silverstripe / silverstripe-framework

Silverstripe Framework, the MVC framework that powers Silverstripe CMS
https://www.silverstripe.org
BSD 3-Clause "New" or "Revised" License

RFC: Add a CLA assistant #7487

Open sminnee opened 6 years ago

sminnee commented 6 years ago

Currently contributors who provide a pull request don't sign into any kind of contributor license agreement. We should do this in order to ensure that the licensing / ownership of the resulting code is clear.

In particular, we license our modules "Copyright SilverStripe Ltd" released under the BSD license. We need contributors to agree that they assign copyright to SilverStripe Ltd who, in turn, commits to licensing that change under the BSD license.

We currently state this in our CONTRIBUTING.md, which is a start, but we don't have any step where people agree to this.

There are github plugins that can manage this process for us:

It would be once per contributor rather than once per PR.

Here's a blog post explaining why a CLA is a good thing: https://julien.ponge.org/blog/in-defense-of-contributor-license-agreements/

chillu commented 6 years ago

Good stuff. Been raised a few years ago, but back then my problem with CLAs was the friction involved for dev, as well as the maintenance overhead for the core team. It looks like with these services it's no longer an issue.

sminnee commented 6 years ago

My expectation would be that the SAP one is more likely to be maintained in the long term than the Jason Morrison one; it's also the one that GitHub recommends themselves.

So shall we look into that one and see what the UX is like?

chillu commented 6 years ago

The only potential issue is if we need people to sign a CLA for each core repo, that'd be 11 "signatures" per person - ideally we can pool those somehow. cla-assistant.io can link to an org, which solves that.


sminnee commented 6 years ago

The only potential issue is if we need people to sign a CLA for each core repo, that'd be 11 "signatures" per person

Note that this would be the case only if someone had raised a PR against all 11 repos, which is pretty rare for casual contributors.

sminnee commented 6 years ago

OK I've attached the CLA assistant to https://github.com/sminnee/silverstripe-tagmanager as a PoC, using this first cut of a CLA. Although I think the terms included make sense, it could be given more of a plain-English treatment.

https://gist.github.com/sminnee/32488fe82ede8bd30741e0ee6339dbe9

chillu commented 6 years ago

I didn't get a CLA on https://github.com/sminnee/silverstripe-tagmanager/pull/2.

chillu commented 6 years ago

Oh there we go, it comes as a comment


Yeah, that flow works really well. Happy with the wording as well. I assume that you've copied the CLA text from somewhere, meaning it's got some legal backing?

The purpose of this Agreement is to ensure that SilverStripe is able to provide a clear and unambiguous open-source license to SilverStripe source code, so that community involvement doesn't stop us from being able to continue supporting these projects. This Contributor License Agreement won't limit the way that you can use your Contributions.

This sentence is essential - maybe worth highlighting more? People's eyes tend to glaze over when they see a wall of terms-style text, so might be turning off people before they even bother to read to the second paragraph.

chillu commented 6 years ago

GitLab just announced they're changing from a CLA to a Developer Certificate of Origin (https://developercertificate.org), citing too much legalese in the former which could harm contributions.

GitLab’s move away from a CLA is meant to modernize its code hosting and collaborative development infrastructure for all open source projects. Additionally, requiring a CLA became problematic for developers who didn’t want to enter into legal terms; they weren’t reviewing the CLA contract and they effectively gave up their rights to own and contribute to open source code.

https://about.gitlab.com/press/releases/2017-11-01-gitlab-transitions-contributor-license.html

The DCO does make for a bit lighter reading overall. Thoughts?

sminnee commented 6 years ago

We could potentially paste that DCO text into the license that the CLA bot uses?

robbieaverill commented 5 years ago

I think a GitHub status check would be ideal rather than a comment, but both would work

GuySartorelli commented 2 years ago

@maxime-rainville we should either do this or close the issue