I agree, to some extent, that the risk is fairly small, but it's real - UCLA's lawyers aren't being dumb to consider it. Were I advising an institution, in most cases I'd say it was an acceptable risk, but for large institutions like UCLA or my own university defensive measures such as you mentioned would be very wise.
It's actually very much like a cross-site-scripting attack. Permissions granted in one context can inappropriately extend to other contexts, either through mistake or malfeasance. Call it a cross-site-patent attack.
In 1998 we could only think of rather contrived examples of cross-site-scripting attacks, so some people concluded it was rather unlikely to ever be a problem. Others saw the hole and warned that bad scenarios would end up happening unless the problem was addressed via the same-origin policy and other mitigations. Today examples of cross-site patent attacks may be a little contrived, but they do demonstrate the potential exists.
Not only would some unscrupulous person have to submit code which infringes your (unrelated) patent, but Moodle HQ would have to integrate it into the official HQ repository. Unless HQ were in on it ... the contribution would simply be rejected as irrelevant
Consider for example the biometric authentication I mentioned. It's plausible that someone could contribute an authentication module for Moodle and it could be committed without any need for HQ to be "in on it". That may be a bit contrived, but it's no more contrived than the cross-site attack scenarios we predicted in the 1990s, and we know cross-site-scripting has caused billions of dollars of total damage in the last fifteen years.
GPLv3 specifically refers to the "contributor version" - so as long as you're careful about what you include in the version which you make available, you shouldn't be at risk of exposing any unrelated patents.
"Contributor version" is NOT "the version you make available". If it were defined as such, that would certainly help. That's one of many problems with what that section actually says as opposed to what it should say. In the GPL3, "contributor version" has a far wider definition. It is a) "the work" (Moodle) and any other work Moodle has code derived from (such as ADODB). "The work" under GPL3 is Moodle and the contributor version is any version which includes code we've contributed. The actual wording is it's a version in which we, a contributor, "authorizes use" of our code.
So, someone contributes something which infringes a patent developed by some other part of the university, 600 miles away. A week later I fix a typo in the default theme. My contribution authorizes use for that version of Moodle, which also happens to contain infringing code in some other module.
There are two types of overreach happening - the clause extends to all 1.1 million lines of Moodle, to modules I may have never seen before, much less contributed, and it extends to all patents owned OR CONTROLLED by my organization. So it overreaches in the code: it requires me to bless all of Moodle, not just the modules I work on or even modules I've heard of, and it overreaches on the other side by going at all patents controlled by the organization, including patents I've never heard of.
Although the real world doesn't always work exactly as it ideally should, incorporating code into your build without knowing what it is or does isn't a good idea.
You read and understood all 1.1 million lines of Moodle before you contributed anything? If you had, you still would know what all was in there because WHILE you were reading, more code was being contributed and code was being changed. By the time you read and understood the SCORM module, it had already been changed while you were reading it. Therefore it's simply not possible for any one human to know every bit of Moodle.
The whole situation also depends on one key point: ownership of the IP. Is the legal entity which holds the IP that UCLA (in this case) is worried about the same legal entity which is contributing code to Moodle?
One can, if you do it carefully. Specifically, the legal entity who owns and therefore contributes the copyright to the code must not have the right to license the patent. Going the opposite direction won't work; the GPL3 tries to prevent that defense. Remember, splitting ownership is not enough. Under GPL3, you automatically license any patents which you can license, whether you own them or not.
Ray, are you willing to share your source for the bit about the kernel developers? The "28 of 29 principal kernel developers said no to GPLv3" thing seems to be related to a survey conducted based on the then-current draft of GPLv3;
I don't believe the final version "fixed" the problems with the patent clause in any significant way since this was written:
You can of course see the devel list for full discussion at each stage, including after the final draft was approved. The ultimate final statement as to kernel's position on GPL3 is:
They, the kernel developers, ultimately decided against GPL3. Peruse the discussion list if you want to see how much of a landslide it was against GPL3.
The last few paragraphs of Linus' statement here also sum up nicely how many developers feel about it:
it may be that their concerns regarding the patent section have actually been addressed since then, but they're just too stubborn (and/or lazy)
Any position predicated on the kernel development team being lazy, stupid, or stubborn is rather tenuous. With about 25 - 30 commits per day, I can assure you they (we) are not lazy. As a (tiny) contributor to the kernel, I am offended by that suggestion.
No, it has much more to do with the fact that they feel it is morally wrong to take someone else's code and their rights to it, which they contributed to an open source project for your enjoyment, and misappropriate it to fight content DRM, patents, secured systems and other issues entirely unrelated to the stated goals of the project they contributed to, Moodle.
For example, YOU may feel that all content should be free and that after spending over a million dollars developing coursework a school should not use anti-circumvention measures to protect their investment. I might even agree with you. However, other people who have contributed to Moodle may disagree. They may well feed their families by producing such content. To take the code which they contributed and use their contributions to prevent them from protecting their content is wrong, and that's what GPLv3 does. It prevents them from protecting their work using anti-circumvention measures. I can decide to use MY code license in that way, but I have no moral standing to use SOMEONE ELSE'S contributions to club them or a third party over the head in regards to the content they present via Moodle. No, it's not laziness, it's that they actually have a valid concern there. You may disagree. You may think that you have a right to take my code and use it to attack other people's patents. They simply don't think that's right.