Saturday, September 7, 2024

Ubuntu, Canonical Wallow in Muddy Waters with Contributors’ Agreements

Datamation content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More.

If you believe everything you read on the Internet, then Canonical, the company behind the Ubuntu distribution, can’t do anything right.

Part of the reason for this attitude is that, because of Ubuntu’s popularity, Canonical is under a scrutiny so intense that every fault is magnified. Another part of the reason is that Canonical is visibly struggling with balancing its commercial efforts with being a corporate citizen of free and open source software (FOSS).

However, whatever the reasons, no sooner has the controversy over Ubuntu’s contributions to GNOME and other FOSS projects quieted than people are questioning Canonical’s contributor agreement, condemning it as a flawed document that misses the spirit of FOSS.

Under the Canonical Contributor Agreement, participants in Ubuntu’s development agree to transfer the copyright in their work to Canonical. The controversy is not over the mere fact of the copyright assignment, which is common enough in FOSS development. It’s been been used by — among others — the GNU Project, OpenOffice.org, and the Free Software Foundation Europe’s (FSFE) Fiduciary License Agreement.

In projects in which everyone is a volunteer, assigning copyright to a larger organization, rather than to individuals can make sense.

As FSFE’s Shane M Coughlan told me several years ago, as projects grow in size, “it becomes more difficult to manage the copyright. Some authors might vanish due to accidents, death, or other factors. When it comes to making decisions about protecting the code, upgrading license, or other legal factors, it can become important to talk with copyright holders.”

By contrast, in projects like the Linux kernel, in which there is no copyright assignment, managing copyright can potentially become difficult. For instance, even if Linus Torvalds had been willing to relicense the kernel under the third version of the GNU General Public License (and he most vocally was not), tracking down all contributors and obtaining their consent would have next to impossible.

As Simon Phipps points out, copyright assignment remains popular among companies involved with FOSS. In particular, it can make dual-licensing — the practice of releasing software with two different licenses, usually one FOSS and one proprietary — and aggregate copyright — the terms of use for bundled software, such as in a commercial box — easier to manage.

Not everyone agrees with copyright assignment. Some prefer to keep the copyright for their own work, and some argue that the legal requirements for copyright assignment can scare away potential contributors. Others support the idea for umbrella organizations like FSFE, but are more reluctant to transfer copyright to for-profit companies, suspecting that copyright assignment benefits the company more than the project.

In addition, when copyright is assigned to a company, rival companies may refuse to allow their employees to contribute, a position that undermines the co-operation fundamental to FOSS development.

Copyright assignment gone wild

Against this background, requiring contributors to sign a copyright assignment is risky at the best of times, and with the best of agreements. Significantly, the new contributor agreement being developed by Fedora avoids copyright assignment altogether, and simply tries to guarantee that contributions will use one of several free licenses that are compatible with the rest of the project.

In comparison, the Canonical Contributor Agreement is riddled with difficulties. To start with, it assigns copyright to Canonical “now and in the future” with no provisions for termination, two conditions which can be legally dubious.

Equally questionable are the first two paragraphs, in which Canonical and the contributor signing the agreement exchange rights that should be already granted by a free license, such as the rights to copy, modify, and distribute. At best, these paragraphs are redundant, while at worst they might be seen as an effort to make the agreement take priority over the licenses. The paragraphs read as though Canonical, not the licenses, control how the software, interfaces, and documentation are to be used, although it might be said that the whole point of free licenses is to prevent such control.

In fact, for most potential contributors, what makes the agreement objectionable is the degree of control that Canonical asserts. In paragraph 5, contributors promise to “execute any documents and perform any acts that Canonical requests from time to time to enable Canonical to protect, perfect, enforce or enjoy the rights assigned and/or granted to it.” That language sounds as though, having volunteered once, contributors are legally compelled to do what Canonical tells them to do, even though they are not Canonical employees.

Furthermore, the agreement gives Canonical the right to change unilaterally what the agreement applies to (Paragraph 3), and “in its discretion [to] make the Assigned Contributions available to the public under other license terms” (Paragraph 5). This second condition is probably included to allow dual-licensing, but, as worded, would allow Canonical to change from a free license to a proprietary one.

Contributors also agree that “If I am or become aware of any patent or other intellectual property right which is, or is likely to be infringed by the use of the Assigned Contributions, I will promptly notify Canonical.” Never mind that most contributors would agree with KDE’s Aaron Seigo, who comments in a blog entry entitled, “Copyright assignment gone wild, or why I cannot join Canonical’s contributor agreement program,” “That is highly onerous, and I do not have the time or financial resources to be able to commit to such an absurd burden.”

Seigo goes on to comment, “The only thing worse than risk management is bungled risk management as it creates new and unintended risk (which often means it’s also undefined in scope!) . . . . It’s a great way of unintentionally damaging your allies and partners.”

In other words, by proposing that contributors sign such an agreement, Canonical strengthens the impression that its only interest is its own advancement, and that it has no interest in interacting with the FOSS community except on terms that it dictates — even if those terms undermine the community.

No sooner was Canonical’s Mark Shuttleworth answering criticism about his company’s community contributions with some high-level and largely irrelevant rhetoric, then Seigo’s blog on the copyright assignment was being used by critics like Jef Spaleta as additional proof of such attitudes.

In fact, Spaleta’s comments came in the comments to Shuttleworth’s posting. Unfortunately, so far, Shuttleworth has not responded.

Self-inflicted wounds

The kindest — and most likely — interpretation of the Canonical Contributor Agreement is that it was drafted by lawyers with no experience of FOSS. Eager to protect Canonical’s rights, these lawyers have either overlooked or are unaware of community expectations.

Nor has anyone with decision-making powers at Canonical apparently noticed that a poor reputation in the FOSS community can amount to a specialized form of public relations meltdown. Or perhaps, given that many people continue to praise Ubuntu uncritically, Canonical executives assume that the company can weather such a reputation.

Whatever the reason, a pattern seems to be emerging all too clearly. Increasingly, Canonical is not balancing corporate concerns and community expectations with any grace or skill, and this oversight may eventually harm the company’s chances of success.

Instead, it seems to prefer to ignore the expectations, even when they are voiced politely by people like Seigo, whose experience and expertise are beyond question, and who voice their concerns reasonably and with every sign of concern. Instead of addressing criticisms and working with the greater FOSS community, Canonical seems to prefer to go on the defensive or to answer with evasions. Such responses may be only human, especially considering the idealism and hard work that has gone into Canonical. But it is not sound business.

At this stage, the damage that Canonical is doing to itself is not irreparable. But, given a few more incidents like this one, that could change. Strange to say, perhaps what Canonical needs is a PR strategy crafted by people who understand the importance of community relations to its corporate success.

Subscribe to Data Insider

Learn the latest news and best practices about data science, big data analytics, artificial intelligence, data security, and more.

Similar articles

Get the Free Newsletter!

Subscribe to Data Insider for top news, trends & analysis

Latest Articles