Adopt a Contributor License Agreement

[ssoloff]

Following up on a suggestion made in #2764.

It seems to be recommended for OSS projects to create a Contributor License Agreement (CLA) so that there are no ambiguous copyright issues for project owners to deal with.

A case in point is the re-licensing issue raised in #2764. It can be extremely difficult for a project owner to get all contributors to agree to a re-licensing effort simply because it may be impossible to track down all contributors due to the age of the project (TripleA is a good example of this). Having all contributors "sign" a CLA would ease the burden of such an effort.

It still may be impossible to retroactively get all past contributors to sign a CLA, but we could at least have the current set of devs sign one and have a process in place for future contributors. One possible workflow is:

• Have all current Members sign the CLA. This could be as simple as opening an issue with each Member giving a thumbs up to the statement "I hereby agree to the terms of the TripleA Contributor License Agreement."
• When a new Member is added to the organization, a new issue would be opened for that member to sign the CLA as above.
• When a Contributor submits a PR, they must include the statement "I hereby agree to the terms of the TripleA Contributor License Agreement." Such a statement could be added to our PR template as an unchecked task list item, and the Contributor would have to explicitly change it to a checked task list item. Otherwise, the PR won't be accepted.

The idea of the above workflow is that Members wouldn't have to keep checking the "I agree..." box because they have a CLA on file in the issue tracker. Contributors would have to do it on each PR, which could be a pain for regular contributors. However, it is presumed that regular contributors would eventually be promoted to Members, and would then sign a CLA in the issue tracker. (Or just let anyone who wants to sign a CLA regardless of organization status.)

However, there are some open issues with the above workflow:

• How are cross-repo issues handled? Do we need one CLA per repo? Do we track a CLA in one repo (probably triplea-game/triplea) and just state that it applies to the triplea-game organization as a whole?

Questions:

1. Is a CLA overkill for TripleA?
2. If not, what is the best process for adopting a CLA?

[RoiEXLab]

@ssoloff I actually thought about using a service with that integrates with github, like https://cla-assistant.io/ that a lot of other open source repos use. This keeps track of who signed the CLA and who didn't. People are automatically reminded of stuff with no need for us to worry about anything. The cla assistant needs to be configured per repo, but it shouldn't be too difficult to set everything up.

[ssoloff]

@RoiEXLab Excellent suggestion. That will cut the logistics burden on our side down to almost nothing.

[DanVanAtta]

We've got triplea_maps.yaml in the repo, does that mean any map maker will need to go through the CLA signing process to update that file?

[ron-murhammer]

Yeah, I think this would be a good step though its unlikely we can get all past contributors to sign it.

@DanVanAtta Technically, I believe so though if we use a fairly automated way then it might not be a big deal.

One other thing to consider is the entire org vs each repo.

[ssoloff]

One other thing to consider is the entire org vs each repo.

A CLA is probably only useful for repos that actually have a governing license, since most CLAs (at least that I've seen) reference the "Project License." Right now, just over half of the triplea-game repos have a license:

Repo	License
assets	GPL-2.0-or-later
dice-server	AGPL-3.0-or-later
dice-server-js	MIT
lobby	none
triplea	~GPL-2.0-or-later~ GPL-3.0-or-later
triplea-game.github.io	none
tripleawarclub.org	none

We probably want to apply some kind of license to every repo, just to be safe. (Also, @RoiEXLab, we may want to change the license for dice-server-js to something more in the spirit of TripleA.)

CLA Assistant appears to work at both the repo and organization levels. For organizations:

If you link an organization with your CLA, CLA assistant sets a web hook on your organization and listens to Pull Requests of all repositories in the organization. That means that your CLA becomes active for each existing and future repositories of your organization.

@ron-murhammer If we want to evaluate CLA Assistant, we could apply it to a secondary repo, like dice-server, and see how it feels.

In the meantime, I'll do some more research to see if I can find a suitable CLA for our purposes.

[prastle]

I don't believe any past member would bother to be worried about this. That being said we do need to dot our i's and cross our t's for the future. We don't want to have to do this again. Just my 2 cents.

[ssoloff]

Here's another interesting read by Brad Kuhn. It's basically a Devil's Advocate view of CLAs. However, Kuhn does encourage having contributors explicitly assent to the project's license via what he terms a Developer Certificate of Origin (DCO). If you read Kuhn's explanation of a DCO, that's basically what we're talking about here.

Here are some examples of CLAs:

• JUnit 5
• SAP

And an example of a DCO written explicitly for GPL-2.0-or-later:

• phpMyAdmin

The JUnit CLA is short and sweet. I think the SAP CLA is what Kuhn is talking about when he argues against CLAs (i.e. a lawyer's dream document). The phpMyAdmin DCO seems to capture the same spirit of the JUnit CLA, but with slightly more verbage.

[prastle]

The Main purpose of a Non Profit Organization or NPO is to assume we are doing this for fun as a recreational thing ( club ) pool league etc... thus it will never make any money for the signees. That being said ... I think you all need to decide whether ya all ever want to incorporate or enjoy ...

BUT legally the signees are responsible for anything legal

[ssoloff]

@ron-murhammer Now that we've completed the license upgrade, I'm bumping this issue to see if we want to proceed with adopting a CLA/DCO.

After re-reviewing all of the information above, it would seem that using CLA Assistant at the organization level is the simplest way forward. I put together a DCO for TripleA based on those of the phpMyAdmin and Samba projects:

TripleA Developer's Certificate of Origin. Version 1.0

By making a contribution to this project, I certify that:

(a) The contribution was created in whole or in part by me and I
    have the right to submit it under the appropriate
    version of the GNU General Public License; or

(b) The contribution is based upon previous work that, to the best of
    my knowledge, is covered under an appropriate open source license
    and I have the right under that license to submit that work with
    modifications, whether created in whole or in part by me, under
    the GNU General Public License, in the appropriate version; or

(c) The contribution was provided directly to me by some other
    person who certified (a) or (b) and I have not modified it.

