As it happens, I have actually submitted PRs to projects with CLA "requirements" before--if I recall correctly, the first time was by accident because I didn't realise there was a CLA requirement (projects that don't clearly state that upfront... have room for improvement).
Subsequent such occurrences were intentional.
And I've had a non-zero number of the PRs merged.
Despite stating that I did not intend to sign the CLA.
Because, guess what, there's no legal requirement for a CLA in order to accept a one word comment or documentation fix--it wouldn't even qualify for copyright protection. And, BTW, I'm definitely still not a lawyer.
Why did I intentionally submit a PR to a project I knew required a CLA? Just to be an asshole? Well, I'd prefer "smart-arse", but either way, no.
The purpose was to actually provide visibility into the cost of requiring a CLA.
Instead of letting the cost stay invisible and thus continuing to ensure a lack of evidence to which project maintainers might point as the motivation for change.
A one word doc fix? Who cares, that's practically worthless, right? Well, at least one project decided it was worth at least enough to "break the rules" and merge it without a CLA...
But that's not really the point because it's not just one word fixes that projects are missing out on because of CLA requirements. Its all the multi-line PRs fixing bugs, adding features, fixing security vulnerabilities, reverting tabs-to-spaces format changes, reverting spaces-to-tabs format changes, and reverting reverting spaces-to-tabs format changes--all those PRs that never get written so the cost is entirely invisible.
----
But what kind of person would care enough about CLA requirements to not want to sign one and yet still put effort into submitting a multi-line PR significant enough for a project to want while knowing it would unlikely to ever be accepted?
*cough*
No idea, I've never followed through on that particular action. :)
(In part because projects started either ditching CLA requirements entirely or changing them to a DCO requirement which at least in comparison I have less of an issue with for the moment.)
But how many people submitting useful PRs but not signing CLAs would it take before a project might start asking (themselves or whoever might be imposing the requirement): "Why are we requiring a signed CLA when it has this cost?".
It also turns out there's actually another potentially really interesting nuance of CLAs that I didn't consider until after the fad died down which I've not seen mentioned.
----
The negative impact of a PR without a signed CLA primarily affects the organisation requiring the CLA.
It's only the organisation requiring the CLA who cannot (by their own rules) benefit from a PR without a signed CLA. Any other member of the project can freely merge the PR into their own (or community) fork under the terms of the license by which it was contributed.
Now, some might object to contributions being "weaponized" in this manner but:
(a) Would you still complain if an AI instead of a human came up with the idea to "weaponize" in this manner? :D
(b) What other leverage do communities have against companies that some might describe as "holding community projects hostage"; or, at a minimum damaging the project, with a CLA requirement?
(c) Oh, that's not a weaponized contribution, this is a weaponized contribution: once a PR has been written to, say, add a feature to a project, a contribution that is, say, of sufficient size & creativity to be eligible for copyright protection... Now, if that were to happen...
BTW did I mention that I'm definitely not a lawyer? If I haven't previously, well, to remove any potential doubt: I'm not a lawyer. Just one of those developers who apparently seem to think the law is like code[13].
Anyway, the thought that occurred to me one day was: if there was a PR of contributed, licensed, copyrighted code for a feature but no signed CLA... could, that, perhaps, maybe, poison the well in relation to anyone else developing an alternative PR for the same feature but with a signed CLA?
And, if so, would that create some potential legal liability, for, say, a company like Google, if the project were to, say, merge such an alternate PR?
Because, like, wouldn't they have to be able to prove that the alternate PR isn't actually based on the PR without a signed CLA in order to avoid potential liability for, I dunno, copyright infringement or something?
Now, I may have mentioned this before but I'm not a lawyer.
With that in mind, the answer is: No!
Potential liability? Now, now, there's no need to be silly, Google has a signed CLA stating that the contributor totally represented that they could grant whatever the CLA grants. No legal liability for them, woo!
Well, unless it was an employee who wrote the alternate PR, I guess? But I assume there's processes for that...
But it turns out I'm the silly one because there actually seems to be a straight-forward "solution" which literally only just occurred to me as I was writing this up--and it seemingly doesn't require anything other than lawyering silliness!
