WEBVTT 00:00.000 --> 00:27.000 I think we should just go into it and you don't need anything to do, I think we should just go into it and you don't need anything to do, I think we should just go into it and you don't need anything to do, I think we should just go into it. 00:27.000 --> 00:43.000 Yeah, so hello, let's start. I'm afraid to have such a big audience. I'm actually sort of shavage licensing and compliance manager at the e-free software foundation. I will facilitate the panel about managing copyrights in free software projects. 00:43.000 --> 00:57.000 Apologize for everyone who needed some kind of introduction will just dive quickly deep into a very detailed issue of copyright assignments and the developer certificate of origins. 00:57.000 --> 01:09.000 We don't have much time, but I hope we can focus on really important details. Thanks for having this panel to the organizers and thanks for the panelists that you found time to join us. 01:09.000 --> 01:19.000 I'd like to start with a short round of introductions, so like can you just tell a few words about yourselves? Would like to start? 01:19.000 --> 01:32.000 Okay, hi everyone, so I'm Ludovic, I'm Co-Maintainer of Gall, which is an implementation of this game programming language and founder of Geeks, which is a package manager and this tool. 01:32.000 --> 01:44.000 My name is Craig Topman, I'm the Copyright and Licensing Associate for the Free Software Foundation and one of my many duties is the copyright clerk, which handles the copyright assignments for the FSF and Genew. 01:44.000 --> 01:51.000 Hello, my name is Andrea Coralla, I'm a new contributor for the genital chain, so GCCB News is well-lapped. 01:51.000 --> 01:57.000 I must contribute to it, and I must maintain it, during my daily job, I must see if you will architect it. 01:57.000 --> 02:09.000 Hi, my name is James Baltimore, I'm a Linux kernel maintainer, and back in 2005 when the DCA was first invented, my job was to evangelize it throughout the industry, so it became industry standard. 02:09.000 --> 02:20.000 Hi, I'm Karen Sandler, I'm the executive director of Software Freedom Conservancy, I am also a lawyer and lecturer in law at Columbia Law School. 02:20.000 --> 02:27.000 And I'm really excited to be here, I was going to say more, but we should keep the shirts, so we can talk about the stuff. 02:27.000 --> 02:34.000 Yes, thanks a lot, I hope we can add a bit later, so I'd like to start with Andrea. 02:34.000 --> 02:53.000 So you are an entertainer in a project that chose to accept copyright assignments, require assignments, so maybe you could tell you from your own practical perspective, how does it work, what are the questions that you get from contributors, what's the workload? 02:53.000 --> 03:08.000 Yes, typically it works like that, say we receive a patch from a name which is not familiar to us, so one of the maintainers has to look in the copyright file to see if this contributor has assigned copyright. 03:08.000 --> 03:14.000 If it's not the case and the patch is not trivial, then we ask the contributor if it likes to assign the copyright. 03:14.000 --> 03:27.000 Typically it says yes, if it's a case we send him a questionnaire with a few questions to be filled, which I believe has to send to be sent back to usignet.org, whatever. 03:27.000 --> 03:39.000 Then he gets in contact with FSF, he gets, I believe, two paper works to be signed, one is for him to send the copyright, the other of it is from the employer, if he has one. 03:39.000 --> 03:48.000 When all this paper work is done, we get a feedback from FSF that the copyright file is okay, and then we can accept the patch. 03:48.000 --> 03:54.000 So in terms of workload, that's essentially what we have to do. 03:55.000 --> 04:10.000 I think general is speaking from my perspective, it works quite well, because in my experience the vast majority of people who discover how to send a patch for renewing max, they are willing to do the copyright paperwork. 04:10.000 --> 04:22.000 What I find that perhaps is not optimal and we should work on it is that only the containers from the group perspective can access the copyright file. 04:22.000 --> 04:30.000 So all the people that are maintaining subsystem in the max don't know who are official the people who are on copyright file. 04:30.000 --> 04:41.000 And so for this we cannot delegate all of that. So there are only three people in the max project as to handle all this workload, which I think it's a bit suboptimal. 