Home CMS Open Source Initiative Blog

    PostHeaderIcon Newsfeeds

    Open Source Initiative blogs

    • OSI Board Evolution

      I spent last week in New York at the annual new-inductees face-to-face Board meeting of the Open Source Initiative Board (pictured here – Christine Hall is also a member but was unable to join us). Having spent the last 11 years working on refactoring OSI for a new generation, I had advised the Board in advance that I intended to step down as President to make way for fresh blood. The Board elected Molly de Blanc as the new President and Josh Simmons as Vice President, with Hong Phuc Dang bravely volunteering to be CFO. I agreed to serve as Board Secretary until someone else feels ready to play that role – no later than next April when my term ends.

      OSI Board 2019-20
      Simon Phipps, Elana Hashman, Pamela Chestek, Molly de Blanc, Faidon Liambotis, Chris Lamb, Hong Phuc Dang, Patrick Masson, Carol Smith (kneeling) Josh Simmons (kneeling)

      The OSI I’m handing over to the new Board is very different to the one I first attended in 2008 (as an observer - I only joined the Board on leaving Sun in 2010). It is now elected rather than selected (albeit via an indirect mechanism to make California regulation easier to manage). The electors are over 60 affiliate organisations representing the majority of the world’s core open source developers and an ever growing community of individual members. OSI now has a viable income arising largely from a diverse range of around 30 sponsors. It now has a staff, including a full-time General Manager, Patrick Masson. It now has maintained systems for managing donations, lists and outreach. And there’s more been achieved – those are just stand-outs.

      All together that means OSI has a proven foundation for the new Board to build upon. Already built on that foundation there are a postgraduate curriculum, a programme to advocate open source in the world of standards, a programme to equip schools with recycled PCs, working relationships with peer organisations like FSF and FSFE and more. There are many people responsible for all this change, too many to name here, and I thank them all.

      People always look forward rather than back and there are still plenty of issues to deal with which are the new Board’s focus. We are already working to improve the license review process, for example. But I’m really pleased with what we have all achieved over the last decade at OSI (and how it matches my 2010 manifesto!) and am thrilled that there’s an energetic, more diverse and younger crew taking over.

    • April 2019 License-Review Summary

      In April, the License-Review mailing list saw extensive debate on the Cryptographic Autonomy License, in particular:

      • its user data clause, and how it affects user freedom
      • obligations placed on the software operator
      • API copyright
      • strategic concerns for the OSI
      • public performance rights for software

      The corresponding License-Discuss summary is online at https://opensource.org/LicenseDiscuss042019 and covers discussions about non-commercial licenses, license revocability, and LGPL/Apache compatibility.

      Cryptographic Autonomy License

      Van Lindberg submits his Cryptographic Autonomy License (CAL) to the review process. This is a network copyleft license, but with a broader scope than the AGPL. The CAL is motivated by ensuring user autonomy in blockchain-based applications. Lindberg has also written an in-depth blog post that serves as a rationale document. Last month, there had already been preliminary discussion about the license on the license-discuss list (see the summary).

      Lindberg and Pamela Chestek summarize the core goals of the CAL:

      • that derivative works are handled in a copyleft manner
      • that any software offering the same API is under a compatible license
      • that user data is portable

      Note: this summary uses the term “operator” to describe a user who runs the software so that other end users can interact with it.

      Summary of Opinions

      While the license presents welcome innovation in the network copyleft licensing space, there is also major criticism:

      • operators are subject to unacceptable restrictions regarding user data
      • it is not in OSI's interest to approve an API-copyleft license
      • the novel use of public performance is unclear, untested, unnecessary, and possibly ineffective

      Bruce Perens does not recommend approval. Henrik Ingo [1,2] thinks that a “revised, less hazardous version of this license” could eventually get approved.


      While Perens was eager to get his concerns heard early, Richard Fontana reminds that no urgency exists: as per the review process, new licenses get an initial 60 days of discussion before any decision. Simon Phipps adds that since Fontana's tenure as license committee director has ended, any review progress will be stalled until a replacement is appointed at the next board meeting.

      License Purpose

      Bruce Perens is concerned that the CAL goes beyond licensing software, but tries to establish some market. Perens suggests that the license's business purpose might better be reached through an ordinary contract.

      Van Lindberg [1,2] responds that while the CAL is being drafted because of a business purpose, its terms are independent of that purpose. The terms only cover licensing of the software, under some conditions. Ultimately, every license has some purpose behind it. In the case of the CAL, the business purpose required a network copyleft license.

      Perens argues that while other licenses may have their own purpose, they are not specific to some application. In contrast, the CAL seems specific to blockchain applications.

      Lawful Interest in User Data

      The CAL requires that operators must provide user data to which an end user has a lawful interest. For example, a user might have a ownership interest in the photos they upload to a photo storage service.

      Bruce Perens [1,2,3] thinks that “lawful interest” is not sufficiently defined, and would require novel theories of data ownership: “There are opinions, and little case law.” This could even require disclosure to third parties if they establish a lawful interest.

      Van Lindberg [1,2,3] responds that lawful interest is defined using known legal terms. The CAL does not grant new rights to user data: either the law recognizes some kind of data ownership or it does not. You can't end up with rights that you didn't already have.

      Lindberg clarifies that the CAL references the GDPR not to define lawful interest, but to clarify how an operator must provide user data.

      Perens points out: if the users already have a right to their data, why does the license need terms to that effect? Lindberg responds: “Just because I have ownership of data does not mean that you have an existing legal responsibility to give it to me. This is exactly the problem addressed by the CAL.”

