
275 points pabs3 | 1 comments
palata ◴[] No.45148071[source]
> Projects with CLAs more commonly are subject to rug pulls; projects using a developers certificate of origin do not have the same power imbalance and are less likely to be rug pulled.

Would be worth explaining why: my understanding is that if you sign a CLA, you typically give a right to relicence to the beneficiary of the CLA. So you say "it is a GPL project, my contribution is GPL, but I allow you to relicence my contribution as you see fit".

If the project uses a permissive licence already, honestly I don't really see a big impact with signing a CLA: anyone can just take the codebase and go proprietary with it. However, if it is a copyleft licence, then signing a CLA means that the beneficiary of the CLA doesn't play by the same rules and can go proprietary with the contributions!

If you don't want a rug pull, you should use a copyleft licence and not sign a CLA: nobody can make Linux proprietary because the copyright is shared between so many people.

If you use a permissive licence, then a rug pull is part of the deal.

replies(5): >>45148427 #>>45148502 #>>45148634 #>>45148648 #>>45148948 #
kelvinjps10 ◴[] No.45148948[source]
But what about GNU? Their projects require signing a CLA, and I don't think they will do a rug pull.
replies(4): >>45149059 #>>45149610 #>>45150624 #>>45151048 #
sokoloff ◴[] No.45149610[source]
I think there are two differences there:

FSF wants to be able to relicense as/if the legal landscape evolves, but in a way consistent with the original license aims. I fully support this (and I want to give them this flexibility), but admit that this is based on my trust in FSF more than anything else.

FSF wants a contribution agreement to ensure that it doesn’t have to litigate with 1000s of companies who might claim some contribution that an employee of theirs made was corporate IP*. I also understand this, particularly given the incentive for a company to intentionally cause a “tainted” contribution to get into FSF products.

My willingness to “go along” with an FSF CLA is much, much greater than for a random company who wants to trade on and benefit from the goodwill of the “we’re open-source!!” banner and yet be able to rug-pull later.

* - I think I have exactly one tiny change into emacs from decades ago. It took me way longer to get corporate sign off on the CLA than it did to author the change.

replies(1): >>45150229 #
phkahler ◴[] No.45150229[source]
>> My willingness to “go along” with an FSF CLA is much, much greater than for a random company who wants to trade on and benefit from the goodwill of the “we’re open-source!!” banner and yet be able to rug-pull later.

FSF is the only organization that I would trust with a CLA. Everyone else has mixed motives.

As this stuff keeps happening I think the GPL will regain popularity.

replies(3): >>45150920 #>>45151105 #>>45167284 #
Arch-TK ◴[] No.45151105[source]
For a long while I was using MIT a lot; these days I have started switching to GPL, especially for anything significant.

All because of the nonsense and all the rugpulls.

replies(1): >>45151810 #
ranger_danger ◴[] No.45151810[source]
In my experience, the usefulness of any particular license is only as good as your ability to enforce it in court.
replies(3): >>45153087 #>>45153107 #>>45154560 #
palata ◴[] No.45153107[source]
It's also a risk for the other side. Big companies wouldn't take the risk to go to court, they'd rather not use your project.
replies(1): >>45153181 #
ranger_danger ◴[] No.45153181[source]
That has not been my experience... instead, they realize that struggling individual developers cannot and do not want to fight for their rights, so they openly abuse them knowing nothing will happen.
replies(3): >>45154410 #>>45154778 #>>45154989 #
1. BobbyTables2 ◴[] No.45154989{4}[source]
I don’t think there’s so much conspiracy.

The big companies could just be a huge collection of disconnected small teams of 2nd rate developers who have little understanding of software licensing and are just trying to ship a product.

Not an excuse though.

Of course, it doesn’t help that annual training focuses on trade compliance and ethics with no mention of licensing.

Hell, I’ve never seen a policy on the use of commercial clip art…