Paul Hammant's Blog: Provenance and Code Grants
So with Subsyncit, I’ve operationalized a “Contributor License Agreement” (CLA) mechanism for contributors to consciously grant copyright to me (see here). The workflow is simple enough: the contributor copies that file into Freds_Torrent_optimization.md (or whatever) and includes it in the pull request. GitHub’s SHA1s are provable, so I get a trail of consent and conscious action.
After I receive the pull request and consume it, I can rename/refactor any of it. That would include (most likely) the move of the signed CLA to a place for posterity, which also helps keep the clas/ directory tidy. I don’t lose anything as Git is still maintaining the trail, including SHA1s of actions, i.e. it’ll survive audits.
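Why the move does not break the trail, as an added example that is not part of the original post or of Subsyncit: Git derives a file's SHA1 from its bytes alone, so the signed CLA keeps its id wherever it lives, and only the directory listing changes. The CLA text and the archive file name below are constructed for illustration.

```python
import hashlib

def git_blob_id(content: bytes) -> str:
    """Object id Git gives a file: SHA-1 over a short header plus the bytes.
    The path is not an input, so moving the file cannot change it."""
    return hashlib.sha1(b"blob %d\0" % len(content) + content).hexdigest()

def git_tree_id(files: dict) -> str:
    """Object id of one directory of regular files, given as {name: content}.
    File names are hashed here, which is where a rename becomes visible."""
    body = b""
    for name in sorted(files, key=str.encode):  # Git orders entries bytewise
        body += b"100644 " + name.encode() + b"\0"
        body += bytes.fromhex(git_blob_id(files[name]))
    return hashlib.sha1(b"tree %d\0" % len(body) + body).hexdigest()

def move_report(signed: bytes, old_name: str, new_name: str, edited: bytes) -> dict:
    """Ids an auditor would compare before and after the CLA is moved."""
    return {
        "cla_blob": git_blob_id(signed),               # same at either path
        "tree_before": git_tree_id({old_name: signed}),
        "tree_after": git_tree_id({new_name: signed}),
        "blob_if_edited": git_blob_id(edited),         # any edit gives a new id
    }

# Constructed sample: a signed CLA and a later, silently altered copy.
SIGNED = b"I, Fred (constructed sample), grant copyright in this contribution.\n"
EDITED = SIGNED.replace(b"grant", b"do not grant")

if __name__ == "__main__":
    report = move_report(
        SIGNED,
        "Freds_Torrent_optimization.md",        # name used in the post
        "2017_Freds_Torrent_optimization.md",   # hypothetical archive name
        EDITED,
    )
    for key, value in report.items():
        print(f"{key:15} {value}")
```
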
Sadly, I’ve not closed down the malicious contribution of code that the apparent author does not own but is prepared to falsely claim that they do. An example is an employer who restrains their employees’ activities outside work, including forbidding open source participation.
Updates (Nov 16, 2017):
I missed it completely, but a similar idea has been taking root in the Linux community since 2014: Developer Certificate of Origin versus Contributor License Agreements. The language is different, as is the mechanism, but it is close enough.