04:41.000 --> 04:58.000 For the rest, I don't think it's a big problem, the patch typically has to be on all the processes finished, which is typically one to weeks, whatever, you tell me. 04:58.000 --> 05:02.000 People are happy to send a copyright, that's my experience. 05:02.000 --> 05:04.000 Okay, thanks a lot. 05:04.000 --> 05:06.000 Could you pass the mic to Ludovic? 05:06.000 --> 05:20.000 Because I wanted to also ask for a different perspective, so you're a maintainer or a commentator and projects that have assignments optional. 05:20.000 --> 05:30.000 So maybe could you tell us more how this option works and why did you decide to step away from the assignment? 05:30.000 --> 05:38.000 Right, so I'm a co-entainer of a guy and a guy historically always required copyright assignment for contributions. 05:38.000 --> 05:48.000 This is a decision that was made in the early days of the project before and then we go on myself became co-mentainers, so we just followed that process. 05:48.000 --> 05:56.000 And three years ago, I think we decided that copyright assignment was a barrier to entry. 05:56.000 --> 06:06.000 It's not the only one we have other problems in the project that we, when it comes to accepting patches, etc., like any free software project. 06:06.000 --> 06:16.000 But still, this was a barrier to entry and we felt like the cost-benefit ratio was becoming too low, too bad. 06:16.000 --> 06:26.000 And so we thought maybe we could just keep everything in change for existing contributors, people committed to developing the project. 06:26.000 --> 06:40.000 But allow newcomers to contribute without having to go through the copyright assignment process, which can take, you know, some time depending, you know, some time it can take quite a bit of time, sometimes less. 06:40.000 --> 06:48.000 But still, a guy is a project where people can make easy contributions, so it's becoming quite large. 06:48.000 --> 06:58.000 So some contributions typically come from people committed to work for a long time, but others can be made by people who might send just one patch to the project. 06:58.000 --> 07:04.000 And we want to be able to accept those contributions without having this extra barrier, essentially. 07:04.000 --> 07:10.000 And so what we chose was to allow contributors to choose what they're going to do. 07:10.000 --> 07:18.000 So if someone committed, can say, well, I prefer to assign copyright to the FSF, and in that case that's what happening. 07:18.000 --> 07:24.000 But others can say, well, no, I just want to fix this particular problem and get my patch applied, and that's it. 07:24.000 --> 07:26.000 Okay, thanks a lot. 07:26.000 --> 07:30.000 Could you pass the mic to Karen? 07:30.000 --> 07:47.000 So your perspective is, I think, yet one more different perspective, because the SFC, you have your own assignment policy, but you also, as a lawyer, I assume you have a lot of thoughts about this process. 07:47.000 --> 07:59.000 So how would you like to comment on these two approaches, or maybe given the illegal ramifications, you have some comments, what's your. 07:59.000 --> 08:07.000 So for freedom, conservancy, copyright assignment is optional for remember projects, and then we take assignments for non-member projects. 08:07.000 --> 08:13.000 And it's very easy, we have an online assignment form, and you can just go ahead and do that and that's very helpful. 08:13.000 --> 08:22.000 I would want to say, like, you know, generally speaking, when you have a strong copyright license, having diversity held copyrights, has a real advantage. 08:22.000 --> 08:28.000 And so when we do copyright assignments, we're aggregating those copyrights in single entities potentially. 08:28.000 --> 08:32.000 When those entities are companies, that can be a real problem. 08:32.000 --> 08:41.000 But even with nonprofits, when you aggregate those copyrights together, making sure that those nonprofits have good governance is a really critical piece of that. 08:41.000 --> 08:49.000 And having some of the copyrights assigned, so you have a weight of aggregation means that you can do something with those copyright assignments. 08:49.000 --> 09:00.000 You can take action, like we have done at software freedom, conservancy, and so making sure that you have those actions that they're done in principal ways and that they're, you know, 09:00.000 --> 09:07.000 brings weight to that copyright left licensing that otherwise simply doesn't exist. 