin things or not, but if we get the Zope websites integrated into the Plone teams then you can either join those teams and focus on the Zope things or forget about the bits you don't enjoy doing and focus on the things you do. Whatever you like.

Hi Matthew,

First of all, is the Plone Foundation not the legal successor to the Zope Foundation? The requirement for every contributor to explicitly sign a new agreeement appears to suggest otherwise.

Secondly, I'm surprised this requirement has not been communicated, yet at the bottom I see a deadline of 6/30. When were you planning on telling existing contributors about it?

Last but not least, I'm surprised that the contributor agreement requires filling in a program name. How does saying "Zope" here cover everything else in the zopefoundation GitHub organization?

Oh, and I'm just noticing, what is all that stuff on page 3? The instructions don't mention what to do with those questions. If it's not required it should be communicated clearly in the instructions.

jens

@dataflake Yes, the Plone foundation is the successor to the Zope foundation. If it hadn't been we would have had to shut down contributions on the day of the meeting that did the transfer until we got new agreements sorted out. If that had been the case then the ZF would have started accruing copyright again.

In my mind, the reasons to get everyone to re-sign goes back to enforcability, it's easier to enforce an open-source licence if documentation on ownership is thorough. It'll be much harder to enforce the licence with respect to contributions only covered by the Zope Foundation contributor agreement as the Plone Foundation would not only have to prove infringement but also prove the assignment of rights is legally valid and that the legal successor status is legally valid. We all believe it is, but if we ever have to go to court we'd have to prove it and that takes time, money and effort. That also adds in additional relevant legal jurisdictions, as the court has to consider the laws of the place the infringement happened, the laws of the places the code authors live and Delaware corporate law.

Again, as I say above, if people are enthusiastic about working on better legal agreements that are binding and enforcable in all the many countries we have contributors from, I'm sure that the Plone Foundation will absolutely be up for working on this more. Right now that is a long and involved project that currently has no volunteers. It doesn't make sense to me that we hold up incremental improvement that we can do immediately waiting for a better incremental improvement that has no ETA.

As to the second point, I apologise. I re-read my original message and it's unclear. I think @mgedmin read it the way I intended, but that's not sufficient. The intention of this thread was to communicate the suggestion that we do this. I think I must have assumed that re-doing the existing agreements was clear from context, but obviously it wasn't.

I don't speak for the Plone Foundation, I'm a volunteer trying to fix problems and seeking feedback from the community. The whole point of posting this was to make the suggestion public and hear reactions from people. There's a lot of flexibility in this, but it's all trade-offs. If you feel strongly that it's a bad idea to redo the agreements then it would be great if you could explain the specific reasoning.

Regarding communicating the deadline, remember that you're looking at an unpublished bit of guidance. There isn't a deadline, there's a placeholder for one. Do you think that 6 weeks or so is too short a period? I'm not sure about the third page, I'd forgotten it was there. I'll have to get advice on that.

The use of "Zope" as the name of the program is based on what we do for Plone, which again is the product of advice over the years. If there are any things in the Zope Foundation github that could not be considered to be Zope then that's an important thing for us to consider, but AIUI a lot of this is based on showing clear intention.

By the way, I also pinged everyone who has access to the git organisation over on Github pointing to this thread. I would have sent an email to the dev mailing list but it appears I stopped receiving the emails back in 2013 and although I've re-subscribed I've not been approved yet.

Anyway, as of yesterday we've formed a new team to handle the Zope transition in a more orderly way, as I mentioned above was my desire. Next week we're going to be trying to convince people they want to help with that and your name is literally at the top of the list of people to speak to. I'm travelling at the moment and in a non-European timezone, which makes it hard to have discussions about planning out work.

Hi Matthew,

I really appreciate the long explanation. I am sure you've been getting the same kinds of questions over and over again.

I personally don't mind signing a new agreement. I just wanted clarification why it was needed if the PF is the legal successor. Your points are valid and I agree. It's a matter of reducing risk all around. Now I can explain that if someone asks me.

Thanks for clarifying the deadline. I noticed in your new message to the zopefoundation developer group you left that open. To me, the 6 weeks felt short for the type of contributor that's touching any of this very infrequently. I personally would set a 3 month deadline and publish that wherever possible. I can get you into those Zope mailing lists again if you send me the email address you used to subscribe back in the days, the Mailman server is on the machine I have access to.

About the "program" field on the agreement, if the lawyers say that's OK then I won't disagree. It just feels odd. I would classify "program" as a single software package. Unless they mean something like a "development program" that encompasses a range of activities. There's nothing in the zopefoundation organization that needs to be excluded for some reason.

I'm open for helping. Most of the time I'm also in a non-European time zone, I'm on US/Central.

jens

Thank you for clarifying this!

The ability to contribute the same code to multiple FOSS projects is why I was concerned about the 100%.

Thanks, @MatthewWilkes, for the clear explanations, and your active role in the process!

About that "program" field on the agreement: of course it would be better to change that to a more generic catch-all description along the lines of "all software owned by the Plone Foundation".
But all changes to the CLA take time, as they have to be checked with legal advice in various jurisdictions. And since we rely a lot on the goodwill of people in the FSF and FSFE (the European counterpart) who are very busy people, we will need an interim solution.

Re-signing is a hassle, we know, but it does reduce risk overall. The 50% clause simply is not valid in many jurisdictions, including some where the most active contributors are. And as Matthew explained earlier, it will make it easier for the PF to ensure that Zope remains open source and that we can stand our ground on that if needed.

There is also other work to be done: domains, servers, infrastructure. There will be a team formed to guide that, in which we hope active members of the Zope community will participate. And in future there should a team to steer the technical direction of Zope.

As Board of the PF we will do our best to make the transfer as easy as possible. Yet there will be some friction points, such as re-signing CLA's. Undoubtedly there will also be some disruption like DNS changes, and discussions on how to best integrate the Zope infrastructure so as to minimize the load on the volunteers that run the Plone infrastructure.
With a bit of patience and pragmatism from everybody, that should all be doable, though it may take some time.

Lastly, we do hope that active members of the Zope community will also become official Members of the Plone Foundation. We're still working out what would be the simplest and most expedited process to get that done for those who want to become members. It may take a little while, but be assured we're working on it - so we can also officially extend the welcome.

Paul Roeland