Tux

...making Linux just a little more fun!

Introducing Open Solutions Alliance

Rick Moen [rick at linuxmafia.com]
Mon, 5 Feb 2007 14:29:46 -0800

Today's volleys in the licensing war. Note that Timothy McIntyre is corporate counsel for one of the "Exhibit B" firms. Earlier I "outed" him as a paid flack for one of the interested parties (a fact he nowhere mentioned, at the time) when he posted his ostensibly personal opinion that Socialtext's GAP licence [sic] should get OSI approval because Attribution Assurance License had, earlier -- a non-sequitur argument, and one that ignored AAL's clear violation of OSD#10, adopted after AAL's approval.

----- Forwarded message from Rick Moen <rick at linuxmafia.com> -----

Date: Mon, 5 Feb 2007 14:16:27 -0800
To: license-discuss at opensource.org
From: Rick Moen <rick@linuxmafia.com>
To: TAG <tag@lists.linuxgazette.net>
Subject: Introducing Open Solutions Alliance
Back in mid-December, when discussion of Socialtext's Generic Attribution Provision and "Exhibit B" clauses got going and I'd posted a couple of initial comments (e.g., that the wording of Exhibit B clauses seemed to stand in the way of code reuse), I was surprised to find Brian Behlendorf querying me in offlist mail about my reaction to such clauses. Brian's a good guy, and I was glad to give my assessment (that there was nothing inherently wrong with forced advertising clauses per se, that the OSD#10 gaffe needed to be fixed, and that intrusion on reuse in commerce has to be minor enough not to violate OSD#3&6) -- but found the experience odd. For what reason was I being so promptly sounded out in private?

Brian was of course one of OSI's founding Board members. Lately, I'm pretty sure his main concern has been Collab.net.

I noticed recently that on February 15, at a panel discussion at the OpenSolutions Summit in NYC, Brian, representing Collab.net, is going to be introducing to the world a new "trade association", the Open Solutions Alliance (OSA), about which curiously little is being said except that it will be "focusing on business use of open source apps", and "not as a standards body, but more like a Good Housekeeping Seal of Approval thing.". Robin Miller has an interesting article about it: http://www.linux.com/article.pl?sid=07/02/03/1737253

Business use of open source apps is of course a very good thing. However, somewhat disturbingly, the main backer of the OSA, and owner of its OpenSolutionsAlliance.org domain, appears to be yet another proprietary Web 2.0 company posing to the public as an open source firm: Dark Horse Ventures, LLC of Norfolk, Virginia, DBA CentricCRM.

CentricCRM publishes a "Community Edition" that is professed to be open source, but after you download it (which is possible only after registering and logging into their site), key code turns out to be under the "Centric Public License" (CPL), which is of course proprietary and used as an inducement to get people to buy separate commercial-use licences.

CPL itself can be viewed here: http://www.centriccrm.com/ProjectManagementFiles.do?command=Download&pid=56&fid=344&view=true

I note that the "Exhibit B" firms make a habit of using the concept of open source as "a Good Housekeeping Seal of Approval thing", and have seemed allergic to the concept of submitting their in-use licences to the applicable standards body. Coincidence, or the upcoming vehicle for further circumvention of OSI scrutiny?

-- 
"Superpolylogarithmic subexponential functions! / Faster than a polylog but slower
than exponential. / Even though they're hard to say, they're truly quintessential.
 / Superpolylogarithmic subexponential functions! / Um diddle diddle diddle, um 
diddle ay! / Um diddle diddle diddle, um diddle ay!"       -- John S. Novak, III
----- Forwarded message from Timothy McIntyre <tmcintyre at terracottatech.com> -----

Date: Mon, 05 Feb 2007 12:02:04 -0800
From: Timothy McIntyre <tmcintyre@terracottatech.com>
To: TAG <tag@lists.linuxgazette.net>
To: license-discuss at opensource.org
Subject: Attribution & the Adaptive Public License
As the OSI community considers approving a new "attribution" license, there's a key point that I think has been lost in the shuffle. In 2005, the OSI approved the Adaptive Public License as satisfying all 10 requirements of the OSD. The APL includes a specific attribution provision. It says:

