Ask HN: Are GitHub pull-requests governed by the original repository license?

45 点作者 dmulholl大约 3 年前

This is a question for our legal friends here on HN. Imagine this scenario: I have an open source project on Github with an MIT license. I've cargo-culted the<pre><code> Copyright (C) 2022 My Name </code></pre> line from every MIT-licensed project I've ever seen.A random contributor forks my repository and sends me a pull-request. They haven't altered the license file in any way.So, Question 1: are their contributions automatically licensed under the same MIT license as the original repository? (Note that their fork, which I'm being asked to merge, contains the identical license file.)Question 2: have they (almost certainly inadvertently) assigned copyright over their changes to me? (They're asking me to merge changes from a repository which contains a copyright declaration in my name.)Question 3: if one, why not the other?Disclaimer -- personally I hate even having to think about these kinds of questions, which is why I try to make most of my open-source code available under the Unlicense [1]. I've recently discovered the Zero-Clause BSD licence [2] which may be a better alternative as it avoids the potentially problematic concept of a 'public domain' -- I'd love to hear an informed legal analysis of their differences.[1]: https://unlicense.org[2]: https://opensource.org/licenses/0BSD

10 条评论

rectang大约 3 年前

> So, Question 1: are their contributions automatically licensed under the same MIT license as the original repository? (Note that their fork, which I'm being asked to merge, contains the identical license file.)Yes — that is the common understanding, a foundation upon which vast amounts of collaborative Open Source projects are built.> Question 2: have they (almost certainly inadvertently) assigned copyright over their changes to me? (They're asking me to merge changes from a repository which contains a copyright declaration in my name.)No. Copyright assignment is involved and needs more than that incidental quirk of that copyright notice in the MIT license template (which is confusing).> I'd love to hear an informed legal analysis of their differences.Go with a standard, popular FOSS license. Avoid "crayon licenses" which are poorly drafted, because they lead to legally ambiguous situations which serve both users and contributors poorly. Resist the urge to cut your nose off to spite your face by adopting a purposefully rebellious license.The original JSON license is the crayon license whose flaws are easiest to understand. It contains the phrase "shall be used for Good, not Evil", which begs the question "who decides what's evil?" and opens up any user to a potential lawsuit.The OSI ultimately approved the Unlicense, but with a critique. It's flaws are not as easy to understand as those of the JSON license, but here you go:<a href="https://lists.opensource.org/pipermail/license-review_lists.opensource.org/2020-June/004890.html" rel="nofollow">https://lists.opensource.org/pipermail/license-review_lists....</a>> There is general agreement that the document is poorly drafted. It is an attempt to dedicate a work to the public domain (which, taken alone, would not be approved as an open source license) but it also has wording commonly used for license grants. There was some discussion about the legal effectiveness of the document, in particular how it would operate in a jurisdiction where one cannot dedicate a work to the public domain. The lawyers who opined on the issue, both US and non-US, agreed that the document would most likely be interpreted as a license and that the license met the OSD. It is therefore recommended for approval.

评论 #30554080 未加载

评论 #30555620 未加载

评论 #30557326 未加载

评论 #30555880 未加载

matthews2大约 3 年前

> are their contributions automatically licensed under the same MIT license as the original repository?Yes. GitHub clarify this in their terms of service: <a href="https://docs.github.com/en/github/site-policy/github-terms-of-service#6-contributions-under-repository-license" rel="nofollow">https://docs.github.com/en/github/site-policy/github-terms-o...</a>> have they (almost certainly inadvertently) assigned copyright over their changes to me? (They're asking me to merge changes from a repository which contains a copyright declaration in my name.)No. They still own the copyright to their change (unless it's a trivial, un-copyrightable change).It's not uncommon to require contributors to reassign copyright.

评论 #30553647 未加载

bregma大约 3 年前

(1) If you accept their contributions and distribute your project under the MIT license, your project is distributed under the MIT license.(2) There is no implicit copyright assignment. The author of the change retains copyright in that code, and you retain copyright in your code. You may want to look in to copyright license agreements in which you get your contributors to agree to allow you to use their code in your project and maybe agree not to revoke that permission.Boilerplate headers have no real legal standing: copyright applies the minute you type the text of the source code and is only worth what you can prove in a court of law. Should you wish to change the distribution licensing at some point in the future, you will need to secure the permission of all copyright holders. In the absence of copyright assignment or copyright license agreements that means everyone who has ever contributed a line of code.

评论 #30557294 未加载

评论 #30553902 未加载

ageitgey大约 3 年前

In the US, you automatically have copyright over code you create yourself (assuming there's 'authorship' to make it something deserving of copyright). Sending someone a PR doesn't mean you lose your copyright. You end up in a murky area where the norms of OSS are that your contribution is now part of the package, but they don't have clear ownership over the copyright of all the code in the repo.This is exactly why most big companies require new contributors to sign a copyright assignment before any of their PRs can be merged. Gray areas don't work when lots of money is at stake.

