[zeromq-dev] [ANN] zmq.rs - native stack of ØMQ in Rust

Robert Kern robert.kern at gmail.com
Thu Jul 3 17:43:30 CEST 2014


On 2014-07-03 12:57, Pieter Hintjens wrote:
> Our process bans patches delivered any way except via the GitHub
> fork/merge process. That can only happen from public forks, thus any
> patch is published (and optionally licensed) before the author can
> start making a pull request.
>
> We simply don't accept patches provided any other way. So the question
> is, what's the license on a derived work published on GitHub? IANAL
> and TINLA however it seems clear that with a share-alike license, the
> derived work is by definition published under the same license,

This is not correct. The act of publishing a derivative work does not 
automatically license the derivative work in any particular way even when the 
original license is share-alike. You don't have *permission* to publish it any 
other way, certainly, but that doesn't stop one from doing it in error. They can 
still fix their error by removing the derivative work. They do not have to 
license it to you under any given license. Violating the upstream license just 
means that you lose the ability to distribute the derivative work.

Consider the case of a developer employed by a company. As is typical, the 
company owns the copyright to whatever code he writes in the course of his job. 
Suppose he forks 0MQ to submit a patch needed for work, but he doesn't get the 
appropriate permissions from his superiors to do so. The contents of his PR are 
still owned by the company, and no one else has a license to use it until they 
decide so (of course, no one outside knows this because the developer goofed). 
The fact that the forked project is licensed under a share-alike license doesn't 
force the company to retroactively license their IP under that license. If you 
merged that PR, they can still force you to remove it.

> whereas with a "permissive" license, you can't make that assumption.
> It may be, and it may not be.
>
> Which puts the onus of verification on the person clicking "Merge",
> which brings us back to "maintainers as experts", which we have
> learned is not good for community growth.

I think that you can reasonably take the act of publishing a forked repo without 
changing its attached license indicates agreement to apply that license to the 
modifications in the repo. Similarly, the act of submitting a PR to a project 
that declares that it will only accept PRs under the project's license is 
sufficient in my book.

If you don't think that this is sufficient for the MIT/BSD license, then it is 
also insufficient for share-alike licenses. The share-alike nature of the 
license does not provide any more protection. If someone comes along claiming 
that they own code that was committed by someone else or if they say that they 
contributed it in error and didn't intend to contribute it under the project's 
license, you have exactly the same problem.

Karl Fogel's book _Producing Open Source Software_ covers this issue:

   http://producingoss.com/en/contributor-agreements.html

Note that there is no discussion of share-alike licenses providing extra protection.

-- 
Robert Kern

"I have come to believe that the whole world is an enigma, a harmless enigma
  that is made terrible by our own mad attempt to interpret it as though it had
  an underlying truth."
   -- Umberto Eco




More information about the zeromq-dev mailing list