"As a modest attribution to the Initial Contributor, in the hope that its promotional value may help justify the time, money and effort invested in writing the Initial Work, the Initial Contributor may include in *Part 2 of the Supplement File* a requirement that each time an executable program resulting from the Initial Work or any Subsequent Work, or a program dependent thereon, is launched or run, a prominent display of the Initial Contributor's attribution information must occur (the "*ATTRIBUTION INFORMATION*"). The Attribution Information must be included at the beginning of each Source Code file. For greater certainty, the Initial Contributor may specify in the Supplement File that the above attribution requirement only applies to an executable program resulting from the Initial Work or any Subsequent Work, but not a program dependent thereon. The intent is to provide for reasonably modest attribution, therefore the Initial Contributor may not require Recipients to display, at any time, more than the following Attribution Information: (a) a copyright notice including the name of the Initial Contributor; (b) a word or one phrase (not exceeding 10 words); (c) one digital image or graphic provided with the Initial Work; and (d) a URL (collectively, the "*ATTRIBUTION LIMITS*")."

--APL, section 3.10(a).

This OSI-approved attribution provision is quite broad. It can apply to every executable program that results from the Initial Work or any Subsequent Work, regardless of whether such work is distributed or not. In addition, it can be applied to a program that is dependent upon the Initial or Subsequent Work. Finally, it necessarily complies with OSD section 10, because the APL was approved in 2005, after section 10 was added to the OSD in 2002.

I bring this up because I've seen a lot of discussion / debate on this mailing list about which flavor(s) of attribution should be considered OSD-compliant, and I think the APL is a useful point of common reference and can help light the way. To ignore the APL when deciding whether to approve any "attribution" license would risk muddying the water even further, IMHO. What's that Bob Marley line? "If you don't know your past, you don't know your future?"

Tim

-- 
__________________________________________________
Timothy McIntyre // Corporate Counsel
Terracotta // Open Source Clustering for Java
web: www.terracotta.org
tel: 415.738.4014
fax: 415.738.4099
This email incorporates Terracotta's confidentiality policy, which is online 
at http://www.terracottatech.com/emailconfidentiality.shtml
----- Forwarded message from "Andrew C. Oliver" <acoliver at buni.org> -----

Date: Mon, 05 Feb 2007 16:34:16 -0500
From: "Andrew C. Oliver" <acoliver@buni.org>
To: TAG <tag@lists.linuxgazette.net>
To: license-discuss at opensource.org
Subject: Re: Attribution & the Adaptive Public License
It is a good point. One thing about the wording is that it says it may not require more than... One could argue that an attached provision could de-open source it. Though the license is approved and allows exactly this kind of adware provision.

Do you think SocialText would be willing to add this to their GAP supporting arguments page? If not I again suggest that I'd be happy to help organize a paper on our wiki supporting the provision (even though I am not for the last version that was submitted and this form of adware generally).

-Andy

[snip Andy quoting Timothy McIntyre's entire message.]

-- 
No PST Files Ever Again
Buni Meldware Communication Suite
Email, Calendaring, ease of configuration/administration
http://buni.org
----- End forwarded message -----

----- Forwarded message from Matthew Flaschen <matthew.flaschen at gatech.edu> -----

Date: Mon, 05 Feb 2007 16:44:13 -0500
From: Matthew Flaschen <matthew.flaschen@gatech.edu>
To: TAG <tag@lists.linuxgazette.net>
To: Timothy McIntyre <tmcintyre at terracottatech.com>
Cc: license-discuss at opensource.org
Subject: Re: Attribution & the Adaptive Public License
Timothy McIntyre wrote:

> As the OSI community considers approving a new "attribution" license,
> there's a key point that I think has been lost in the shuffle.  In 2005,
> the OSI approved the Adaptive Public License as satisfying all 10
> requirements of the OSD.  The APL includes a specific attribution
> provision.

Thanks for bringing this up. I now recall the initial SocialText email briefly mentioning it. Interestingly, it seems APL itself was lost in the shuffle when originally under consideration. Russ said (http://www.mail-archive.com/license-discuss at opensource.org/msg07431.html), "Unfortunately, even after two tries there have been insufficient comments on the Adaptive Public License. Maybe the third's the charm?"