评论 #30566596 未加载

评论 #30554179 未加载

pcthrowaway大约 3 年前

Other people have already answered your questions, and I agree with them:(1): probably, but not necessarily; they could choose a different license for their contributions, though it would be unlikely to get merged(2): no, they still have copyright on their changes unless they reassign itBut if the repo was GPL then their contributions would automatically be GPL also

评论 #30555813 未加载

brudgers大约 3 年前

My standard answer: if it matters, hire a lawyer and if it doesn't matter, it doesn't matter.However, I believe this is exactly the scenario the GPL and Apache address. The GPL by copyleft and Apache by contributor agreements.Neither is a free lunch. Then again neither are lawyers.

gls2ro大约 3 年前

I think you should look at Apache License that is explicitly talking about contributions.

jitendrac大约 3 年前

Add contributor.md file and put the criterias for a suitable pull request there.

charcircuit大约 3 年前

(1) Not necessarily. The other person may license it under multiple licenses or even under a proprietary one.(2) No, unless they have stated that they have transferred ownership to you they own the copyright of their changes.

Jach大约 3 年前

IANAL and I don't have much of value to add to what's already been said, just some rambling thoughts... First I want to reiterate that broad sentiments somewhat resembling "can't we just get along and get on with real work" underpins so much, both in open source and proprietary software, run directly by the user or via server proxy. Take just the question of Stack Overflow. There is a ton of code out there (open source and proprietary) that is directly copied from (or sometimes "inspired by", perhaps with a language change or trivial variable renames) SO posts. This is not really legally allowed except in limited circumstances (see <a href="https://stackoverflow.com/legal/terms-of-service#licensing" rel="nofollow">https://stackoverflow.com/legal/terms-of-service#licensing</a>) yet it's done anyway, even at big multi-billion/multi-trillion dollar companies you've heard of. Sometimes a comment will helpfully link to the source (and it really can be helpful, even if only in the crude way of identifying it to lawyers/linters as something to rip out, but usually more by way of providing context and discussion) yet it has all the legal significance of "no copyright infringement intended" on copies of videos or music on youtube. If SO had an all-seeing eye and actually went after all prohibited uses out there, it might take down the whole industry. When you add all the other sources of code people copy or reference in various ways (other fora, blogs, different countries, books, papers, code/etc predating the 70s/80s decisions making code copyrightable at all in the US, code that is directly mathematical in nature and not copyrightable, totally anonymous authors, and so on) it's clear this is all built on a house of cards.It may be worth thinking of "the work" as the code + the revision history. Historically this was done by actually embedding something like a changelog with different author information in the code itself, so that there's version A of the work with just you and your code, and other version B of the work with you and someone else and their changes with their changes called out explicitly. With version control we don't usually bother with such embedding because it's part of the history, but you still have version A of the work with just you and version B with you + the other author, even if nothing in the source code itself (or the license file) indicates the presence of another author. The revision history alone is enough to establish their partial authorship and any copyright claim. And probably implicit agreement to the original license, barring any signs to the contrary, per your question 1 and github's official doc on the matter -- adding something to your readme for a public domain project like "contributions implicitly agree to relinquish their copyright and dedicate changes to the public domain" seems like it'd be in the realm of weird EULA clauses that may or may not be enforceable.I like the Unlicense too since I learned of it. I mean, I like the public domain and screwing thinking more about this license stuff, but I also like putting in a "don't sue me if something bad happens while using this" disclaimer, and even if it's "clumsily worded" as others have said when it comes to countries that don't recognize the public domain, it seems less clumsy than some of my prior attempts at "this is public domain or MIT if your country doesn't recognize such a thing". The CC0 is also acceptable as public-domain-unless-your-country-sucks-then-as-close-as-possible, even if it's not exactly meant for software. In a recent Unlicensed library of mine that I think has a slightly-greater-than-epsilon chance of ever seeing a pull request someday, I decided in the readme to call out a request that contributions include a blurb explicitly relinquishing to the public domain (Unlicense's site itself has a copy-pasteable blurb) since technically in the US where I am it shouldn't really serve as a 'license' and thus the license-in=license-out standard for other things doesn't quite apply. So I'd ask a PR that didn't include it to comment with it before merging, or if there's disagreement either convince me to release a new version of "the work" with a real license, or refactor their change as an external library dependency. Still, house of cards.youtube-dl is maybe the biggest Unlicensed project and solves this with a pull request template that includes a checkbox they ask contributors to check (see randomly <a href="https://github.com/ytdl-org/youtube-dl/pull/30690" rel="nofollow">https://github.com/ytdl-org/youtube-dl/pull/30690</a>) and this is probably a good model to follow if you expect a lot of contributions. (youtube-dl has 768, its better fork yt-dlp is at 925.) On the other hand, sqlite is just released straight into the public domain, not even with a "no warranty don't sue me" clause, and is used worldwide by countless things. There are other widely used purely public domain projects too. All of our fretting with trying to pin down more legally certain edge cases with these alternate 'licenses' and agreements and so on is probably just a big waste of time.For important software to yourself or one's company or contributor group (financial, social credit, control (including possibly control to relicense/dual license everything in the future), belief in weaponizing copyright to forbid taking away the 4 freedoms via the GPL) I'm basically in agreement with others about minimizing legal risk and just going with something popular and not "crayon" and to consider getting CLAs, it can legitimately not be a waste of time to think about all this. Though for other cases I also think it's important to remember how fragile this house of cards is, and weird 'licenses' like WTFPL or extra clauses like "prohibited to use this for evil" or "prohibited to use this if your name is [person I don't like]" or even a more normalized weird in the AGPL's "prohibited to have users using this by server proxy and not share your changes" all serve as a reminder as well as in some cases injecting a bit of light-hearted "don't be so serious, let's try to play nice" sentiment into the matter which is important long-term for any common culture among those calling themselves programmers.