CyaLAter

Can you hold a company hostage using their own CLA?

CLAs — “contributor license agreements” — have become a toxic part of modern corporate non-compensated creativity-extracting development practices, but could we weaponize them against their creators?

Oh, you want to contribute to our project? Here, you must agree to legally binding paperwork (which we won’t provide any consideration for you to execute) or else you can’t participate in our world. We can’t possibly pay for contributions because we’ve spent $20 billion over the past 5 years on combinations of government fines for our illegal business practices combined with constantly losing money on all our internal hyperscale ego projects which eventually won’t pan out. Sorry you spent 300 hours of your personal time fixing our code, but we’re not paying for any of your work (also, of no import, our CEO values his own personal time at $200,000 per hour, ymmv). We’ll accept it for free though (if you agree to legally binding terms benefiting us at your expense you worthless little code goblin!)

Here’s the trick — github allows you to post PRs against any repo, then, only after your code is posted to the company, does the repo authoritarian automation check if you have a CLA on file. If your CLA isn’t on file, they refuse to accept your contributions until you agree to their terms, but they still look at your potential contributions. Your patches aren’t blocked or masked off, so the repo-owning company can read your contributions even though your patches are “not acceptable” until you legally submit to the company’s conditions.

But, what if you provide contributions then refuse their CLA? Wouldn’t the company be legally prohibited from ever including your changes? If their employees read your contribution, but you never agree to a CLA, you’ve, in a GPL-sense, virally contaminated their employees with code they must never implement or else their legal protection framework fails. You could essentially spam companies with fixes, improvements, and features they then can never implement because there’s proof you did it first and you don’t agree to “license” your work to the company.

Of course, in practice, CLAs are just CYAs and if a multi-hundred-billion-dollar company wants your work they just steal it anyway, but it seems every company with “post-submission CLA requirements” didn’t think through their entire process, thus leaving them wide open to huge adversarial legal vulnerabilities.

Either companies can say “all contributions implicitly grant us usage rights under Apache-2.0 when submitted” or companies can say “you own all contributions and we can’t use them until you agree to our proprietary uncompensated CLA,” but they can’t have “if you don’t agree to the CLA we can still copy or outright steal your work anyway, so sue us.”

A probable future includes companies putting up login walls where you can’t even view their “open source” code until you agree to a CLA to avoid adversarial commit issues (similar to having to sign visitor NDAs as guests to corporate campuses). We look forward to github continuing to enable their full-on automated authoritarian code practices by creating a new option “Reject Viewing or Cloning by Logged Out and Non-CLA-Approved Viewers” any day now.

anyway, as of last week we are officially in a recession, but at the same time big tech companies still reported over $200 billion in revenue over the past 3 months, so i’ll happily sign your CLA for a small one time $5 million USD fee per company. inquire within.

this has been: code for thought