09:07.000 --> 09:13.000 Just because you license your code under a copyright left license, doesn't mean that someone will actually do it. 09:13.000 --> 09:16.000 They're supposed to make it the secret. 09:16.000 --> 09:25.000 And making sure that there is enforcement out there is extremely important in having those copyright that copyright aggregation is a tool to be able to do that. 09:25.000 --> 09:36.000 And so, you know, we at software freedom, conservancy, have used that aggregation and I think it's incredibly important in seeing the different ways in which different projects do it. 09:36.000 --> 09:38.000 You know, I think is notable too. 09:38.000 --> 09:41.000 I mean, I'm not sure what to add from a legal perspective really. 09:41.000 --> 09:46.000 But you know, if people had questions, I would be happy, did you have anything specific about the legal or ramification? 09:46.000 --> 09:52.000 Well, okay, so maybe let's leave it for now. I hope we can still have some time for questions, maybe you can add. 09:52.000 --> 10:02.000 Yeah, okay, so could you pass Mike to James? So James, when we emailed about the panel, you described yourself as a DCO advocate, well known DCO advocate. 10:02.000 --> 10:07.000 So I wanted to ask you as the strong proponent of DCOs. 10:07.000 --> 10:16.000 What are the benefits of DCOs? And if there are any drawbacks, you can name maybe you could also tell us how DCOs works. 10:16.000 --> 10:30.000 Yeah, sure, so the main different, well, to go back historically, the reason why the Linux kernel has a DCO is because we saw copyright assignment, which was then the preferred model of the FSF as a significant barrier to contribution. 10:30.000 --> 10:39.000 One, and two, Linus Tuvels just was not prepared to run the admin required to do it, even though the OSDL is that then was would have helped him. 10:39.000 --> 10:48.000 So we insisted that the OSDL design a new process that helps us. So the DCO is effectively a representation on behalf of a developer. 10:48.000 --> 11:00.000 This is actually has legal force because it's a promise that a developer made that they, you know, they have the right to contribute or they know the person who wrote the code and he has the right to contribute and so on. 11:00.000 --> 11:06.000 So it provides that legal framework, but all of this came out of the school lawsuit against Linux. 11:06.000 --> 11:11.000 And the primary problem we had was that we needed to trace the origin of every patch in the tree. 11:11.000 --> 11:17.000 So if you gave me a line of code, I would be able to say who effectively was the final sign off on that. 11:17.000 --> 11:23.000 So if we have a problem with that code rather than getting sued over it, we can simply remove it. 11:23.000 --> 11:39.000 And so there are two things that underpin the DCO. One is the representation, but the other is tracking through the source tree of exactly how that code got into Linux kernel, which allows us to do something about it if there's a problem. 11:39.000 --> 11:49.000 And we believe thanks to evangelization throughout the industry that the strengths provided by DCO, particularly as Karen says, the distributed copyright ecosystem, 11:49.000 --> 11:54.000 I equal to the strengths that you would get if you did just did ordinary copyright assignment. 11:54.000 --> 12:06.000 When I first started this, that wasn't true because the DCO was largely an unknown process, but by making that process standard the industry, everybody knows how to do it, everybody knows what it is. 12:06.000 --> 12:19.000 It's incumbent on company's contribution to the Linux kernel to find out what the DCO means to them, rather than us having to prove that we explained it to them, which is a great strength within the industry. 12:19.000 --> 12:20.000 Okay, thanks. 12:20.000 --> 12:30.000 I just wanted to add one other piece that I should have probably said, which is that the assignments are very, very helpful when you have when people die and their copyrights are inherited by their errors. 