Later, it was forgotten for a year or so before Russ reported that the committee recommended approval (http://www.crynwr.com/cgi-bin/ezmlm-cgi?3:mss:9268:apdpdalipapaedpgofih).

I may be wrong, but in all that time it never seemed that anyone considered the OSD #10 implications, so it seems a hazardous precedent.

It says:

> <snip text>
> This OSI-approved attribution provision is quite broad.  It can apply to
> every executable program that results from the Initial Work or any
> Subsequent Work, regardless of whether such work is distributed or not. 
> In addition, it can be applied to a program that is dependent upon the
> Initial or Subsequent Work.  Finally, it necessarily complies with OSD
> section 10, because the APL was approved in 2005, after section 10 was
> added to the OSD in 2002.

However, it is not so broad as GAP was in other ways. Most importantly, it didn't require keeping the same size.

Anyway, I'm afraid you're putting a bit too much faith in OSI. It necessarily was approved after OSD #10; that should mean it complies but may not. I don't think it does for much the same reasons I've explained elsewhere. It doesn't allow for headless applications and presents problems with command-line applications and such.

> I bring this up because I've seen a lot of discussion / debate on this
> mailing list about which flavor(s) of attribution should be considered
> OSD-compliant

I don't know about everyone else, but I've been discussing whether GAP is compliant, not whether it should be.

To ignore the APL when deciding whether to

> approve any "attribution" license would risk muddying the water even
> further, IMHO.  What's that Bob Marley line?  "If you don't know your
> past, you don't know your future?"

A valid point, and thank you for bringing APL up. However, OSI doesn't have stare decisis. It can certainly learn a lesson occasionally.

Matthew

----- End forwarded message -----


Top    Back


Rick Moen [rick at linuxmafia.com]
Mon, 5 Feb 2007 22:23:34 -0800

I certainly wasn't trying to offend Brian Behlendorf. However, I confess I'm not bothered by the notion of slightly tweaking attorney Timothy McIntyre.

----- Forwarded message from Brian Behlendorf <brian at collab.net> -----

Date: Mon, 5 Feb 2007 21:12:21 -0800 (PST)
From: Brian Behlendorf <brian@collab.net>
To: TAG <tag@lists.linuxgazette.net>
To: license-discuss at opensource.org
Subject: Re: Introducing Open Solutions Alliance
On Mon, 5 Feb 2007, Danese Cooper wrote:

>Brian has been in India this past week.  Not sure when he's coming back to 
>the States.

More relevant is when I'm online, which is a cycle 10.5 to 13.5 hours different than most others on this list. :) I'll go "on the record" here, and while I realize this list is publicly archived, I don't see that it's worth reporting more widely until next week when it's launched.

The Kremlinology around this is no doubt entertaining, but there's less here than might meet the eye. I'll be moderating a panel on it next week, and by then CollabNet might be a member. But I'm neither driving this nor introducing it personally. I'd prefer to be able to name those who I know are involved, but since they've clearly wanted to wait until next week for the launch, I want to respect their wishes. The only reason to keep that list secret is to be able to launch a set of names at once rather than dribble them out piecemeal as that might imply that the project is owned by one outfit or another.

The linux.com article got it right as far as I know - the focus is both promotion of open source business apps (as distinct from most of the rest of the advocacy today, which is around operating systems or developer tools & frameworks) and on interoperability between them. The first one is important - lots of us are gonna get creamed by the Sharepoint steamroller unless there's a message that makes sense for a certain kind of IT purchaser. The second one is more important to me, though - it's just too hard, today, to get different web-based applications to work side-by-side for a single organization, unified in permissions management, search, user interface, avoiding duplication of function, and all that. Without the independents trying to standardize on a few things, only the monolithic players will win, which would suck.

The topic of not-OSI-approved-licenses hasn't yet come up in conversations I've been a part of, but I've only been a part of a few. I would expect it to be a major topic after it's launched, though, as it directly relates to both purposes for the organization. I've been very vocal in other settings (including here on this list) that one shouldn't even use little-o little-s "open source" to describe your software or initiative unless you're talking about an OSI-approved license - let alone Big-O Big-S "Open Source". I don't see this outfit as being a trademark as enforcement organization the way that OSI should be, but nor do I see it condoning the kinds of behavior that have been mentioned on this list.

