To be fair, though, every project of a certain size requires you to sign away your rights via CLA, so I don't think that can be held against them. (Though I admit, dispensing with a CLA would be an amazing gesture of good will.)

This is not at all true. Only projects that have the intention of wanting to be able to screw over their users have a CLA.

The obvious counter example is Linux which has no CLA.

On the other hand, the Apache foundation asks for a CLA.

OpenSearch only requires DCO.

https://github.com/opensearch-project/.github/blob/main/CONT...