Missing open-source contributor presents a dilemma when accepting their PR

&quot;Whenever you add Content to a repository containing notice of a license, you license that Content under the same terms, and you agree that you have the right to license that Content under those terms. If you have a separate agreement to license that Content under different terms, such as a contributor license agreement, that agreement will supersede.&quot;<p><a href="https:&#x2F;&#x2F;docs.github.com&#x2F;en&#x2F;site-policy&#x2F;github-terms&#x2F;github-terms-of-service#6-contributions-under-repository-license" rel="nofollow">https:&#x2F;&#x2F;docs.github.com&#x2F;en&#x2F;site-policy&#x2F;github-terms&#x2F;github-t...</a>

&gt; The contribution bot asks for confirmation the code change is copyright-free<p>A confirmation is simply unnecessary. Can&#x27;t it work like, writing this somewhere that says, by creating a pull request, you agree all your code and the discussions around the pull request is now copyright free? Saves everybody time and avoid hassles like this.<p>The other side of this is I get very annoyed by CLAs -- there have been a number of times I want to contribute to Google and Microsoft&#x27;s open source projects, but they all require CLAs which require me to get explicit permissions from my employer to contribute to those projects. It is possible, but is a slow and complicated process that nobody wants to go through at my company. So instead of creating a pull request to address the problem, I open an issue and mention how it can be addressed. Which may or may not be picked up by someone else who wants to work on this. This is just frustrating.

&quot; and I find it hard to see how damages could be levied in this situation.&quot;<p>Unfortunately, this would be intentional copyright infringement (assuming the code is copyrightable, blah blah blah), since you are doing it on purpose with knowledge that it is copyrighted.<p>In a number of countries, copyright infringement is also strict liability - it doesn&#x27;t matter if you had any intent to commit it, but if you did, the damages often start much much higher. So the former case you&#x27;d probably have some nominal statutory damages, assuming you can&#x27;t prove any actual loss. But in the later case, those damages get quite high.<p>In the US, for example, statutory damages for intentional copyright infringement (IE you don&#x27;t have to prove any actual damage) are 150k per infringement.<p>I make no claims any of this makes sense, or someone will actually sue you, or that you should do anything different than &quot;nothing&quot;.<p>My only claim is that &quot;and I find it hard to see how damages could be levied in this situation.&quot; is totally the wrong view in a lot of countries - you should expect, if it did get to that point, you would have plenty of damages levied against you.<p>The author appears to be in the UK, where statutory damages for infringement were historically not available. but post-brexit, they were actually doing consultation&#x2F;blah blah blah on making them available. I have no idea what happened.<p>But even if they have no statutory damages, it won&#x27;t prevent you from being sued wherever the contributor is, and having that law apply rather than your home law :)<p>It just makes it harder to collect.

In order to open a PR to a repository, you need to push the commit somewhere, usually your own fork. And since that fork already contains the same LICENSE as the upstream project (your project), the author of the PR has essentially already licensed the code under the same LICENSE you use.<p>So I&#x27;d get rid of the bot asking people to confirm the change is copyright-free (since it&#x27;s already implicitly copyright-free, they&#x27;ve pushed it to GitHub already), and merge the PRs without making contributors jump through additional hoops.<p>But it seems like when corps like Microsoft et al does open source, they like to sprinkle in a bit of bureaucracy to the process for the sake of bureaucracy, should hardly come as a surprise to anyone.

The author didn&#x27;t link to the actual PR so I can&#x27;t see the full context, but I don&#x27;t see the point in setting up a bot to make contributors agree to copyright terms if the maintainers just ignore it when someone does a PR and then doesn&#x27;t engage with the bot. It seems like a waste of time for all parties.

I’m not a lawyer at all. What i feel is that the existence of the copyright assignment bot makes this decision worse.<p>I think it is perfectly reasonable to say “you contributed to the project knowing that the project is licensed X, therefore we can assume that you are ok with your contribution being under the same license and we just merge it”. Not saying that it is wise legally, but it feels to be a coherent theory at least. (Again not a lawyer.)<p>But if you have a “copyright-assignment” nagging robot that kinda reveals that you think one needs to jump that extra hoop. After that if you ignore that the robot’s question went unanswered it is harder to argue that you just went with the default assumption. Since if you feel it is worth asking the question that means you did not believe that the implied agreement is enough.

