Legally Ignoring The License

Perhaps the biggest current challenge to open source software is companies which ignore open source software licenses. That sounds so “yesterday” from an era of license scanners and compliance scares. But the issue is as relevant today as it was 20 years ago – just not the way you think!

Contributor agreements have been a controversial topic throughout their history. The choices by Elastic (and others before them) to relicense previously open source software under a licensing arrangement that discriminates against certain users threw the use of contributor agreements into sharp relief. But the controversy around them focused too much on the wrong problem. The main problem with a copyright-assigning agreement is not it giving the right to the aggregator to relicense the work (although that is a problem as it enables the end game of a rights ratchet). The main problem is it allows the aggregator, uniquely in the community, to ignore the license altogether.

A Brief History Of Scareware

All Open Source licenses grant unconditional permission in advance to those who comply with their terms to use, improve and share the software in any way and for any purpose. At a stroke, scope for artificially making the (inherently non-rivalrous) software scarce are eliminated. Of course, that’s a serious problem if you’re an entrepreneur whose imagination only extends to directly monetising access to the software.

Right from the start wily entrepreneurs realised that Copyleft licenses scared and confused some people, especially lawyers. So they sold customers the right to replace the open source license with a proprietary one – for some reason something customers’ lawyers found less scary. The pioneer of this approach was probably Sleepycat Software Inc whose BerkeleyDB embeddable database came under a source-available arrangement that left their users in no doubt that they had to make their own private work available to the public. Sleepycat sold a “commercial use” license that didn’t have the same requirement but which also left the user with none of the four freedoms. Selling indulgences had been profitable in the middle ages and it also worked for Sleepycat, all the way to acquisition.

Inspired by that success, many other companies sold indulgences. As the market wised up to the GPL and corporate counsel was no longer scared by it, companies transitioned to using other scareware licenses such as AGPL as well as to using “open core” approaches where the commercially valuable functions were not in the open source code at all. By using the no-charge availability of the software to gain adoption, free adoptors could be converted to paying customers and ultimately to lock-in. Some users of this strategy – notably SugarCRM – were able to ratchet back the freedom over time until they had an old-style proprietary software business.

Controlling The “Community”

However, there was an inconvenience. For much software, gaining adoption meant persuading cautious, picky developers to use the code — hand-waving to the boss was no longer enough. Once they were using the source, developers might well improve it. Inspired by the likes of Apache and Mozilla they then might well share their improvements, thus forming a community to produce better code than you. So it was smart to invite and use their improvements and thus keep control of the community.

But then the presence of these contributions under the GPL would make you subject to the GPL yourself and unable to sell indulgences or ignore the license. The fix to this was to speak to the sense of fairness and desire for an easy life (and pleasure of recognition) and claim it was in everyone’s interests for the core company to own all the copyrights. Apache and the FSF helped things along by socialising the idea of copyright assignments1. All these factors led developers to agree to gift the IP rights to their work to the core company. The name of such a document is a contributor license agreement or CLA.

Once they have a CLA, a company is able to aggregate all the rights to the software as if they own it. This has several consequences for the project:

  • They can sell indulgences, so that some community members are able to ignore the license.
  • They can ignore the license as well, enabling open core models that could otherwise be impossible.
  • They can do secret deals with other companies to treat the code as their own or even sell the complete rights, including to a company that actually wants to end the project. Because they can act secretly they can potentially preempt forks.
  • They can make releases without community consensus, making it impossible for peers to join in.
  • They can change the license by fiat, including to one that harms bona fides contributors they want to disadvantage
  • They can end the public project completely, as SugarCRM did.

Socially Unacceptable

An open source licence is a multi-lateral constitution of a community, setting norms that apply equally to all. Having every developer and user subject to the same terms is one of the pillars of community. A copyright assignment provides unqualified and unappealable immunity to all that. The presence of one in a commercially-backed project is almost certain to mean someone doesn’t want to be subject to the rules and norms everyone else must abide by, usually as part of a rights ratchet. They and their sham freedoms should no longer be tolerated by open source contributors.


Footnote 1: In both cases the CLA is – at best – marginal to the community. At Apache, the CLA is redundant with section 5 of the Apache License which many people believe grants all the rights the community needs. Folklore at Apache says that IBM’s lawyers were not sure of that and just to be certain insisted there be a CLA as well. At the FSF, the CLA is also redundant with GPLv3 (and likely with GPLv2 as well) but it has long argued that the FSF needs to own the copyrights in the USA in order to pursue license compliance — even though they don’t do so much and the surrender of copyright reduces the ability of the actual developers to choose to enforce.

Rights Ratchet Talk

Simon delivered a talk for the new Tidelift conference “Upstream”. In it he drew together the threads of several earlier posts about the rights ratchet model (“bait & switch meets boiling frogs”) using the history of the now-defunct Sugar CRM open source project as an initial case study and then examining the various ratchets that remove rights from open source project participants, ways to detect that a project is actually a rights ratchet and steps to mitigate the consequences including promoting permission in advance.

