Is the GPL under attack? Will it survive? Can we still recognize it?
There’s been a very interesting dialog and discussion over
the past month or so about what it means to be open source software. First the
OSI telegraphed that they are going to more actively police vendors who make
claims about being open source but don’t meet the OSI’s definition (a narrow
and non-market savvy position from my viewpoint, btw.) Keep in mind too that
the OSI can only do this through informal peer pressure as the OSI doesn’t have
“teeth” to enforce their open source definition. I blogged previously about
this and the pink elephants no one is talking about – vendors who modify the
GPL by imposing their own conditions and interpretations of the GPL. (I’m
referring to GPLv2 here.)
I’m actually very familiar with what Sourcefire wants to do
here with most of these license changes (excluding of course the changing
of file headers and claiming rights to prior contributions - I will share my
thoughts on that in a bit). Much of their goals are very similar to the
StillSecure Community License we created for Cobia. Basically, use it as much
as you want for free, here’s the source to change/modify/contribute back if you
like, and here is a commercial license for those who would like to use Cobia to
make money. And btw, we would love you to do any and all of these things. But,
there are also some very important differences worth discussing.
There are many ways to achieve an outcome such as the
licensing in this situation. We actually considered taking a similar approach
for Cobia licensing; use the GPL, add or “re-interpret” our own stipulations to
the GPL, and then try and walk this fine line of using the GPL while deviating
away from it when it didn’t suit our needs. The problem with that approach, at
least for me, is it just didn’t seem like that approach was being faithful to
the GPL. But the biggest issue is that it just creates confusion and isn’t
consistent with our values in how we deal with customers and partners. Rather
than taking a perfectly good round peg and wrapping a bunch of duct tape around
it to make it force fit some square hole, I believe it is better just to be
straightforward with people, even if it means a few might choose not to use the
software because it wasn’t licensed under the GPL or some other OSI license. It
is more important to me to be very up front and clear about licensing a product
than to come up with a convoluted way to use the GPL, making no one happy in
the end. And don’t get me wrong, we took some hits for calling Cobia open
source by those who only want open source to mean software under an OSI
approved license. Open source is much broader than that narrow definition and
that’s one we’ll just have to agree to disagree on.
If you are going to slide down the slippery slope of
splitting hairs with the GPL, are you really GPL anymore or is the GPL just a
hollow label because the details are really in the fine print? It may quack
like a duck, but if in the end it doesn’t really walk like a duck any longer,
it ain’t a duck. If every vendor adds their own “interpretation” of the GPL to
suit their own narrow interests then the GPL becomes diluted and everyone will
simply discount it and jump right to the fine print, assuming you can always
find the fine print. If you’ve been involved in open source or follow the
communities that develop around open source projects, the one thing you learn
very quickly is that more than just the software has to be open. You must be
clear and consistent with your intentions and your communications. Any attempts
to slip something by, or even the appearance of being disingenuous with the
community, immediately breaks down trust, causing hostility and suspicion. And
going dark when there’s controversy or when you need to explain your actions or
intentions really causes problems.
Those considerations went not only into the StillSecure
Community License we developed for Cobia, but also creating a complete license
FAQ and explanation web page. We took all of the most commonly asked questions
about our license, is it open source, is the license OSI compatible, when can I
use the software for free, when do I have to have a commercial license, what
services can I offer without a commercial license, etc., etc., and put it right
there on the web site in plain English language. (Try to get the lawyers to do
that!). The idea behind all of this is we want to be transparent. We are a for
profit company, we are giving a lot of things to you for free (including the
product and the source code), here’s how we make money and (just as important)
here’s how you can make money if you want to. Nothing is hidden, we don’t couch
things in funny legal terms or split hairs by applying our own funky definition
to something everyone knows means something else.
But there’s another significant difference for us. We
started Cobia under this license from the beginning as a for profit company,
rather than trying to turn the ship of an existing GPL project and morph it
into a for profit product. What Marty and Sourcefire are trying to do, while
very worthy and appropriate business goals, is also very difficult without
doing damage to the trust built up over the life of the project. For example,
yes, you can place requirements that future contributed code also include a
broad license of rights. But you can’t change history and change the license,
or on your own say that a grant of rights was in place all along. That’s the
kind of stuff you want to be very intentional about, or else it looks like the
rules are being made up as the game is being played. There is no eminent
domain under the GPL that says because you started the project or contributed
the most code you can change or usurp code under a license change midstream
that impacts the contributions of others. Quantity of contributed code doesn’t
matter – every contributor has the same rights under the GPL. The person who
contributed three lines of code has the same rights as someone who contributes
a thousand. Frankly, it’s a tough thing Sourcefire is trying to do here and I
don’t envy their position or necessarily agree with the approach here. It has
all the signs of one of those situations where every option creates problems
you’d rather not have. Sometimes you’d like to rewind the tape and start all
over but in life and business that’s not usually possible.
This situation gave me the opportunity to reflect back on
the decisions we made around Cobia licensing and the choice not to try and
re-interpret the GPL. Trust, clarity, communications and transparency are
things which are very important to creating a product, technology and community
around Cobia and I hope we can continue to adhere to those goals in the future.
I think this is an important topic to discuss and not let go unnoticed. I know
Alan proposed having a podcast with those involved in the Snort controversy
which I think is a great idea. I hope they choose to participate and even if
they don’t, I think we should move forward and have this conversation on one of
the upcoming podcasts.





