OSI, GAP, and "Exhibit B" licences

By Rick Moen

Years ago, at the very beginning of the dot-com era, I attended a series of workshops, hosted by OpenSales, Inc., on open-source licensing issues. Discussions were wide-ranging, but covered all of the major software-licensing issues that have hit Linux and open source over the past decade: licence combinatorics, the threat of software patents, trademark encumbrances, court challenges on various copyright grounds, the implications of future Digital Restrictions Management (DRM) measures in the hands of Hollywood and the recorded music cartels, and the much-discussed "ASP loophole".

The last of these was a new way firms can (from one point of view) subvert the intent of "copyleft" licences -- those that require people distributing modified versions and offshoots ("derivative works") to make their source code available: Application Service Providers (ASPs) run their applications behind closed doors, i.e., never distribute them, instead letting remote customers reach those applications remotely across the Internet. In that usage model, the ASP can fully exploit other people's copylefted code without needing to make their changes available to others. (Essentially, copylefted code's authors assumed that anyone would have to distribute their derivative works, to make use of the borrowed code, but this turns out not to be true.)

Years passed, and for a long time the ASP model had only very limited success. The "network computer", which has no independent local computing power of its own and just images remotely running apps, came and went, victim of performance and network-bandwidth problems and the relatively low price of conventional PCs. (Sun Microsystems is still trying to sell the idea, as the SunRay product line.) Hosted Web applications were always said to be just around the corner, but never got anywhere until recently, with the rise of AJAX Web apps, a JavaScript-based form of dynamic HTML that has made possible a large number of hosted "Web 2.0" services, and (mostly) aspiring young companies backing them.

You'll note that almost all of those -- Google Maps, GMail, Yahoo Mail, Google Calendar, YouTube, and so on -- keep their program code entirely proprietary, although it's highly likely that they're building it on other people's open source (and probably, in many cases, copyleft) code.

A number of Web 2.0 firms, however, don't wish to cut loose from their open source roots, and (commendably) wish to have their offerings qualify as open source, but at the same time want to give themselves a business advantage over any commercial competitors reusing their published source code on competing sites. A couple of years ago, they found their chosen tool: An "Exhibit B"-clause modification to the Mozilla Public License v. 1.1 (penned originally by the SugarCRM company, then copied by an increasing number of others) -- dubbed by critic Bruce Perens a "badgeware" clause and by its proponents an "attribution" provision -- requires any reuse or derivative work to sport the original sponsoring company's advertising logo on every single user interface screen. That was a couple of years ago.

One problem: SugarCRM and its imitators have been going around in public claiming to be open source, and in most cases strongly implying (or in some cases directly claiming) to be using a licence approved as open source by the Open Source Initiative (OSI), even though their licences fail a couple of the criteria that make a licence open source. Moreover, they've been carefully avoiding submitting their modified-MPL licence to OSI's licence-approval process.

Aware of the potential for disastrous PR (from claiming to be open source when a firm really isn't), Web 2.0 company Socialtext employee Mitch Radcliffe wrote a somewhat more modest "Exhibit B" clause called the Generic Attribution Provision ("GAP"), and submitted it as a memo to the Open Source Initiative on November 13, 2006, asking that the OSI Board approve it as an addendum to "any [OSI-approved] 'modifiable' licence" as being compliant with the Open Source Definition. In doing so, Socialtext represents the interests of its own Web 2.0 hosted application under its own badgeware licence, and also by extension those of several other Web 2.0 businesses, all with "Exhibit B" licences: SugarCRM, Zimbra, Alfresco, Qlusters / OpenQRM, and Jitterbit.

So have (leaving aside newcomer Intalio) about a baker's dozen of other "Web 2.0" businesses seemingly not associated with the GAP initiative: Scalix, Terracotta, Cognizo Technologies / CATS, MuleSource, Communiva / Dimdim, Agnitas / OpenEMM, Openbravo, Emu Software / NetDirector, ValueCard / TenderSystem, Open Country / OCM Webmin Plus, 1BizCom, KnowledgeTree, and Sapienter Billing Software / Jbilling. The last of these, eyebrow-raisingly, is currently using the OSI Certified licence-certification program logo alongside its modified-MPL licence, a fact I've brought to the OSI Board's attention, on strong suspicion that corrective action is needed. [Late addendum: Just before press time, after receiving a complaint, Sapienter removed its unauthorised use of OSI's logo, but not its distortive claim to be using MPL 1.1, and to be open source.]

All of those firms are aware of having a potential perception problem, and have had private talks with OSI but have notably not submitted their licences for certification -- creating a situation where other firms have started to copy their arrangements without apparently being aware of the controversy.

That brings us to the present, with newcomer Intalio's press release (quoted by Linux Gazette author Howard Dyckoff in this issue's News Bytes column), claiming to be "open source" because they're in the middle of converting their Web 2.0 hosted Web application to MPL + GAP licensing. I began researching this article, which began as a footnote to Howard's news item, because the press release didn't seem right, and the further I looked, the more problems I saw.

By the way, I mean no disrespect towards Web 2.0 companies generally. In fact, Andrew C. Oliver of Buni.org has, to the great credit of himself and his firm, spoken eloquently against Socialtext et alii's GAP initiative, as clearly contrary to core notions of open source. (Oliver predicts that OSI will approve GAP or some similar mandatory-advertising proposal. I sincerely hope he is mistaken.) (As an aside, ZDnet columnist David Berlind has also written eloquently about the ethical questions surrounding "Exhibit B" firms, and the need to curb or at least resolve their misleading claims that their offerings are open source, when they are very much not.)