Let me quote here Point 7 (see 7.) of the "Google Individual Contributor License Agreement" for the purposes of review & criticism in a manner hopefully compliant with the concept of "Fair Use" in some jurisdiction:
"7. Should You wish to submit work that is not Your original creation, You may submit it to Google separately from any Contribution, identifying the complete details of its source and of any license or other restriction (including, but not limited to, related patents, trademarks, and license agreements) of which you are personally aware, and conspicuously marking the work as 'Submitted on behalf of a third-party: [named here]'."
So, umm, that's certainly... a thing.
BRB, off to submit a new "Audio GIF"-based backend for Jujutsu without signing a CLA!
(You know, so someone who has signed a CLA can seemingly totally submit it in a manner consistent with the project CLA as long as they don't misrepresent my code's source and mention any "Audio GIF"-related patents. GIF-related patents? LOL Zero Worries there! As if. My butt's patented[15].)
----[epilogue]---
There were a couple of other things I'd thought to mention but I'm going to leave things here---particularly given Point 7.
And, as some additional context, in case anyone happens to be interested: Yes, this is a ridiculously long comment containing a lot of content seemingly written to primarily amuse the author. Well, yes, that's an accurate observation. I have attempted to at least make its content semi-navigable by section out of respect for the time of those who wish to glean its content without its... other content.
Maybe one day I'll... write more about the context of that. :)
[Update: Okay, admittedly, that was way longer than even I had realised. :D ]
[1] A document which I note has no associated date or revision information.
[2] But at least now I know why I kept seeing "Not a Contribution." in issue comments on GH, I guess.
[3] Or, you know, to at least not to be evi... oh.
[4] But, in actuality, even then.
[5] A situation I would posit exists between a corporate entity with a market cap of over $USD2.20[6] and over 80%[7] of typical individual contributors to FLOSS projects.
[6] Oh! Actually over $USD2.20 Trillion? Assuming my source is accurate[6.5].
[6.5] I'd encourage everyone to: independently verify my claims; consult your financial advisor; seek legal advice from your attorney licensed to operate in relevant jurisdictions; and, ask your doctor if any treatment plan, financial statement, legal claim, or, punctuation contained in this comment is accurate and/or right for you.
[7] Maybe even 99%[8].
[8] But as a sub-100x Developer I'm not privy to details of TC packages at the higher end of the SV scale, so might even be closer to 99.5% of typical individual contributors but wouldn't want to overstate my claims.
[9] A statement I'll readily admit I was extremely surprised to see in the Google CLA. You know, given I would've thought such a claim would leave the company open to some sort of legal liability or risk of agreement invalidation if it turned out the document didn't fully and completely protect a contributor (& I assume their heirs?) in every situation & jurisdiction in perpetuity. But as I may have mentioned I'm not a lawyer and definitely not qualified or licensed to practice law in whatever jurisdiction applies in this situation, so... *shrug*
[10] The fact the CLA doesn't seem to state anywhere from what nor how the contributor is protected; nor, for that matter, from what, if anything, they will not be protected[11]. Which to me seems to make it difficult for any contributor (or their legal counsel) to evaluate whether signing the agreement is a good idea.
[11] The best I could come up with is maybe Google's reasoning is that by "requiring" contributors to interact with their employer they will be "protected" from unintentionally contributing something to which only their employer actually has the rights. But that seems pretty weak. And, as I say, I can only make a guess because Google doesn't actually specify any of it anywhere.
[12] Chorus: sotto voce "Because let's be honest here, is there even a single person at Google who is prepared to swear under oath that there is data to support the idea that there is even a simple majority of people who have signed the CLA that read it, understood it, obtained legal advice about it and are thus in a position to provide 'informed consent' by even the low standard of the law let alone morality?"
[13] Well, you know, clearly with the exception of global copyright infringement (oh, sorry, "training material hoovering") without such minimal courtesy as attribution because while apparently individuals have to abide by copyright law and wait until material enters the public domain after a term of close enough to one hundred years or more after publishing--a term demanded by multi-billion dollar corporations--apparently other multi-billion-dollar are too important to have to wait or brib... lobby for law change or license material or *gasp* pay for the creation of new works.
I'm not that naive and stupid even as a sub-100x Developer.
