I faced the following situation recently as a maintainer of a popular open-source project, and I wondered what to do.
Situation
A first-time contributor submits a PR to Spectre.Console, a Microsoft .Net Foundation open-source project. It’s a small, but important change to guard against a null input parameter on a public method.
The contribution bot asks for confirmation the code change is copyright-free, but the contributor doesn’t respond. The bot proceeded to remind the contributor several times, and I even attempted to make contact through other channels, but the contributor didn’t respond.
I wish to merge the contribution, I wish to behave in a legally compliant manner, and I wish to encourage other first-time contributors.
Question
What is the ‘proper’ open source etiquette regarding this PR?
- Leave it open, wait indefinitely
- Close it with a comment
- Close it with a comment, then submit my own PR with exactly the same code
- Merge it anyway
Answer
‘4. Merge it anyway’ is probably the right course of action, for the reasons that follow.
The repository is MIT-licensed, and clearly advertised as such, so it’s reasonable to expect all contributions are made under that license, even before the bot comes along. Additionally, the change is trivial and widely considered industry best practice, so it’s hard to see how anyone could enforce a copyright claim. Anyhow, code change could easily be reversed, and I find it hard to see how damages could be levied in this situation.
However, a more extensive contribution could prove to be problematic. So, I’ll consider an update to the PR template (and contributing guidelines) to explicitly state that all contributions are MIT-licensed and not to proceed otherwise.
If your developers are struggling, perhaps they need better guidance?
Our Software Requirements can help with that.