12:30.000 --> 12:44.000 And we have had situations where we've had to do tricky kind of code relicence issues and having to go and find the the errors of the copyright holders and explain to them that we've got 15 minutes left by the way. 12:44.000 --> 12:55.000 You know, other than, you know, explaining to them why they would want to agree to a relicencing and sometimes the people who are the surviving errors don't understand free software at all. 12:55.000 --> 13:18.000 I do want to say that if you if you're not assigning your copyrights, please have a conversation with your loved ones who will inherit your copyrights to explain to them that you care a lot about software freedom that you care about the free licensing because we have had errors say my spouse care you know care I hear what you're saying that they cared about free software, but actually they cared about me more. 13:18.000 --> 13:34.000 And if you pay me a huge amount of money I will relicence my code and what happened in one of those instances was that code, you know, turned out to be not that important it was written around and that person's contributions are no longer a part of the code base, which is really just so heartbreaking. 13:35.000 --> 13:42.000 One point that Karen forgot there which is copyright assignment does not overcome something in the US called revocation. 13:42.000 --> 13:58.000 So the airs may still be able to claim copyrights even if you've been assigned. So it's important if you want to do this not only to assign your copyrights in your lifetime, but you also have to will them to whoever you gave them to in your will so that it actually is binding after your death. 13:59.000 --> 14:03.000 Yeah, well, these are these jurisdictions specific. 14:03.000 --> 14:06.000 Yeah, specific, but it's an important point to bear in mind. 14:06.000 --> 14:18.000 Okay, so I'd like to finish this first round by asking Craig, could you present the FSF's perspective on copyright assignments? 14:18.000 --> 14:21.000 How does the purpose, how does it work? 14:21.000 --> 14:31.000 Well, the purpose is for enforcement of the GPL for the GNU project and currently the optimal way of doing this is by the copyright holder. 14:31.000 --> 14:38.000 This may change in the near future, but currently globally copyright is something that can be enforced this way. 14:38.000 --> 14:48.000 Other advantages if we're going to have to rely on some of its works, the copyright holders and the person that can do that. 14:49.000 --> 14:58.000 So, I'm on a blind, sorry. 14:58.000 --> 15:16.000 Well, from let's say the bigger picture, so because that's the kind of procedure, but I think when we're talking about this, you said a lot about the world is kind of ideological perspective. 15:16.000 --> 15:21.000 Why the FSF is doing this, so maybe we wanted to elaborate. 15:21.000 --> 15:27.000 I did have more to say, but I just appealed times very limited, and I'm going to open it up for questions. 15:27.000 --> 15:28.000 Okay. 15:28.000 --> 15:36.000 All right, so I still have a question, a couple of questions, then we can maybe give it to the audience. 15:36.000 --> 16:04.000 So I also wanted to ask Karen, especially like we just had the presentation about enforcing the GPLs by user, the Sebastian, and so from the perspective of this so called third party rights, third party enforcement, which is a way that you can go after the GPL violation. 16:04.000 --> 16:10.000 How do you find assignments important given this third party rights enforcement? 16:10.000 --> 16:20.000 Right, so those are two completely different ways of getting to the same result of having the company be compelled to produce their complete and corresponding source code. 16:20.000 --> 16:33.000 But they're different legal mechanisms, and so within the free and open source software communities, we want to make sure we maintain all of our levers to be able to compel and compliance amongst companies. 16:33.000 --> 16:46.000 And so I think, you know, as there, there have been court cases and various rulings and different jurisdictions relating to copyright licenses and the GPLs in particular. 16:46.000 --> 16:58.000 So I think it's not quite as unsettled as maybe some people think, but at the same time, you know, different approaches will work differently in different jurisdictions. 16:58.000 --> 17:01.000 So we really need to maintain all of our options available. 17:01.000 --> 17:06.000 It's extremely important for these licenses to have meaning for them to be enforced and to have effect. 17:06.000 --> 17:15.000 So making sure that we have copyright assignment with organizations and groups of people that will actually be able to take action is incredibly important. 17:15.000 --> 17:26.000 And so copyright assignment making sure that we have good governance and organizations where we are aggregating copyrights and aggregating those copyrights to begin with means that we as a community have that power. 