[14] [redacted]
[15] This joke is patented.
[16] Wait, what if I actually am a lawyer, licensed to practice law in some relevant jurisdiction? That seems like it would be super awkward.
Subsequent such occurrences were intentional.
And I've had a non-zero number of the PRs merged.
Despite stating that I did not intend to sign the CLA.
Because, guess what, there's no legal requirement for a CLA in order to accept a one word comment or documentation fix--it wouldn't even qualify for copyright protection. And, BTW, I'm definitely still not a lawyer.
Why did I intentionally submit a PR to a project I knew required a CLA? Just to be an asshole? Well, I'd prefer "smart-arse", but either way, no.
The purpose was to actually provide visibility into the cost of requiring a CLA.
Instead of letting the cost stay invisible and thus continuing to ensure a lack of evidence to which project maintainers might point as the motivation for change.
A one word doc fix? Who cares, that's practically worthless, right? Well, at least one project decided it was worth at least enough to "break the rules" and merge it without a CLA...
But that's not really the point because it's not just one word fixes that projects are missing out on because of CLA requirements. Its all the multi-line PRs fixing bugs, adding features, fixing security vulnerabilities, reverting tabs-to-spaces format changes, reverting spaces-to-tabs format changes, and reverting reverting spaces-to-tabs format changes--all those PRs that never get written so the cost is entirely invisible.
----
But what kind of person would care enough about CLA requirements to not want to sign one and yet still put effort into submitting a multi-line PR significant enough for a project to want while knowing it would unlikely to ever be accepted?
*cough*
No idea, I've never followed through on that particular action. :)
(In part because projects started either ditching CLA requirements entirely or changing them to a DCO requirement which at least in comparison I have less of an issue with for the moment.)
But how many people submitting useful PRs but not signing CLAs would it take before a project might start asking (themselves or whoever might be imposing the requirement): "Why are we requiring a signed CLA when it has this cost?".
It also turns out there's actually another potentially really interesting nuance of CLAs that I didn't consider until after the fad died down which I've not seen mentioned.
----
The negative impact of a PR without a signed CLA primarily affects the organisation requiring the CLA.
It's only the organisation requiring the CLA who cannot (by their own rules) benefit from a PR without a signed CLA. Any other member of the project can freely merge the PR into their own (or community) fork under the terms of the license by which it was contributed.
Now, some might object to contributions being "weaponized" in this manner but:
(a) Would you still complain if an AI instead of a human came up with the idea to "weaponize" in this manner? :D
(b) What other leverage do communities have against companies that some might describe as "holding community projects hostage"; or, at a minimum damaging the project, with a CLA requirement?
(c) Oh, that's not a weaponized contribution, this is a weaponized contribution: once a PR has been written to, say, add a feature to a project, a contribution that is, say, of sufficient size & creativity to be eligible for copyright protection... Now, if that were to happen...
BTW did I mention that I'm definitely not a lawyer? If I haven't previously, well, to remove any potential doubt: I'm not a lawyer. Just one of those developers who apparently seem to think the law is like code[13].
Anyway, the thought that occurred to me one day was: if there was a PR of contributed, licensed, copyrighted code for a feature but no signed CLA... could, that, perhaps, maybe, poison the well in relation to anyone else developing an alternative PR for the same feature but with a signed CLA?
And, if so, would that create some potential legal liability, for, say, a company like Google, if the project were to, say, merge such an alternate PR?
Because, like, wouldn't they have to be able to prove that the alternate PR isn't actually based on the PR without a signed CLA in order to avoid potential liability for, I dunno, copyright infringement or something?
Now, I may have mentioned this before but I'm not a lawyer.
With that in mind, the answer is: No!
Potential liability? Now, now, there's no need to be silly, Google has a signed CLA stating that the contributor totally represented that they could grant whatever the CLA grants. No legal liability for them, woo!
Well, unless it was an employee who wrote the alternate PR, I guess? But I assume there's processes for that...
But it turns out I'm the silly one because there actually seems to be a straight-forward "solution" which literally only just occurred to me as I was writing this up--and it seemingly doesn't require anything other than lawyering silliness!
----
[...continued...]
----
[-1] Comment too long footnotes to follow...