So don't expect "dazzling plans and a knock-your-socks-off marketing program on February 15". Expect an exhibition of a list of companies interested in addressing the kinds of problems and willing to put a few coins and person-hours towards that. Where it goes from there is anyone's guess.

Brian

p.s. - I asked Rick an off-list question back when the attribution thread started because I wasn't sure about my own line of legal reasoning for something, and wanted to avoid public embarrassment, since Rick can be pretty devastating in his replies. Looks like that didn't work!

----- End forwarded message -----

----- Forwarded message from Rick Moen <rick at linuxmafia.com> -----

Date: Mon, 5 Feb 2007 21:49:33 -0800
To: license-discuss at opensource.org
From: Rick Moen <rick@linuxmafia.com>
To: TAG <tag@lists.linuxgazette.net>
Subject: Re: Introducing Open Solutions Alliance
Quoting Brian Behlendorf (brian at collab.net):

> p.s. - I asked Rick an off-list question back when the attribution thread 
> started because I wasn't sure about my own line of legal reasoning for 
> something, and wanted to avoid public embarrassment, since Rick can be 
> pretty devastating in his replies.  Looks like that didn't work!

I'm sorry you feel that way, and certainly meant no offence: I mostly noted the primary OSA backing (and presumable founding membership) from Dark Horse Ventures DBA CentricCRM, whose supposedly "open source" licensing is extremely and categorically proprietary by basically anyone's standards, including (say) John Roberts / SugarCRM. You say you don't approve of that sort of behaviour, and I certainly believe you -- and yet you're running the panel discussion that announces the trade group's existence to the world? I don't quite get that -- but look forward to learning more on the 15th.

I was flattered that Brian asked me my feedback offlist, and was of course glad to provide it.

-- 
Cheers,       "Curiosity is the very basis of education and if you tell me 
Rick Moen     that curiosity killed the cat, I say only that the cat died nobly." 
rick at linuxmafia.com                                   -- Arnold Edinborough
----- Forwarded message from rick -----

Date: Mon, 5 Feb 2007 22:08:01 -0800
To: license-discuss at opensource.org
Subject: Re: Attribution & the Adaptive Public License
Quoting Timothy McIntyre (tmcintyre at terracottatech.com):

> [Adaptive Public License] necessarily complies with OSD section 10,
> because the APL was approved in 2005, after section 10 was added to
^^^^^^^

> the OSD in 2002.

My wife has a standard old joke about the Non Sequitur Society. (Their motto: "We don't make much sense, but we do like pizza.") If there is such a group, just wave a printout of the above reasoning; I think you just aced their entrance exam.

Seriously, it's not difficult to make a fair case for existence of a legitimate need for some, properly drafted "attribution" (mandatory runtime credits) licence for Web apps and similar hosted code. Here, please let me show you how it's done:

Whether you as the creator of a Web application think there's a problem _at all_ depends on whether you merely want credit (attribution) included in the program output of works you create and distribute, or whether you also wish to require all subsequent derivative works to display that same output. If the former, rejoice! Just put insert your copyright notice and publish using your choice of simple permissive licence (BSD, etc.). Anyone wanting to know who wrote Web app Foo need only look closely at it, from that point forward.

(So, please, folks, spare us the bafflegab rhetoric about how your badgeware clauses are supposedly necessary for "attribution". They're clearly not.)

The hitch comes when you're interested in shaping how derivatives behave but find yourself having no leverage -- a problem known among copyleft partisans as the "ASP Loophole". Let's say you're SugarCRM, and your biggest concern is proprietary competitor Salesforce.com. If you publish your CRM app's source code under any of the OSI-approved open source licences (either permissive or copyleft), Salesforce.com could lawfully scoop up your source code, modify and extend it to suit that firm's needs, and use it to compete with the SugarCRM company, without the displayed program output even revealing to customers and other outsiders that it's re-using SugarCRM's work.

