[Owasp-board] CLA's for Open Source Projects

johanna curiel curiel johanna.curiel at owasp.org
Wed Sep 24 08:51:23 UTC 2014


This license is an agreement between the contributor and his company;
this seems to be the case for Apache.

I believe that by closing an agreement between contributors and himself or
his company, he wants to avoid issues with copyrights, because he wants to
hold the rights of his project. However, depending on what kind of open
source license he wants to use in his project, it will determine if this
fits with OWASP projects guidelines.

How I see it, the agreement between him and his contributors is not coupled
to the open source license he wants to use in his project and releasing it
under the OWASP umbrella. This CLA applies only between his company and his
potential contributors; OWASP as an organization is not tied to this
agreement, but it will be the first time a project requests this from his

"The purpose of a CLA is to ensure that the guardian of a project's outputs
has the necessary ownership or grants of rights over all contributions to
allow them to distribute under the chosen licence. In some cases this will
mean that the contributor will assign the copyright in all contributions to
the project owner; in other cases, they will grant an irrevocable licence
to allow the project maintainer to use the contribution"

I think the most important questions here are:
Which open source license does he want to use to release his project under
the OWASP brand, as an OWASP project? And
Does OWASP agree that a project leader requests a CLA from his/her

My 2 cents



On Tuesday, September 23, 2014, Jim Manico <jim.manico at owasp.org> wrote:

> Board and Johanna,
> A member of our community approached us with an interest in open sourcing
> a substantial project. He is asking that contributors sign *his* CLA before
> contributing to the project since he is about to open source what is the
> lifeblood of his company.
> I'm torn; I want the contribution but I have not faced CLA's before at
> OWASP. Apache and others do require these...
> My thought is, we may want to consider an OWASP CLA someday, but if a
> company requires a CLA for commercial purposes, we politely pass.
> That aside, I do not have a solid opinion on this matter and I'm not sure
> how to respond....
> Aloha,
> Jim