17:26.000 --> 17:33.000 Having copyright assignment is a compliment to also being able to enforce using third party beneficiary rights and purchasers rights. 17:33.000 --> 17:38.000 So I think we want to make sure we have every avenue and not limit ourselves to one. 17:38.000 --> 17:42.000 So just from the kernel's point of view since we have no copyright assignment. 17:42.000 --> 17:52.000 The kernel itself is a fiercely independent body of people, and part of the reason for not having assignment is they didn't really trust anybody else to act on their behalf. 17:52.000 --> 18:02.000 And so the mechanism for enforcement within the kernel is that all individual copyright holders as Harold Velter famously did in the initial instance are still able to enforce their copyrights. 18:02.000 --> 18:08.000 So this effectively gives us a community enforcement mechanism which we see as matching the values and philosophy of the kernel. 18:08.000 --> 18:11.000 It's not to say that signing to a foundation is wrong. 18:11.000 --> 18:16.000 It's just that if you're a fiercely independent community, you can use this as your sole mechanism. 18:16.000 --> 18:22.000 I completely agree and that's why we also have the Linux kernel copyright aggregation project. 18:22.000 --> 18:27.000 And so some Linux kernel developers have assigned their copyrights to suffer freedom conservancy. 18:27.000 --> 18:32.000 And so that works very well in conjunction with also having individual developers doing their enforcement. 18:32.000 --> 18:40.000 But we do see issues in terms of how successful that enforcement can be as individuals and so having aggregation also helps. 18:40.000 --> 18:44.000 So both of both approaches within the Linux kernel which is fascinating. 18:44.000 --> 18:58.000 So I think that the one of the important topics here is to protect project from violation claims, for example from the employers. 18:58.000 --> 19:12.000 And so maybe Craig could you tell us more how copyrights assignment process in the FSF is designed to protect the project against employer claims. 19:12.000 --> 19:20.000 So one of the mechanisms that we have is we require people that are employed to program to sign a have their employer sign a disclaimer, 19:20.000 --> 19:26.000 basically saying that they have no interest in this and they won't do anything to affect it into the future. 19:26.000 --> 19:35.000 This is important because both employers and universities can get really aggressive with lawsuits and making claim on their employees work. 19:35.000 --> 19:48.000 I've come across employees who their employment contract stipulates that the employer not only controls what they do it work, but also controls what they do in their free time and on their own equipment. 19:48.000 --> 19:51.000 That's pretty rare, but I've seen it more than once. 19:51.000 --> 19:56.000 And that's a little alarming in my opinion if that was my employer. 19:56.000 --> 20:02.000 But yeah, just a claim or so they won't turn around and say that this code belongs to them. 20:02.000 --> 20:06.000 Okay, thanks and I still want to ask Andrea and Ludovic. 20:06.000 --> 20:10.000 Again, from your perspective, your experience. 20:10.000 --> 20:19.000 Have you ever experienced some kind of issues coming up after the either this highman or the this year was delivered? 20:19.000 --> 20:23.000 Well, any basically legal problems or other issues? 20:23.000 --> 20:26.000 No, we've never had any such experience. 20:26.000 --> 20:31.000 The thing is, Guy and Geeks are two volunteer primarily volunteer driven projects. 20:31.000 --> 20:37.000 So they're, I guess, the whole class of problems that we are less likely to have at this in the situation. 20:37.000 --> 20:40.000 I mean, it's not Linux, it's not GCC, right? 20:40.000 --> 20:44.000 It's pretty different. So our priority was really to priority. 20:44.000 --> 20:48.000 Well, to make sure we can receive, you know, contributions from volunteers. 20:48.000 --> 20:54.000 In that case, for example, the employer claims are less likely to be a thing, I guess. 20:55.000 --> 21:01.000 Yeah, question for Gene. So with the DCO, let's say someone signs us on a work that used the DCO, 21:01.000 --> 21:07.000 what is stopping that contributor from turning around and asserting a patent right on their contribution? 21:07.000 --> 21:12.000 Well, the thing that stops a contributor asserting a patent they own on the contribution is the license. 21:12.000 --> 21:17.000 So we rely on the patent properties of the license to do this. 21:17.000 --> 21:22.000 Well, DCO is just a representation that you're contributing under the license. 