Don’t Call It Relicensing!

Using open source elsewhere is not relicensing, it’s overlaying a second license.

So you’re considering taking some open source code under a minimal, non-reciprocal OSI-approved license and putting it under a different open source license, hopefully in combination with your original code (or another form of larger project). 

Don’t call this “relicensing” – it is not! The original license will continue to apply and you remain responsible for complying with its requirements. Only the copyright holder can change the license. You’re not relicensing – instead you are using the rights the license has given you and applying an additional license to the combination of the earlier work and your work. 

Continue reading

An End To API Gaslighting?

The Supreme Court decision in Oracle vs Google ends a decade-long nightmare for open source developers.

Sunlight or gaslight?*

The decision of the US Supreme Court (SCOTUS) to reverse the erroneous conclusion of the US Federal Circuit appeals court (CAFC) that Google’s use of the Java SE API in Android was a copyright infringement comes as a great relief to open source programmers everywhere. Software developers have always assumed that merely including a function prototype in their code does not require copyright permission as it’s just a fact about the implementation.

Continue reading

Supporting AlmaLinux

We are pleased to be supporting the AlmaLinux OS Foundation as it starts its work as steward of the community around the new AlmaLinux distribution. Meshed’s founder Simon Phipps is joining the newly-incorporated non-profit as a director. In this role he will be building on his experience with many other open source Foundations to ensure that the governance is fair, stable, independent and transparent while also serving the needs of the AlmaLinux user community.

With the unexpected switch of CentOS to become an experimental upstream of RHEL, it was inevitable that candidates would emerge to replace it in its role of an unaffiliated downstream binary-compatible distribution of RHEL. The existence of a reliable downstream distribution is good for everyone, offering a low-friction on-ramp for newcomers and a long-term home for those capable of self-support. It builds the market so that commercial players also benefit from the ever-growing user base in a classic adoption-led model.

So it’s good that the need is being met by a distro anchored in an independent Foundation. AlmaLinux aims to leverage the existing build processes of a contributor company, CloudLinux, to produce a reliable, stable, binary-compatible distribution within the context of a community-administered non-profit Foundation. This US 501(c)(6) will hold all the trademarks, keys and other assets of AlmaLinux on behalf of the community. We’re pleased to be able to help make the initiative succeed. Congratulations on the first release!

FLOSS Weekly 622: Keith Packard

Simon joined Doc Searls to host episode 622 of FLOSS Weekly featuring Keith Packard, one of the key figures of the open source software movement. They talked about Keith’s involvement in the X System and Freedesktop.org and strayed into related topics including the many projects Keith has helped and his interest in rocketry!

One significant discussion considered the thread joining the fork of XFree86, the recent vote to change the board of Nominet in the UK and the controversy over the reinstatement of Richard M Stallman to the board of the Free Software Foundation this week. Each represents a significant entity to the open movement which has leadership that was established as a “club” between activists and failed to progress into a well-governed organisation representing and controlled by the community.

Our focus this week has been the Open Source Program Office (OSPO). While at Sun Microsystems, Simon led their OSPO and this week he got the team back together, including original founder Danese Cooper, to write about what they all did during the decade the Sun Open Source Program Office existed. This was a very popular article and it’s been read thousands of times this week. There’s scope to zoom in on specific topics mentioned in this article – let us know which would interest you.

Continue reading

The Week In Review: OSPOs

A Rights Ratchet Score Card

A draft scorecard for determining if a software project is open as bait for a business pivot or genuinely keeping your freedoms protected.

Open or closed? You decide.

The seven signs a project is following the rights-ratchet route to riches and the framework for going beyond licensing can be augmented by some straightforward indicators of an issue. None of these alone is necessarily a cause for concern, but the more clicks, the more risks. Here’s a rough-and-ready first draft of a scorecard to check whether your software supplier considers you a community peer and will respect and protect your essential freedoms, or visualises you more like one of those pods in The Matrix. Just count the clicks; the more clicks, the higher the risk this is a rights-ratchet that will end up closed.

Continue reading

What Did Sun’s OSPO Do?

Started in 1999 and established as an official corporate function in 2005, Sun’s Open Source Program Office (OSPO) was among the first in the industry and maybe the first to use the name.

As I’ve discussed in earlier posts, corporations are the vehicle for the collective expression of many individuals. However, to the outside world they are a monolith, and are expected to be consistent as well as predictable in their actions.  With the many varied, implicit expectations and explicit obligations that different open source projects have, transforming a company’s reputation into that of a good actor in open source is a complex task.  It’s also a necessary one if you expect other actors to invest their time and work in your project, or to give you influence in steering a project together.

Continue reading

The theme this week at Meshed was standards and open source. A recent post explained how open source and open standards are essentially unrelated, almost contrasting concepts joined philosophically by some based on their application in some industries. Two posts this took look at the consequences of that reality. To summarise the contrast in this context:

Continue reading

The Week In Review: Standards