The question is: WHO are you signing the CLA over to?
If it's a for-profit company, well, then do you trust that company to follow through?
If it's a non-profit, then look to see (in the US) if they're a 501(c)(3) public charity, which have legal restrictions on their governance, which typically require serving some larger public good. Also look at their history of past governance. I certainly hope (as an ASF peep) that we've shown who we are to be who we plan to be in the future; namely producing software for the public good.
Key reasons the ASF uses a CLA are protecting the org from future IP issues, and partly simply to be able to fix some future typo or legal issue in our license if one ever comes up. But the ASF will always provide all of it's released software under a similar style permissive license to Apache-2.0, as long as the organization is around.
If they're a 501(c)(6), then they're a business league, and might act more like a for-profit corporation, so...
Signing legal documents requires disclosure of personal information. Most CLAs require full legal names and often the names of employers. While Elric is my legal name, I prefer not to disclose my last name for a variety of reasons. Being able to commit to FOSS on a pseudonymous basis is impossible when CLAs are involved, which I think is a real shame.
I understand that orgs want to protect themselves, but CLAs only protect orgs, and can potentially harm contributors. Now, I happen to trust the ASF, and I hope my personal information is safe with them.
There is a solution to that in many jurisdictions: register your pseudonym as an "alternate name".
What makes you think that? What stops a few "evil" people from getting on the board and changing the mission in some way and then changing the license so that it is no longer permissive?
I've never been clear on what stops the above attack. Many people have setup foundations on their death that are now promoting things the person was clearly against in their life. Martin Luther King Jr's "I have a dream" speech is now property of his heirs who milk that copyright for all the dollars they can get - I believe this is not what he would have wanted. There are plenty of other examples.
Practically, I know it because the ASF is a Membership organization, meaning there are hundreds of individual Members who have been elected by their peers inside the ASF. The Membership is the group who elects the board. The ASF has only individuals as Members (never corporations), and quite a lot of folks have made their careers about their ASF project work, while hopping between multiple jobs at various vendors.
So to mount an attack like that, you'd need to "evil-ise" a over a hundred Members to get them to vote for your hand-picked candidates who would be shunned by basically everyone else involved in the ASF.
https://apache.org/foundation/governance/members.html
Vendor neutrality and our permissive license are baked very, very deeply into everything the ASF does.
A fair number of 501(c)(3) foundations are similarly membership corporations, where the board is elected from the set of people who've been volunteering there for years, so they are unlikely to change direction like that. Some (c)(3)s are not, but still have a good track history. (c)(6) organizations are a mixed bag, since some explicitly allow sponsors to pay for board seats - a very different world.
