@ploum
It all really depends what you want a CLA for.

Some want it primarily to increase their own freedom over the project, like license changes.

Some want it primarily for assurance of provenance.

Some want it only from the maintainers (I know that exactly this has been argued for in Apache circles), which then essentially constitutes a permanent sign-off on everything they do.

@ploum
Personally, I've come to the conclusion that CLA are pretty much bullshit.

We have other tools for provenance, with the Sign-off trailer in commit messages. Maintainers need to pay attention either way, and in that respect, the Sign-off trailers in front of you are just as easy to deal with as any commit author.

As for increasing the freedom of the maintainers, the creates a power imbalance which isn't very palatable when you thinkg about it.

@ploum
On the subject of license changes, BTW... this is also something to carefully think about.

I'm coming from the perspective that there's a project license, and then there are licenses in each file. They do not have to be the same, all that's needed is that they are compatible.

@levitte : Indeed, you could technically change from GPL to AGPL without approval from contributors because there’s a one way compatibility (in fact, I did it myself by changing a project license from BSD to AGPL).

So my example doesn’t work. But does that mean that CLA are always bad?