urlingame, Calif.—The Open Source Initiative (OSI), the non-profit organization that manages the Open Source Definition and certifies open-source licenses, lists nearly 60 approved licenses on its Web site—and at the rate they’re currently being added, that tally may increase before you’ve finished reading this article. The large number of licenses has led to confusion among the developers and companies who use them and rancor among the lawyers who must navigate their legal compatibility. The toughest chore still rests with the OSI itself, however: reining in the proliferation of open source licenses.
In a public presentation at the OSDL Enterprise Linux Summit here yesterday morning, Lawrence Rosen, an attorney and a computer specialist, offered a sampling of license requests he received via e-mail as general counsel for the OSI. The prospective licensors’ proposals revealed the complications inherent in the license approval process and provided an insider’s look at how the proliferation problem propagates.
Rosen, who is a founding partner of a technology law firm that specializes in intellectual property protection and licensing and who authored a book titled Open Source Licensing: Software Freedom and Intellectual Property Law, seemed daunted by the proliferating licenses problem despite his credentials. This week, he began a OSDL Enterprise Linux Summit presentation, “Open Source Licensing Issues,” by stating that he would offer no solutions for the problem. He intended only to present the scope and complexity of the challenge the OSI faces: evaluating licenses that are meant to provide structure to a fast-growing, global open-source software (OSS) ecosystem.
A Problem Without Borders
The OSI, although versed in law (patent, copyright, trademark), can know only the laws of its jurisdiction (San Francisco, Calif.). That raises a problem, as the open source community is worldwide. Rosen presented a license request from Munich, Germany, that was based on dissatisfaction with the U.S. legal protections an existing license provided. “It’s a legitimate reason for submitting a new license if there is an aspect of your license that doesn’t satisfy the law of your country,” said Rosen, but admitted that the OSI has no way of knowing whether the legal disparity is legitimate or whether a duplicative license is necessary at all. “Is the fact that the law trumps the license good enough in this case?” he asked.
The global nature of open source also raises a language barrier for many perspective licensors. Rosen read through a few requests that he found difficult to interpret, as the author was not a native English speaker. So before even getting to the validity of the proposal, the OSI needs to just determine what the author means. Such ambiguity leads to confusion, with the danger of either rejecting a legitimate proposal or approving a license that offers nothing new.
“Do existing licenses solve all legal problems and concerns,” Rosen posed. “If they don’t, we need new licenses. If they do, we have to convince people to use the existing licenses.”
This is the crux of the proliferation problem. Adding more licenses isn’t inherently bad; adding licenses that offer provisions an existing license already covers is. “It’s not because the number’s too high [that people have problems with licenses],” said Rosen. “It’s because they’re too duplicative.”
Of course, the fly in the ointment is there is lots of room to interpret how well a given license solves a developer’s or company’s legal concerns. “Really good lawyers working for really big companies decide that just because there are a few aspects of a license that they don’t like that they’ll propose a whole new license,” said Rosen.
If the OSI were to approve these proposals, the result would be nuanced variants of existing licenses being established as independent licenses when minor modifications to licenses on which they are based would suffice. For example, Sun’s proposed Common Development and Distribution License (CDDL) is similar to the Mozilla Public License (MPL), and Rosen states the feedback from the OSS community is basically ‘We don’t need two licenses, we need one better license.’
An improved license doesn’t necessarily mean less work for OSI, however. Changes to existing licenses require a separate approval process, so the organization can verify that the modifications don’t break compatibility with the older license and still adhere to the Open Source Definition.
OSI’s policy is to push back on new licenses that “aren’t very different from existing licenses.” It encourages potential licensors to review the existing licenses to ensure that none of them meets their needs before proposing a new one. But with 60 existing licenses and climbing, it is unrealistic to expect each applicant to have done so thoroughly. Many proposals, Rosen explains, are based on the author’s assumption of what existing licenses lack. If those assumptions are wrong, the license proposals are redundant, and ultimately add to the proliferation. This problem only grows as more licenses are approved.
Is Compatibility the Real Problem?
At the beginning of this year, SourceForce.net, the largest repository of OSS code, had tens of thousands of projects under 24 licenses. Rosen sees an opportunity for consolidation in these numbers, yet he realizes what a thorny proposition that is.
How does OSI convince each project owner under a redundant license to move its project to a broader license? Many owners would undoubtedly adopt a ‘if it ain’t broke, don’t fix it’ attitude toward their existing licenses.
What would the move mean for all the production software already incorporating that project? Even if all the licenses were consolidated down to an all-encompassing few, all the software based on older, eliminated licenses still must be dealt with, including any that were sublicensed and incorporated into large deployments. The implications are enough to stagger even a seasoned attorney.
More Questions Than Answers
Rosen was true to his word. He didn’t offer any solutions to the complex issues of open-source licenses. Posing many more questions than he answered, he painted a picture of the struggle the OSI faces in its mission and the risks this burgeoning problem threatens to create for the open source community. This week OSI announced a reorganization of its executive team to try and address these and other challenges. Immediately after announcing he was stepping down as general counsel to assume an informal advisory role, Rosen quipped, “I am free at last. I am no longer dealing with that proliferation problem [from the inside].” Unfortunately, the open source community won’t be able to make the same proclamation for some time.