5. Remove the annoying bot and merge it anyway.<p>It&#x27;s already part of github TOS as quoted in another comment, so you&#x27;re just creating repetition hurdles (which won&#x27;t save you anyway in case of real trouble)

&gt; ... asks for confirmation the code change is copyright-free<p>Don&#x27;t you mean patent-free? Or maybe you are asking for copyright assignment?<p>Not sure what &quot;copyright-free&quot; means... Like do you only accept public domain code?

I don&#x27;t like them and won&#x27;t contribute to projects with them but isn&#x27;t this the exact point of a CLA[1]? A textfile in the repo seems a lot easier to track and audit than PR comments and a bot to chase people.<p>1. <a href="https:&#x2F;&#x2F;en.m.wikipedia.org&#x2F;wiki&#x2F;Contributor_License_Agreement" rel="nofollow">https:&#x2F;&#x2F;en.m.wikipedia.org&#x2F;wiki&#x2F;Contributor_License_Agreemen...</a>

thought this would be a mystery about a coder who disappeared that surfaced via pull request

The proper thing to do in this situation is this: treat it as a bug report which was accompanied by a patch that was not used. Credit the bug finder, and acknowledge that the fix is very closely based on their proposed solution.<p>You <i>actually</i> don&#x27;t use their code. Understand what is being fixed and write it yourself.

It&#x27;s interesting that the workflow would allow submitting a PR without consenting to terms. Nearly every website or app today makes you agree to terms right at the start.

5. Digest&#x2F;understand the contribution, explain it to another dev who hasn&#x27;t seen contribution and have them implement the fix clean-room style.

Write your own if it is very simple. If he is gone it is just to just write your own version. The contributor agreement that requires signature is there for a reason.

If the change is small enough, it wouldn&#x27;t contain any original literary expression, as required to be copyrightable, and would be automatically in the public domain. Especially if there&#x27;s only one way to make the change, you can&#x27;t rewrite it some other way while preserving the intent.

From a logical standpoint, if someone makes a pull request to an open source project, it should be safe to assume they are ok with it being distributed under the current license of the project they are contributing to.<p>But copyright law isn&#x27;t always logical.

A simple NULL check on a MIT repo is no deal at all. You&#x27;ll also get it into a FSF project without any written forms.<p>The FSF prefers that a contributor files a copyright assignment for significant contributions, i.e. &gt; 15 lines of code or docs.<p>A null check is insignificant work. No dilemma

3 is the solution. Close, then rewrite it yourself (not an exact copy). It’s fairly common, I had this happening to me relatively often

The proper thing to do in this situation is this: treat it as a bug report which was accompanied by a patch that was not used. Credit the bug finder, and acknowledge that the fix is very closely based on their proposed solution.

Nice article, written by someone who IMO clearly has some first-hand experience in law, carefully considering multiple angles of what might be considered &quot;reasonable&quot; actions to make and their possible consequences.

The USA is overly litigious so I can understand why people might be worried about this, especially a large firm like Microsoft who has a lot to loose.

The actual problem here is the existence of &quot;intellectual property&quot;. It is corrupting all sorts of things and making plenty of simple things very hard, as in this case.<p>I do not think that getting rid of intellectual property entirely is the best solution, but it would be an improvement.<p>Surely we can do better?

This is why I can&#x27;t contribute to google projects, you need to sign their CLA, which requires a google account.<p>Maybe there is a way to do it without one, but I couldn&#x27;t figure it out.

In this particular case, I don&#x27;t think adding a null input guard would meet the minimum level of copyrightability (the same way you can&#x27;t actually copyright &quot;hello world&quot; or basic shapes).<p>The barrier for that sort of thing is <i>really</i> low, but copyright does have an exemption for stuff like that.<p>(Upd: Looked at the PR in other comments; yeah I don&#x27;t think the null guard meets copyrightability, but I Am Not A Lawyer. The attached test case might be more dubious.)

This problem is entirely self-imposed from the CLA bullshit they&#x27;re trying to pull off, which also defeats the point of FOSS. I bet they &quot;love Open Source&quot;.

this seems to be the most logical course of action taken.

To add on to the advice in TFA: Perhaps that bot is exactly the reason the contributor didn&#x27;t want to bother anymore. It&#x27;s just unnecessary. Why not remove it? Terms and licenses can be put in the PR template or something.

Idiot joined the DNF. A completely worthless foundation. First thing to do would be to leave.