OK, so twice before, in 2008 and 2011, I've blogged on provenance as a problem that deserves a solution, and on how it particularly affects open source.

So with Subsyncit, I've operationalized a "Contributor License Agreement" (CLA) mechanism for contributors to consciously grant copyright to me, see here. The workflow is simple enough: the contributor copies that template into the clas/ directory as Freds_Torrent_optimization.md (or whatever) and includes it in the pull request. Git's commit SHA-1s make the history tamper-evident, so I get a trail of consent and conscious action.

After I receive and merge the pull request, I can rename or refactor any of it. That would most likely include moving the signed CLA to a place for posterity, which also helps keep the clas/ directory tidy. I don't lose anything, as Git still maintains the trail, including the SHA-1s of each action (git log --follow recovers a renamed file's history), so it will survive audits.

Sadly, I've not closed down malicious contribution of code that the apparent author does not own but is prepared to claim they do. An example is an employer that restricts its employees' activities outside work, including forbidding open-source participation.

Updates (Nov 16, 2017):

I missed it completely, but a similar idea has been taking root in the Linux community since 2014: Developer Certificate of Origin versus Contributor License Agreements. The language is different, as is the mechanism, but it is close enough.
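As an added illustration (not code from the Subsyncit project or from this post), the following Python check enforces the policy described above over a pull request's commits: each commit author must either have a signed CLA copy on file under clas/ or, DCO-style, a Signed-off-by trailer in their own name. The commit data, the clas/ file contents and the "Signed by:" line format inside a signed CLA are all constructed for the example; the post does not show the template's contents. It cannot detect the case noted earlier where a contributor falsely claims ownership: both mechanisms record a self-assertion, not proof.

```python
"""Check pull-request commits for a CLA on file or a DCO sign-off.

Added example; not Subsyncit's own tooling. The CLA line format below is a
hypothetical one chosen for the example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Trailer form used by the Linux kernel's Developer Certificate of Origin.
SIGNOFF_RE = re.compile(
    r"^Signed-off-by:\s*(?P<name>.+?)\s*<(?P<email>[^>]+)>\s*$", re.MULTILINE
)

# Assumed line inside a signed CLA copy under clas/ (hypothetical format).
CLA_SIGNER_RE = re.compile(
    r"^Signed by:\s*(?P<name>.+?)\s*<(?P<email>[^>]+)>\s*$", re.MULTILINE
)


@dataclass(frozen=True)
class Commit:
    sha: str
    author_email: str
    message: str


def cla_emails(cla_files: dict[str, str]) -> set[str]:
    """Collect signer emails from every signed CLA copy (path -> contents)."""
    emails: set[str] = set()
    for contents in cla_files.values():
        for m in CLA_SIGNER_RE.finditer(contents):
            emails.add(m.group("email").lower())
    return emails


def signoff_emails(message: str) -> set[str]:
    """Emails named in Signed-off-by trailers of one commit message."""
    return {m.group("email").lower() for m in SIGNOFF_RE.finditer(message)}


def uncovered_commits(
    commits: list[Commit], cla_files: dict[str, str]
) -> list[tuple[str, str]]:
    """Return (sha, reason) for each commit whose author has neither a CLA on
    file nor a Signed-off-by trailer matching their own author email.

    cla_files should be the clas/ tree as it would look after the merge, so a
    CLA added in the same pull request counts."""
    on_file = cla_emails(cla_files)
    problems: list[tuple[str, str]] = []
    for c in commits:
        author = c.author_email.lower()
        if author in on_file:
            continue
        if author in signoff_emails(c.message):
            continue
        problems.append((c.sha, f"no CLA on file and no Signed-off-by for {author}"))
    return problems


# Constructed sample data: a clas/ tree and three commits from one PR.
SAMPLE_CLAS = {
    "clas/Freds_Torrent_optimization.md": (
        "I grant copyright in my contributions to the project owner.\n"
        "Signed by: Fred Bloggs <fred@example.com>\n"
    ),
}
SAMPLE_COMMITS = [
    Commit("a1b2c3", "fred@example.com", "Optimise torrent piece selection"),
    Commit(
        "d4e5f6",
        "alice@example.com",
        "Fix sync race\n\nSigned-off-by: Alice Liddell <alice@example.com>",
    ),
    # Sign-off in someone else's name does not cover the author.
    Commit(
        "0f1e2d",
        "mallory@example.com",
        "Add feature\n\nSigned-off-by: Someone Else <other@example.com>",
    ),
]

if __name__ == "__main__":
    for sha, reason in uncovered_commits(SAMPLE_COMMITS, SAMPLE_CLAS):
        print(f"{sha}: {reason}")
```

In a real gate the commit list would come from `git log --format='%H%x00%ae%x00%B'` over the PR's range and the clas/ tree from the merge result; the matching is on author email, so a contributor who commits under a different address than the one in their CLA will show up as uncovered rather than silently pass.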


October 22nd, 2017