This is presumably exactly what Dave Rosenberg (MuleSource) had in mind when he said

   We have run into multiple issues with public and private companies 
   who have made attempts to skirt the MPL/MSPL/maybe anything and
   essentially take Mule as their own with no recognition of the author,
   copyrights, license agreements etc. Forking is one thing, stealing is
   another.
Just to stress that I do try to listen fairly: I do agree, Dave. It's a real concern.

Without something like MuleSource Public License 1.1.4's Exhibit B, third parties could take downloadable copies of Mule ESB and run it or a derivative behind closed doors but usable over the Web, and not only never publish their changes but also conceal completely their use of MuleSource code.

Web apps and similar ASP (application service provider) software (AKA "SaaS" = Software as a Service) are characteristically subject to this problem, as re-users neither incur copyleft obligations nor need distribute code at all: Their model entails private code use only, with only the output of execution displayed in public, rather than redistribution of code itself.

Notice that copyleft provisions, if present, tend to have no traction for lack of code redistribution. Several new licences, none yet OSI approved, have attempted to retrofit that traction. One is Funambol's (Fabrizio Capobianco's) Honest Public License = HPL [1]. Similar and slightly gentler is the Affero Public License = APL[2]. And last, there are the still-unfinished GPLv3 drafts.[3]

Aside: It strikes me as very odd that all 20-odd "Exhibit B" badgeware companies (MuleSource and others) elected to hang their clauses off a copyleft licence (Mozilla Public License) whose copyleft provisions inherently have _zero force_ in their (and their competitors') no-distribution ASP usage model. Isn't that a bit like requiring spelunkers to wear sunscreen? Don't they realise that about 3/4 of their chosen licence is a NO-OP for their entire market segment?

In sharp contrast to the MPL + "Exhibit B" licences with their ASP Loophole-disabled copyleft provisions, HPL, APL, and the GPLv3 drafts have, by design, copyleft features that remain functional in ASP markets.

But getting back to the point, the "Exhibit B" clauses do address the entirely real ASP Loophole concern for Web apps -- but do so in a clumsy fashion that impairs reuse; in particular, commercial reuse. For the most part, this seems to be quite deliberate, for reasons already cited. Add to those the trademark clauses of most Exhibit B sections, e.g.:

   This License does not grant any rights to use the trademarks
   "MuleSource", "Mule" and the "MuleSource", "Mule" logos even if such
   marks are included in the Original Code or Modifications.
Aside from Larry Rosen's point in this space, that "forking is always allowed for open source software regardless of the trademarks it bears, but the licensor should fear that his trademark will become useless [RM: i.e., generic] if he requires it to be displayed on those forks"[4], don't trademark clauses such as the one quoted above look a whole lot like efforts to curtail third-party use in commerce?

Anyway, closing the ASP Loophole if you don't care about functional copyleft obligations is pretty easy, and doesn't require mandating a bunch of graphical advertising shoved into every user's face, each and every time the application is launched. The alternative has been mentioned here before: It's a simple About screen, that is required to be available from the main display. To ease OSD#10 technological-neutrality concerns, make it be required only where the derivative has program output and be in whatever supported format best approximates the desired name + logo + URL display. E.g., for a derivative with only spoken-word output for the blind, that "About" information could then reasonably be the spoken name of the firm + URL.

We've not yet seen such a licence. If these 20-odd firms really care about "attribution" and aren't after mandatory advertising, I'd suggest that we really should.

I'd be glad to write one, as a substitute Exhibit B. The above almost qualifies by itself, I'd imagine. (Unlike the ones we've seen thus far, with the honorable exception of GAP, mine would aspire to be templated and usable by anyone.)

[1] http://www.funambol.com/blog/capo/2006/08/honest-public-license.html
[2] http://www.affero.org/oagpl.html   http://www.affero.org/oagf.html
[3] http://gplv3.fsf.org/
[4] http://www.nabble.com/RE%3A--Fwd%3A-FW%3A-For-Approval%3A-Generic-Attribution-Provision--p7847787.html
-- 
Cheers,             "The seminar on Spam Canceling has been canceled again.  The 
Rick Moen           person who supposedly canceled it says it wasn't him." 
rick at linuxmafia.com - Znqr Lbhybbx, Usenet Cabal J.D. Falk jdfalk at cybernothing.org

Top    Back