21:22.000 --> 21:27.000 If the license has no patent clauses, then obviously, patents are not bound by it. 21:27.000 --> 21:29.000 And you need some other mechanism to do it. 21:29.000 --> 21:34.000 It was designed to work with GPL2, which has an implied patent license. 21:34.000 --> 21:43.000 So effectively, at least in the Linux kernel, everybody who signs off on a DCO is implicating patents 21:43.000 --> 21:47.000 their own, but it's actually also a fact that not a lot of developers own patents. 21:47.000 --> 21:54.000 So most of the patents we worry about are owned by third parties, and wouldn't be captured either by a contribution 21:54.000 --> 21:57.000 signing a contribution agreement or by the DCO. 21:57.000 --> 22:03.000 So, in effect, we actually have a very different mechanism called the open invention network 22:03.000 --> 22:09.000 that actually provides a patent shield around the Linux kernel and helps us with a lot of patent problems 22:09.000 --> 22:15.000 that you can't solve just with licensing and even contribution agreements or copyright assignments alone. 22:15.000 --> 22:24.000 So, I think we have less than three minutes left, so maybe we can start asking. 22:24.000 --> 22:27.000 I don't want to go one more. 22:27.000 --> 22:29.000 Oh, I'll be clear. 22:29.000 --> 22:34.000 Yeah, so I see a question here, maybe you can just start collecting them. 22:34.000 --> 22:44.000 Two simple questions. 22:44.000 --> 22:50.000 One, suggestions in academic work to be placed in open source. 22:50.000 --> 22:57.000 And two, how do you handle a tainted contributors that you have to take out of the code, 22:57.000 --> 23:04.000 because of legal status, blockades, whatever. 23:04.000 --> 23:06.000 Well, I can take that. 23:06.000 --> 23:12.000 And it's with both copyright assignments and the DCO you have to have record keeping. 23:12.000 --> 23:14.000 This is answering your second question. 23:14.000 --> 23:21.000 So, if somebody is a bad actor and they signed an agreement wrongly or they did a sign off by wrongly 23:21.000 --> 23:23.000 and you actually have to remove their code. 23:23.000 --> 23:29.000 In the DCO case, we have all the sign off by throughout the source code repository and the whole metadata 23:29.000 --> 23:30.000 of the get tree. 23:30.000 --> 23:35.000 So, I could identify every line that contributed to touched and it would be a decision of somebody 23:35.000 --> 23:37.000 in the project, what we do about that line. 23:37.000 --> 23:43.000 With copyright assignments, it's a slightly more manual process, because you've got the bad assignment. 23:43.000 --> 23:46.000 You then have to map that back to all of their contributions. 23:46.000 --> 23:49.000 But again, as long as you've got a strong source control system, 23:49.000 --> 23:53.000 even in the copyright assignment project, you can do this slightly more manual. 23:53.000 --> 23:58.000 But a script could do it for you, and you could again take out all of their code if you had to. 23:58.000 --> 24:04.000 But the point about this is, bad actors in both systems were not caught by the fact, 24:04.000 --> 24:08.000 just because they signed a copyright agreement, even though they're a bad actor, 24:08.000 --> 24:12.000 even if there's some penniless person, you can't really see them. 24:12.000 --> 24:17.000 You just have to remediate the problem, and the remediation is to take out the code in both cases. 24:17.000 --> 24:23.000 So, in neither case, did the DCO system score better or worse than the copyright assignment system? 24:23.000 --> 24:25.000 Anybody else want to? 24:25.000 --> 24:27.000 Hi, I'm Mark Prudemov from the App Fair Project. 24:27.000 --> 24:33.000 I run a project that does require copyright assignments or actually contribute to your license agreement. 24:33.000 --> 24:38.000 There was some talk about the amount of friction that can add to the goto project and why they don't do it. 24:38.000 --> 24:46.000 All we do is just have people edit a text file and add their username and add it as a full request to the geto repository. 24:46.000 --> 24:54.000 Is that considered sufficient or do you need a lot more legal ceremony in order to be able to obtain copyright assignment? 24:54.000 --> 25:01.000 So, I think that this is a little bit different from jurisdiction to jurisdiction, but it generally a copyright assignment has to be in writing. 25:01.000 --> 25:04.000 And so, just editing a file to add your name.