OSI weighs in on open-source licensing conflict

Published: January 29th, 2019

Open-source companies are taking a “closed” approach to licensing options as a way to fight off what they see as threats to their projects. The first approach to make waves in the open-source community was the Commons Clause initiative, which aimed to add restrictions to existing open-source licenses. Following Commons Clause, MongoDB set out to create its own license to be applied to its open-source projects, and since then a number of other companies have followed suit.

The problem these open-source businesses are finding is that technology giants and cloud providers are taking advantage of their work for monetary gain without contributing back to these projects. However, the issue with creating and applying new licenses or clauses to existing open-source licenses is that it the projects become technically no longer open source, unless the licenses are approved by the Open Source Initiative (OSI), an organization dedicated to promoting and protecting open-source software, projects and communities.

OSI’s definition of open source states that source code must meet the following criteria:

Free redistribution
Source code
Allow derived works
Integrity of the author’s source code
No discrimination against persons or groups
No discrimination against fields of endeavor
Distribution of license
License must not be specific to a product
License must not restrict other software
License must be technology-neutral

MongoDB’s Server Side Public License is currently under the review of the OSI, but has not yet gained approval. In addition, the other licenses and clauses being applied to projects by open-source companies are not OSI-approved.

SD Times had the opportunity to talk with Vicky “VM” Brasseur, vice president of the Open Source Initiative, on the state of open-source projects and the ongoing “battle” businesses feel like they are having with technology giants and cloud providers.

SD Times: Open-source companies are applying new licenses to their projects because they believe projects are being taken advantage of. Do you believe this is a real issue the community should be worried about?

Brasseur: There are dozens and dozens of companies that identify as “open-source companies.” What we have are very few that have relicensed the open-sourced software on which they based their companies, taking that software out of the open-source communities. A couple of these projects happen to have a lot users who aren’t customers of these companies, and that leads to an inordinate amount of press coverage as the relicensing ripples to affect the entire community.

As far as the matter of companies taking advantage of free and open-source projects for financial gain: We at OSI are all for it! Free and open-source software comprises the rising technological tide that lifts all boats. Much like the fundamental science that provides life-saving breakthroughs in medicine, the fundamental development and release of free and open-source software projects provide the building blocks of software innovation the world over. I challenge anyone to find a successful software company that does not rely on open source in some way. Billions of dollars of revenue and millions of jobs exist now thanks to free and open-source software solutions. This is wonderful and OSI wholeheartedly supports it.

We also, however, support all of these companies contributing back to the free and open-source projects on which they rely. These contributions could be in the form of code, community management, security, design, technical writing, or they could simply be monetary. The type of contribution that makes the most sense will vary by company and project. OSI encourages all companies to look at those projects that contribute to their success and then give back to those communities and projects.

Why do you think projects and companies are having an issue, and how do you suggest the open-source community can address this?

It’s important here not to conflate “project” and “company.” The issues each face are completely different. Projects face issues of community and resource management: how does the project plan its roadmap based upon the contributors it expects to have, and how does it bring in new users and contributors? Companies face issues of profitability: how does the company create a product offering that provides value to its market, and how does it price that offering to attract and retain enough paying customers to cover its costs and provide an acceptable profit margin?

The widely publicized instances of relicensing have all been initiated and driven by the companies involved, not by the projects. Despite that, the relicensing rationalizations have been couched in terms of the projects: a relicensing is necessary because tech giants aren’t contributing back to the community, the tech giants are gaining benefit but not giving back, and therefore the company is suffering and must relicense the open-source project.

This is disingenuously mixing project interests with company interests. If the reason for the relicensing is that tech giants were not contributing back to the projects, why are these companies not detailing how the project reached out to the giants asking them to contribute, or asking those giants why they don’t contribute and how the project might improve its contribution processes to improve the contributor process? None of the “open-source” companies that have relicensed have yet discussed this. Showing how they attempted to engage the giants in contribution but were rebuffed would have won these companies more support from the community, but that is not what happened.

Instead, these companies have discovered that in order to run a successful business they must do what every other successful business does: provide a more compelling product offering than their competitors. Their competitors were beating them out on that front, so rather than admitting this and adjusting their product offering and business operations to adjust to the market, these companies are relicensing open-source projects, causing irreparable harm to the community that had made those projects successful enough that others wished to use them. Personally, I don’t think it makes a lot of business sense.

What sort of impact does the implementation of new (non-OSI approved) licenses being applied to traditional open-source projects have on the community and ecosystem as a whole?

Generally speaking, while we would naturally prefer all software to be under free and open-source software licenses, we recognize and respect that sometimes proprietary licenses are necessary. There’s no problem with that, if it’s what’s required by your business.

What’s happened here though, is locking up things that used to be free and open behind proprietary licenses. There is nothing good, helpful, or empowering about that action. It takes the efforts of individuals, who contributed believing that their work would be freely and openly available for all to benefit from, and reserves it solely for the benefit of a single company. Who from the community would ever contribute to such a project again? In one disrespectful stroke these companies have therefore decimated their communities and, ironically, done precisely what they claim the relicensing was intended to prevent: taken the freely contributed work of others for their own benefit.

Companies and individuals who support this sort of community-busting action show themselves to be unworthy of the contributions of others. They’re almost doing the open source community a favor by making themselves so evident. By thus branding themselves as disrespectful of the tenets and essence of open source, people now know to avoid these companies and the projects they release.

Not only have these companies thumbed their noses at the communities and contributors of the projects that they have relicensed, in taking this nuclear option of defensively relicensing to “thwart” the tech giants they have created an immense amount of collateral damage in the smaller companies that relied upon those projects in order to operate. These companies now must either re-architect their software to remove their dependency on those projects or they must pay for enterprise licenses. Both of these options are very expensive, but as the choice is literally extortionate it wouldn’t surprise me if most of them opt to re-architect rather than pay a company that has shown it violates the trust of the contributors of an open-source project and those who use it.

What misconception or misunderstanding do you believe these projects have with cloud providers and vice versa?

Again, this question conflates project with company.

It was not the projects that took these relicensing actions. It was the companies that held majority copyright interests in the projects that took these actions. Any project would be proud to be used by a large profitable software [company] and would have no need to relicense. The only problem the project may have with the tech giants is that they aren’t contributing back, and through community management and outreach that’s a fixable issue.

The companies, on the other hand, saw that their competitors had developed more compelling product offerings than they, so instead of resolving that issue they’re trying to remove a variable from the product offering equation. As we’re now seeing, that’s not working as they expected. The misconception here is that companies with valuations several, several, several times more than their own would just roll over and take this relicensing rather than simply forking the projects or creating their own solutions, which is what we’re now seeing.

Article Tags

open source

About Christina Cardoza

Christina Cardoza is the News Editor of SD Times. She is responsible for the oversight of the daily news published to the website as well as the company's weekly newsletter, News on Monday. She covers agile, DevOps, AI, machine learning, mixed reality and software security. She is an undeniable nerd who loves Marvel comics and Star Wars. On Follow her on Twitter at @chriscatdoza!

View all posts by Christina Cardoza

Cookie	Duration	Description
cf_use_ob	past	Cloudflare sets this cookie to improve page load times and to disallow any security restrictions based on the visitor's IP address.
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category .
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
CookieLawInfoConsent	1 year	Records the default button state of the corresponding category & the status of CCPA. It works only in coordination with the primary cookie.
JSESSIONID	session	The JSESSIONID cookie is used by New Relic to store a session identifier so that New Relic can monitor session counts for an application.
PHPSESSID	session	This cookie is native to PHP applications. The cookie is used to store and identify a users' unique session ID for the purpose of managing user session on the website. The cookie is a session cookies and is deleted when all the browser windows are closed.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
__atuvc	1 year 1 month	AddThis sets this cookie to ensure that the updated count is seen when one shares a page and returns to it, before the share count cache is updated.
__atuvs	30 minutes	AddThis sets this cookie to ensure that the updated count is seen when one shares a page and returns to it, before the share count cache is updated.
__cf_bm	30 minutes	This cookie, set by Cloudflare, is used to support Cloudflare Bot Management.

Cookie	Duration	Description
__gads	1 year 24 days	The __gads cookie, set by Google, is stored under DoubleClick domain and tracks the number of times users see an advert, measures the success of the campaign and calculates its revenue. This cookie can only be read from the domain they are set on and will not track any data while browsing through other sites.
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_ga_S6PB8V57DG	2 years	This cookie is installed by Google Analytics.
_gat_gtag_UA_846073_1	1 minute	Set by Google to distinguish users.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.
_jsuid	1 year	This cookie contains random number which is generated when a visitor visits the website for the first time. This cookie is used to identify the new visitors to the website.
at-rand	never	AddThis sets this cookie to track page visits, sources of traffic and share counts.
CONSENT	2 years	YouTube sets this cookie via embedded youtube-videos and registers anonymous statistical data.
iutk	5 months 27 days	This cookie is used by Issuu analytic system to gather information regarding visitor activity on Issuu products.
uvc	1 year 1 month	Set by addthis.com to determine the usage of addthis.com service.
vuid	2 years	Vimeo installs this cookie to collect tracking information by setting a unique ID to embed videos to the website.
WMF-Last-Access	1 month 14 hours 26 minutes	This cookie is used to calculate unique devices accessing the website.

Cookie	Duration	Description
__Host-GAPS	2 years	This cookie allows the website to identify a user and provide enhanced functionality and personalisation.
_pxhd	session	Used by Zoominfo to enhance customer data.
IDE	1 year 24 days	Google DoubleClick IDE cookies are used to store information about how the user uses the website to present them with relevant ads and according to the user profile.
loc	1 year 1 month	AddThis sets this geolocation cookie to help understand the location of users who share the information.
mc	1 year 1 month	Quantserve sets the mc cookie to anonymously track user behaviour on the website.
test_cookie	15 minutes	The test_cookie is set by doubleclick.net and is used to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
YSC	session	YSC cookie is set by Youtube and is used to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt-remote-device-id	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt.innertube::nextId	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.

Cookie	Duration	Description
__gpi	1 year 24 days	No description
__Secure-YEC	1 year 1 month	No description
_heatmaps_g2g_100754890	10 minutes	No description
_techvalidate_session	session	No description
cf_7166_id	20 years	No description
cf_7166_person_last_update	session	No description
f5avraaaaaaaaaaaaaaaa_session_	session	No description available.
GoogleAdServingTest	session	No description
Gyazo_cfwoker	7 years 2 months 17 days 7 hours	No description
incap_ses_451_2783402	session	No description
incap_ses_769_2783402	session	No description
loglevel	never	No description available.
m	2 years	No description available.
nlbi_2783402	session	No description
prism_252377639	1 month	No description
TS011605d9	session	No description
ustream-guest	session	No description available.
visid_incap_2783402	1 year	No description
xtc	1 year 1 month	No description

AI

AI and Software Development

Observability

Guide to Observability

CI/CD

A guide to CI/CD

Cloud Native

Cloud Native Content

Data

A Guide to Data

Test

Automation

Mobile

Mobile Testing

API

Sponsored by Parasoft

Performance

Load & Performance Testing

DevSecOps

A Guide to DevSecOps

Enterprise Security

A Guide to Security

Supply Chain Security

Supply Chain Security

Dev Manager

Dev Managers Content

Agile

A Guide To Agile

Value Stream

A Guide To Value Stream

Productivity

A Guide To Productivity

DevOps

DevOps Content

Microservices

A Guide to MicroServices

AI

AI and Software Development

Value Stream Management

A Guide To Value Stream

OSI weighs in on open-source licensing conflict

Article Tags

Subscribe to SDTimes

About Christina Cardoza

Related Articles

SD Times Open-Source Project of the Week: STORM

OpenSSF, CISA, and DHS collaborate on new open-source project for creating SBOMs

Open source in 2024: Tackling challenges related to security, AI, and long-term sustainability

SD Times Open-Source Project of the Week: Guac