On 29 November 2016 at 14:50, Thomas Monjalon wrote: > 2016-11-29 14:20, Francois Ozog: > > Hi Matt, > > > > I coy/paste Mike Dolan's comment on CLA: > > > > "Most of our projects use the Apache CCLA if a CLA is required. We have a > > fully automated e-signature management system for CLA signings. You can > see > > the CCLA for Kubernetes for example here: > > https://identity.linuxfoundation.org/content/cncf-corporate-contributor- > license-agreement > > linuxfoundation.org/content/cncf-corporate-contributor- > license-agreement&sa=D&ust=1480344167438000&usg= > AFQjCNEbhgdm3M7dTLB1Xxwp8af7LJcC-A> > > " > > > > I had Linaro member companie lawyers have a look at it and they said it > is > > fine. > > > > So it should be nice to have such CCLA in place in DPDK. > > Why? > In an early mail I said: "I am not a lawyer and I am out of my league here. That said, we all know that NDA's cannot be executed by any employee of a company. So, the DPDK signoff is nice, but why implement a policy that is less binding for something that may be involving very high liability issues? DPDK says precisely "The purpose of the signoff is explained in the Developer’s Certificate of Origin section of the Linux kernel guidelines.". The following note says the contributor has to "understand" DCO... So unless I have missed something, nothing says that a contributor SHALL COMPLY to anything. And even if you change the sentences to include the word comply: - their should be a DPDK DCO not a pointer to some external project - do you have properly recorded in your books a paer signed by an authorized representative of a company ? - the DCO itslef is somewhat loose: "The contribution is based upon previous work that, to the best of my knowledge, is covered under an appropriate open source license". It does not say it is: . free from patents . free to use in large scale production by an end customer (not a developper). Or more precisely, the developper (say the NEP) has the right to sell and the customer (the operator) has been transfered the right to use. Bottom line, it is desirable that companies properly engage their responsability for licence, patents and copyright aspects. The CLA should be signed by each contributor company at the moment of joining: the company liability is engaged, not just the employee when submitting patches. There is probably some additional statement to be done for already contributed code." -- [image: Linaro] François-Frédéric Ozog | *Director Linaro Networking Group* T: +33.67221.6485 francois.ozog@linaro.org | Skype: ffozog