(d) I understand and agree that this project and the contribution are
    public and that a record of the contribution (including all
    metadata and personal information I submit with it, including my
    sign-off) is maintained indefinitely and may be redistributed
    consistent with the TripleA Team's policies and the requirements
    of the GNU GPL where they are relevant.

(e) I am granting this work to this project under the terms of both the
    GNU General Public License and the GNU Affero General Public License
    as published by the Free Software Foundation; either version 3 of
    these Licenses, or (at the option of the project) any later version

    https://www.gnu.org/licenses/gpl-3.0.html
    https://www.gnu.org/licenses/agpl.html

I chose to require a grant under both GPL-3.0 and AGPL-3.0 because, if this is an organization-wide DCO, those are probably the two licenses we'll use across all repos for the foreseeable future. (I plan on submitting PRs to the other repos to get everything licensed consistently.)

[DanVanAtta]

@ssoloff would you mind if I assigned this to you for next steps? Seems like we are just waiting for instructions on what to do next. No objections reported so far, I suspect silence is consent. Or we could assign this to everyone and let everyone accept/object and unasssign as they do so.

[ssoloff]

@DanVanAtta The next step would be for @ron-murhammer to register the CLA for the triplea-game organization at CLA Assistant. The process appears to be pretty straightforward:

1. Create a Gist with the above CLA. Since Gists apparently cannot be created under an organization, it should probably be created under @ron-murhammer's account.
2. Link the CLA to the triplea-game organization.

@ron-murhammer: Assigning to you, as this should be your call if you want to register with CLA Assistant. The alternative, as discussed above, is to just place the CLA as a file in this repo, and to modify the GitHub PR template with a checkbox (whose text links to the CLA) that would have to be selected by the contributor on every PR.

[ron-murhammer]

So I don't really have a strong opinion one way or the other on a CLA. I guess I'd like to see a vote from our core developers on whether they think its worth doing.

@veqryn @ssoloff @DanVanAtta @RoiEXLab Can each of you reply with yes, no, or neutral on this? Then we can either move forward or close this for now. Feel free to provide justification for your vote as well.

[veqryn]

I am between yes and neutral on this. I'm fine signing a CLA and making others do so as well. Just please make it as easy and simple as including a comment to that effect on their first PR, or something. We don't want to dissuade people from contributing because they have to sign and fax paperwork in triplicate... ;)

[RoiEXLab]

I'd say let's go the safe way and adopt a CLA. Using CLA-Assistant it's really just clicking on a link and checking the I agree checkbox to accept the CLA.

[prastle]

Not that I am a dev but it has my vote to assign a CLA.

[ssoloff]

:+1:

Looking through the history on this issue, I believe I originally brought it up due to the concerns that were raised when we switched to GPL-3.0. The idea is the CLA gives the current project owner a strong copyright claim (e.g. to make significant licensing changes in the future) without having to track down past contributors.

[ssoloff]

It appears there were only neutral or up votes for adopting a CLA, so this issue was on the cusp of being resolved (probably just got lost in noise). @ron-murhammer Assigning to you to decide if you want to simply close this issue or register the CLA per this comment.

[DanVanAtta]

@ron-murhammer bump; seems we need a no-go/go decision on this.

[DanVanAtta]

Revisiting this a bit: https://cla-assistant.io/ looks like a good way to go, seems it could automate a lot of the agreement flow and help avoid overhead. @ssoloff thank you for the clean summary and proposal for this issue.

[ron-murhammer]

Ok. I'll try to review this and decide this weekend as I'm about to head out.

[RoiEXLab]

@ron-murhammer Any update on this?

@DanVanAtta Also has the rights for this by now, so that would work too

[DanVanAtta]

Configured CLA assistant against my fork to demo: https://github.com/DanVanAtta/triplea/pull/8

@ron-murhammer / @RoiEXLab move forward with CLA assistant?

The CLA text provided by @ssoloff LGTM: https://github.com/triplea-game/triplea/issues/2880#issuecomment-365323389

[DanVanAtta]

PS: the process can be demo'd by submitting PRs to my fork: https://github.com/DanVanAtta/triplea

[RoiEXLab]

Thanks for looking into this @DanVanAtta 👍

[DanVanAtta]

We passed the 2 year anniversary of this issue. @ron-murhammer , please give a yea or nay. If yea, I can probably take this forward (or you can too if you'd like , CLA assistant seems pretty straight forward to configure).

[ron-murhammer]

Yea. Feel free to take a shot at this. Its just never bubbled up to the top of my list.

[DanVanAtta]

Potentially now done, be on the lookout for CLA on next PRs and secondly that the CLA text looks good.

[DanVanAtta]

Hmm, the webook for the triplea-game/triplea repo is oddly not being created.

@ron-murhammer could you open: https://cla-assistant.io/, click 'configure CLA, and see if it offers an option to configure the repository 'triplea-game/triplea'

[DanVanAtta]

Belay that @ron-murhammer , I was wondering why a repo config had a webhook but the org did not. CLA reports that there is no webhook on the Triple org, but it seems to be immaterial and works anyways.

This is working:

:clinking_glasses:

[DanVanAtta]

I added dependabot and tripleabuilderbot to the CLA whitelist to avoid CLA comments for PRs from those bot users: https://github.com/triplea-game/dice-server-js/pull/24

It is easy to configure in CLA assistant: https://cla-assistant.io/

Click the pencil icon next to our org to bring up an edit menu that gives access to the setting: