
February 04, 2007

The trouble with source code and licenses

I'm sitting here frustrated, looking for a generic data structures algorithm that shall not be named. I tried searching the web for a version, but those I found had either no license specified, an Apache 2.0 license, or a GPL/LGPL license. No license is too ambiguous. Apache would mean I'd need to get the code through a committee inside IBM to make sure it really was Apache and not contaminated with any code from a viral license. I need to know where the code came from, each line of it. Apache 2.0 code must now be vetted by an independent committee to make sure we don't get sued by somebody who says he/she owns that line of code and it was stolen from him/her by someone else who used it and put it in an Apache 2.0 product.

GPL and LGPL are just non-starters: their restrictive licenses effectively make them useless for commercial use.

So basically, even though this particular algorithm is well known and has been implemented a million times, I'm going to have to implement it for the million and first time. So much for open source and the www improving developer productivity.

What we need is an algorithm repository on the web of clean Java code, i.e. no GPL or Apache references and an absolutely free license, with no restrictions on use. Every line of code needs to be known to be safe. Otherwise, the world is doomed to reimplement these algorithms again and again and again. Why not make the algorithms purchasable to fund this? 100 bucks for unlimited usage. Seems like a deal to me.

I guess the bottom line is that despite the wealth of stuff on the web, I can't use any of it because of the current licenses (GPL, LGPL, Apache etc.) and the way lawyers view those licenses, even the commercially friendly ones such as Apache 2.0. I would gladly purchase this algorithm because it's brainless to implement it again, but I couldn't even do that because, yep, you guessed it, I'd need a lawyer to check the license and a committee to verify the code was what it was claimed to be from a license and origin point of view. That costs money and time and hassle. So, you know what? It's easier just to write it again. So much for productivity.

Did I say I was frustrated?


Comments

Extra scrutiny for ASL2.0 compared to what? Don't you have to prove the pedigree regardless of the license?

Posted by: | Feb 4, 2007 6:41:47 PM

That's the problem. Until there is a trusted source of source code, it doesn't matter what the license is. We really need a web project that accepts common algorithms, scrutinizes them and then provides the source code at a charge. The process of vetting source needs to be public so that companies can trust it.

Posted by: Billy | Feb 4, 2007 6:46:35 PM

Let's get this straight.

You want to write some proprietary software and you're complaining that you can't find an Open Source implementation that will let you do that?

In other words, you expect other people to write code and just give it to you for free, without you having to contribute anything back.

On top of that, even if you DO find something with a usable license or that you can buy the rights to, your own company is the problem?

How exactly is anyone else supposed to be able to do anything about that?

This is not a problem with anything except your own company's backward practices, assuming what you say is even true -- IBM is a big supporter of and contributor to GPLed software.

Maybe it's a problem with the Java department there. That wouldn't surprise me as Java was proprietary for its entire existence until just recently, which probably infected the thinking of your Javalized managers.

Posted by: Pleut | Feb 5, 2007 2:40:07 AM

Vetting free software. A painful, circular problem. In three easy, repeating steps.

STEP 1 (FREEDOM): Everyone wants free software for common problems - from algorithms to applications. Free as in: cost, usage, *and* from liability. And, liability kills.

STEP 2 (LIABILITY): Pay someone else to accept liability under the auspices of vetting and validating. But, this only works economically if every user who profits from the work pays. Payment in the least to purchase legal services to fend off lawsuits.

STEP 3 (EVADE): Attempt to evade the problem by creating... free software! Repeat STEP 1.

In short, freedom once again trounced by law in the interests of money. A common theme in this modern era. Maybe ask for a faith based exception, no ;)?

Posted by: Matthew Lesko | Feb 5, 2007 2:53:09 AM

What a mess. Legal stuff is always like a ball and chains. Do you know these services:

http://www.palamida.com

http://www.blackducksoftware.com

Maybe they can be helpful?

Posted by: Fabrizio Giudici | Feb 5, 2007 5:10:38 AM

Thanks Fabrizio but one thing we're not short of is lawyers :)

Posted by: Billy | Feb 5, 2007 8:43:19 AM

Did you try searching the Eclipse code base? Eclipse is exactly what you are asking for: open-source under a commercially-friendly license where every line is vetted by lawyers before we release it.

- Dave Orme

Posted by: Dave Orme | Feb 5, 2007 9:23:40 AM

What is wrong with the LGPL? Even LGPL is commercial friendly, unless you want to modify the lib in question in such a way as to make it proprietary.

Sounds like you've got too much bureaucracy over there at IBM, and an out-of-touch paranoid legal dept. Maybe all that fighting with SCO gave 'em the fear?

How can you innovate in such a stifling environment?

Posted by: cmars | Feb 5, 2007 10:39:56 AM

We'd typically want to modify the code and that's the problem with GPL/LGPL. We hopefully add value and giving that away isn't the game plan because we need to make money for some strange reason. Innovating is alive and well here but you just have to write it yourself or take it from a trusted source (like Eclipse it seems) and modify from there. I just hate reinventing the wheel.

Posted by: Billy | Feb 5, 2007 10:57:28 AM

Billy,

You wrote: We hopefully add value and giving that away isn't the game plan because we need to make money for some strange reason.

If you are going to take from open source and not give back, then I have a pile of shame for you. There is no reason that you cannot distribute the source and sell the binary (with support, configuration, documentation, etc.)

Most companies looking to buy software solutions aren't going to be satisfied with only the source code.

Posted by: Nwallins | Feb 5, 2007 12:47:52 PM

On second thought, replace "The trouble with ..." with "The reason we have ..." w.r.t. the GPL.

The F/OSS community does not exist for your sake -- it's for the code's sake. If you are truly against reinventing the wheel, then you should contribute your own wheel innovations, regardless of whether they began as GPL'd code or not.

But it's not about reinventing the wheel, is it? It's about you and your sense of entitlement.

IMHO...

Posted by: Nwallins | Feb 5, 2007 12:55:23 PM

NWallins,
Give me a break. I already said I'm willing to pay my own money to avoid having to write a basic algorithm that's been well known for 30 years if that code came with an indemnity, which is THE problem with open source. There is no sense of entitlement here, I just want some source code as a starting point to avoid reinventing the wheel and I don't mind paying for it.

As for not contributing, I believe IBM is a significant contributor of source code to the OSS movement. Look elsewhere to throw that dart...

Posted by: Billy | Feb 5, 2007 1:15:56 PM

Oh dear, that kind of sw-bureaucracy scares me! I honestly think, I'd quit a company like that

Posted by: Marcus | Feb 5, 2007 1:31:57 PM

Marcus,
I really don't think we're that unusual. It's a question of what the company does: stick its head in the sand and hope for the best, or try to put processes in place to avoid a possible future injunction stopping it shipping a piece of software worth hundreds of millions a year in revenue.

If a company doesn't do it then maybe it's too small a target to be worth suing etc. We're a big target so this is what we do.

Posted by: Billy | Feb 5, 2007 1:40:05 PM

The real problem here is that it's a few bad apples in the bunch that are ruining it for the rest of us. Is this the freedom that the open source software movement is meant to inspire? The freedom was about sharing code to improve software quality and avoid continually reinventing the wheel. Money isn't really the issue and there are plenty of different OSS licensing schemes out there to let you pick one that suits your fancy. The problem is always about the originality: you can't even take the licensing terms at face value for what the authors of the software intended without worrying that their terms have been corrupted by violating someone else's IP.

A set of approved and thoroughly scrubbed pieces of code seems like a good idea, but when does that trust really become enough? For example, IBM can trust Eclipse because it can help maintain control over the Eclipse development process and it's in the interest of the consortium to keep that code clean. But, say a developer from IBM donates 100% claimed original code to an open source project, and some other company comes along and sees the code; how do they know to trust that person?

Perhaps the real solution is better traceability in open source software development and a model where liability is shifted to the violator. Thus, the person who breaks the terms of licensing and ruins it for the rest of us can be identified and held accountable. I'm not sure the development tools are quite there to support this.

Posted by: Mike | Feb 5, 2007 9:55:18 PM

"Apache 2.0 code must now be vetted by an independent committee to make sure we don't get sued by somebody who says he/she owns that line of code and it was stolen from him/her by someone else who used it and put it in an Apache 2.0 product."

How is an Apache 2.0 license different from any other in this respect? Why isn't the IBM Public License treated the same way? Or the MPL, or...?

Posted by: dion gillard | Feb 6, 2007 3:44:19 AM

Dion
That's cool, but does Apache offer indemnification? Without that it's pretty much meaningless because users of the code are still liable.

Posted by: Billy | Feb 6, 2007 8:22:40 AM

Does any software license, even the proprietary ones for DB2, WebSphere, the Microsoft Windows EULA, etc., indemnify your use of the product?

Last time I read one of those, they had stuff like this in them:

"IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, this documentation or any other documentation. Nothing contained in this documentation is intended to, nor shall have the effect of, creating any warranties or representations from IBM (or its suppliers or licensors), or altering the terms and conditions of the applicable license agreement governing the use of IBM software."

Hence there's no way some other company could bundle a licensed version of DB2 in their product, as IBM won't indemnify that other company if the database loses lots of important data.

Take a 'trusted' release from the Eclipse Foundation or the ASF. Those releases have license statements and copyright statements in them that state who owns the code. You can choose to trust those organisations and their code, or not. I don't believe those organisations, or IBM either, are going to indemnify their users.

Posted by: Dion gillard | Feb 6, 2007 10:15:09 AM

I actually like the idea proposed by Mike: "Perhaps the real solution is better traceability in open source software development and a model where liability is shifted to the violator. Thus, the person who breaks the terms of licensing and ruins it for the rest of us can be identified and held accountable. I'm not sure the development tools are quite there to support this."

This seems to make a hell of a lot more sense and puts the onus on the person submitting the code (morally and financially) to verify and state that the code is clean and free to use. If later on a person comes back and sues for illegal reproduction, the offending segment of code can be tracked and the submitting person can be identified and held accountable. As much as people want to believe the big friendly OSS space is out there, the fact is that even if there are 99.9% of people that could care less about suing and are contributing to solve Billy's problem, that 0.1% that can could cost a person their company and livelihood. There are more than a few people that will throw darts at big companies hoping a drip of money will come their way.

I am with Billy in believing that constantly rewriting algorithms that have been done in every programming language over the past 30 years is annoying as all hell.

Posted by: John | Feb 6, 2007 2:04:08 PM

John,

in the Apache Software Foundation, we have Project Management Committees (yes, bureaucracy!), which are a subset (or the whole lot) of the committers, for a codebase.

The PMC members are there to review every commit, and ensure nothing sneaky finds its way in, and to deal with it, if someone tries.

Sure it's not perfect, but there are plenty of tools to trace code submissions, commits to version control, archived mailing list discussions etc.

Works for me :-)

Posted by: dion gillard | Feb 6, 2007 5:55:55 PM

Dion, I believe Apache has the best and most effective form of OSS in terms of the code quality and the amount of effort the foundation puts in to ensure the code is legit. But in my opinion there still is not enough accountability put on the submitter. Let's say IBM, for example, uses an Apache library and ships it in a multi-million dollar software product that later has a piece of code in it deemed to be copied from a company like, let's say, SCO by the original committer to Apache. Who is held responsible? My guess is IBM still comes under the gun of the lawsuit. Now what if IBM paid Apache for that same piece of code, with the payment being an agreement from Apache to IBM that the code is clean and if any lawsuits arise they will take the blame and right the wrong. I think in that case more than a few companies would be interested in using that code because they are protected.

Posted by: John | Feb 6, 2007 8:07:38 PM

Billy,

Did you ever try contacting the copyright holder(s) and attempt to get a license more suitable for your use?

One of the things many don't get with free software licenses is that the copyright holder is free to release the software to anyone s/he wishes under *any* license.

The GPL doesn't limit what you *use* the code for, only how you (re-)distribute it.

Posted by: Asgeir S. Nilsen | Mar 5, 2007 2:01:07 AM
