Contributor license agreement
see-ell-AY
A legal agreement that contributors sign before submitting code to a project, granting the project certain rights over their contributions.
A CLA is a legal document that open source contributors sign before their code can be accepted. It grants the project maintainers specific rights over the contribution, typically a broad license to use, modify, and relicense the code.
Companies use CLAs for two reasons. First, a CLA confirms that the contributor actually has the right to submit the code (they did not copy it from a proprietary codebase). Second, it gives the project maintainer flexibility to relicense in the future without tracking down every contributor for permission. This is how some projects later switch from MIT or Apache to a BSL.
CLAs are controversial in the open source community. Some developers refuse to sign them because the agreements feel like a power grab. Others see them as necessary legal hygiene for large projects. Google, Microsoft, and Apache all require CLAs. Many smaller projects skip them and rely on the "inbound = outbound" convention: contributions are assumed to be under the project's existing license.
Examples
A developer submits a pull request to a major open source project.
The CI bot posts a comment: 'Please sign our CLA before we can merge this.' The developer signs it electronically through a web form. Future PRs do not require signing again.
A company open sources an internal tool.
The legal team sets up a CLA to protect the company if it later wants to offer a commercial version of the project. Contributors grant a broad enough license to allow dual licensing.
An open source project debates adding a CLA requirement.
Some maintainers argue it discourages contributions. Others argue it protects the project legally. They compromise by using a Developer Certificate of Origin (DCO) instead, which is lighter weight.
Frequently asked questions
What is the difference between a CLA and a DCO?
A CLA is a legal agreement granting broad rights to the project. A DCO (Developer Certificate of Origin) is a simpler attestation that the contributor has the right to submit the code. DCOs are lighter and less controversial.
Do I have to sign a CLA for every contribution?
Usually not. Most CLAs are signed once and cover all future contributions to that project. The first PR triggers the signing process; subsequent PRs do not.
Related terms
The practice of tracking and fulfilling the legal obligations of all open source software used in a product.
A permissive open source license that allows anyone to use, modify, and distribute the software with minimal restrictions.
A permissive open source license that includes an explicit patent grant and requires attribution for modifications.
A copyleft open source license that requires derivative works to also be distributed under the GPL.
