
Consider replacing the CLA with a DCO for this MIT-licensed project #14175

@jdonaldson

Summary

Quarto's Contributor License Agreement imposes obligations that are disproportionate for an MIT-licensed project and create unnecessary friction for community contributions. I'd like to suggest replacing it with a Developer Certificate of Origin (DCO), which is the industry standard for projects with permissive licenses.

What the CLA requires

| Clause | Requirement |
|--------|-------------|
| 3 | Full copyright assignment to Posit — not a license, a transfer of ownership |
| 5 | Open-ended obligation to "execute any documents and perform any acts" Posit requests to enforce their rights, with no scope or time limit |
| 6 | No guarantee contributions remain open source — Posit "ordinarily" uses an OSI license but reserves the right to use "other license terms" |
| 7 | Blanket patent non-assertion against Posit and all users of the Software — not scoped to the contributor's own contribution |
| 8 | Affirmative duty to monitor and report any IP that may be infringed by the Software (the entire project, not just your contribution) |

Why this doesn't fit an MIT project

Quarto is MIT-licensed (COPYING.md). MIT already grants Posit and everyone else the right to use, modify, distribute, sublicense, and sell the software. There is no copyleft compliance concern that would require copyright consolidation.

The only right that copyright assignment provides beyond what MIT already grants is the ability to relicense the project away from MIT without contributor consent. Every other protection the CLA seeks is either already covered by the license or goes beyond what is standard practice.

What comparable projects do

MIT-licensed projects of similar or greater scale:

| Project | License | Contribution model |
|---------|---------|--------------------|
| VS Code | MIT | DCO sign-off |
| Electron | MIT | No CLA |
| Next.js | MIT | No CLA |
| Node.js | MIT | DCO sign-off |
| Deno | MIT | No CLA |

The DCO is a lightweight sign-off (Signed-off-by: line in commits) certifying the contributor has the right to submit the code. It provides the legal clarity projects need without requiring copyright transfer, patent waivers, or open-ended obligations.

Concrete impact

I recently submitted two bug fix PRs (#14112, #14136) with tests and documentation. I withdrew both after reviewing the CLA because the legal obligations were disproportionate to a community bug fix. The bugs remain documented in the issue tracker (#14099, #14122) for the team to address.

I'd imagine other potential contributors have made similar calculations silently.

Suggestion

Replace the CLA with a DCO, or at minimum revise the CLA to:

  1. Use a license grant instead of copyright assignment (as the Apache ICLA does)
  2. Scope the patent clause to the contributor's own contributions
  3. Remove the open-ended obligation to perform future acts (clause 5)
  4. Remove the IP monitoring duty (clause 8)
  5. Guarantee contributions remain under an OSI-approved license

Happy to discuss further. I'd love to contribute to Quarto — the barrier is legal, not technical.