Socialtext's GAP clause is as follows:

Redistributions of the original code in binary form or source code form, must ensure that each time the resulting executable program, a display of the same size as found in the original code released by the original licensor (e.g., splash screen or banner text) of the original licensor's attribution information, which includes:

(a) Company Name
(b) Logo (if any) and
(c) URL

Yr. humble servant and others on the OSI's license-discuss mailing list found a couple of obstacles, one large and one small, with that proposal:

OSD #10 ("License Must Be Technology-Neutral") is the larger obstacle: "No provision of the license may be predicated on any individual technology or style of interface." GAP appears from its wording to permit creation only of derivative works having user interfaces, i.e., it prohibits reuse of covered code for daemons. Some online comments from some of the affected firms (though not necessarily Socialtext) indicate that this is the purport of that clause, and is a deliberate effect.

The lesser obstacle is that the OSI Certified approval process vets licences as OSD-compliant -- and Socialtext didn't actually submit one: As worded, Radcliffe's memo seems to say "Please examine all 58 OSI-approved licences to see which of them permit textual modifications, and then consider us to have asked approval for each of those that do, each one with our clause appended."

That procedural gaffe is not necessarily fatal to the merits of Socialtext's proposal per se, but does make it severely out of order as a licence proposal.

I should hasten to add that, as serious as GAP's problems are, all of the firms' in-use other badgeware clauses -- all but one listed on the same page as GAP -- have worse ones: Zimbra, Qlusters, SugarCRM, Socialtext itself, Alfresco, Jitterbit, Scalix, Terracotta, Cognizo Technologies, MuleSource, Communiva, Agnitas, Openbravo, Emu Software, ValueCard, Open Country, 1BizCom, KnowledgeTree, and Sapienter Billing Software all require their company logos to appear on "each user interface screen" of derivative works, not just on some "splash screen or banner text". Further, each of those licences dictates an exact location and size where that logo must appear on "each user interface screen". Some of those requirements, rather comically for a would-be open source licence, make it physically impossible to comply if you have combined two codebases under the same licence: e.g., SugarCRM, Terracotta, MuleSource, 1BizCom, Sapienter Billing Software, and Socialtext specify "the very bottom center of each user interface screen", which obviously cannot be true of two logos at once. Moreover, through code reuse, derivative works risk starting to look like Nicholas Goodman's nightmare vision of "Exhibit B" logo requirements run amok.

In no way do I speak for Open Source Initiative, but I'd be extremely surprised if any of those licences as presently constituted, or the Generic Attribution Provision (as patched onto some subset of 58 extant licences) were ever approved by the OSI Board. Meanwhile, all 20 of the firms cited continue to claim in public to publish open source software despite having never submitted their licences to OSI for certification and the doubtfulness of their claim on its face.

(SugarCRM CEO John Roberts ignored my question of why, if his firm's licence is open source, the SPL FAQ claims it's unlawful to sell works derived from it. Matt Asay, VP of Business Development for Alfresco -- and an OSI Board Member! -- similarly ignored my question of whether Alfresco would kindly suspend claims of being "open source" until its licence is evaluated, or at least commit to remove that claim if its application is declined.)

Socialtext even claimed last July that its wiki software, "Socialtext Open", was available under MPL v. 1.1, when in fact that is simply not the case. [Late addendum: Socialtext retroactively corrected that published claim just before press time, the second time I mentioned it on the OSI license-discuss mailing list.]

There may be a good-faith effort at dealing reasonably with the open source community somewhere in there, but it's late in coming and there's been recently not quite as much candour as one might hope. I would caution firms like Intalio from assuming they've truly gone open source, solely on account of Radcliffe's "submission" of GAP to OSI's Board, and never, ever trust that a licence is genuinely open source just because some Web 2.0 firm claims it is.


Rick has run freely-redistributable Unixen since 1992, having been roped in by first 386BSD, then Linux. Having found that either one sucked less, he blew away his last non-Unix box (OS/2 Warp) in 1996. He specialises in clue acquisition and delivery (documentation & training), system administration, security, WAN/LAN design and administration, and support. He helped plan the LINC Expo (which evolved into the first LinuxWorld Conference and Expo, in San Jose), Windows Refund Day, and several other rabble-rousing Linux community events in the San Francisco Bay Area. He's written and edited for IDG/LinuxWorld, SSC, and the USENIX Association; and spoken at LinuxWorld Conference and Expo and numerous user groups.

His first computer was his dad's slide rule, followed by visitor access to a card-walloping IBM mainframe at Stanford (1969). A glutton for punishment, he then moved on (during high school, 1970s) to early HP timeshared systems, People's Computer Company's PDP8s, and various of those they'll-never-fly-Orville microcomputers at the storied Homebrew Computer Club -- then more Big Blue computing horrors at college alleviated by bits of primeval BSD during UC Berkeley summer sessions, and so on. He's thus better qualified than most, to know just how much better off we are now.

When not playing Silicon Valley dot-com roulette, he enjoys long-distance bicycling, helping run science fiction conventions, and concentrating on becoming an uncarved block.

Copyright © 2007, Rick Moen, rick@linuxmafia.com.

This article was first published in issue 134 of Linux Gazette, January 2007.