      User Freedom and Data

      Van Lindberg [1,2] explains why he believes provisions about user data to be necessary. Preserving user freedom is core to Free Software. User data must be protected for that freedom to be effective:

      The insight is that, increasingly, the data and the code are needed together to realize the program's function. Existing open source licenses, such as the GPLv3 family, recognize this and requires the provision of cryptographic keys that would prevent the execution of the code. The CAL recognizes that user freedom also includes the provision of the user's data so that the program functions completely and fully in a context of the user's choice.

      […] I may own my data. I may be able to get a copy of the source code. But […] unless I can use the software to process my own data, I also don't have effective freedom.

      The CAL does not encumber or restrict user data, it just prevents it from being locked into a platform – similar to GPLv3's anti-Tivoization clause. Such a clause is necessary because hashchain applications offer new ways to lock down a program.

      Bruce Perens is not convinced that end user freedom requires the disclosure of this user data. And the license must protect freedom not only for end users but also for operators, so why should it be acceptable to compel operator actions?

      Pamela Chestek and Bruce Perens disagree with the comparison to the GPL's anti-Tivoization clause. It applies when a device with embedded software changes ownership, so that the new owner can install modified software on their hardware. In contrast, the CAL's user data provisions burden the operator of the software to provide access to user data. This is a fundamentally different kind of obligation.

      Operator Obligations

      Bruce Perens [1,2,3] is concerned that the operator's obligations regarding user data are unclear and excessive:

      • The CAL's requirements trigger on mere use of the software, which looks like an OSD #6 and #9 violation. How can forbidding or compelling an action not be a usage restriction?

      • It should be fine to just run software under an OSI-approved license, without having to read it. The CAL's user data requirements break this expectation. Operators have to hire a lawyer to understand the extent of their obligations. This is an unreasonable burden that limits their freedom.

      • The CAL affects data that is processed with the software.

      Van Lindberg [1,2,3] counters:

      • The CAL's user data requirements are about as restrictive as the AGPL's source disclosure requirements: “The license compels an action by the licensee – to make the source code and data available. This is exactly the same type of action required under every copyleft license.”

      • The CAL does not extend to data: “No rights or obligations are created in any other work.”

      • The CAL does not restrict usage. It only requires user data to be provided to the extent that it is available. E.g. data may have to be decrypted for a user with a lawful interest, but the CAL is careful to not require disclosure of private keys.

      • The CAL only compels actions while the operator provides a service. They are free to stop at any time.

      Lindberg appreciates the point that users should be able to run the software without reading the license. But with the CAL, the legal load for end users is still zero. Extra burdens are only placed on operators who want to provision the software as a service to others, which is the same scenario where the AGPL applies extra requirements. And anyway: “if you are providing services to others, you have already taken upon you substantial legal liability.”

      Lindberg is amazed that Peren's examples boil down to preserving operator's freedom to lock down their user's data. “That freedom is definitely granted under some more permissive licenses, but preserving the rights of users is a core aspect of Free Software, which is the tradition addressed by the CAL.”

      Henrik Ingo points out that open source licenses generally grant rights to users and shield them from legal risks. For example, restrictions on DRM are “a great example of protecting user rights”. Peren's objections seem to be problematic primarily with P2P software where end users simultaneously act as operators.

      Solving Social Issues

      Bruce Perens [1] agrees that data being hold hostage is a legitimate problem – but it is a social problem. OSI has previously rejected licenses that try to address social issues beyond the software. While OSI-approved licenses sometimes require disclosure of source code, also requiring disclosure of user data would be overreach.

      Van Lindberg disagrees. The CAL is not in the same bucket of (non-free) licenses like 996 or JSON “do no evil”. The CAL tries to address an issue (user autonomy) “in the exact same way the GPL addresses the social issue of software freedom.”

      API Copyright

      Pamela Chestek [1,2,3] summarizes the CAL's relationship to API copyright: Any reimplementation of a CAL-covered API must be offered under the CAL or a compatible license. The CAL does not have a copyleft effect on software that merely uses/consumes the APIs. Assuming API copyright (Oracle v. Google) is overturned, the CAL will not be affected since the CAL is about public performance of APIs and not their reproduction. But without that precedent, how could other implementations be restricted?

      Van Lindberg [1,2] confirms that Chestek's analysis is correct, but thinks the chances of API copyright being overturned are rather slim. Even then, CAL hooks into patent rights as a secondary means of enforcing copyleft.

      Richard Fontana [1,2] notes that API reimplementations have to be open-sourced when their binaries are distributed or their interfaces are publicly performed. He criticizes the concept of “publicly performing an interface” as unclear, and thinks the relevant clause is written ambiguously. This launches a side discussion about the Oxford Comma.

      Richard Fontana asks about the legal situation of API copyright in the EU under the 2012 SAS Institute Inc. v. World Programming Ltd. decision. Carlo Piana explains that the SAS ruling excludes language APIs, programming languages, and file formats from copyrightability in the EU.

      Strategic Concerns on API Copyright

      Richard Fontana warns that the CAL would be the first license to intentionally expand copyleft to APIs. Henrik Ingo is aghast at Lindberg's explanations: “this couldn't possibly be your intention”. They call some strategic concerns to attention.

      Fontana believes that current community consensus is opposed to API copyleft. He sees “a deep-rooted policy against […] restrictive application of interface copyright in free software/open source […] that ought to be read into the OSD and our understanding of software freedom”. This “is supported by widespread hostility in the [community] to the result in Oracle v. Google” and the FSF's policy of opposing API copyrightability. While a license might acknowledge API copyrightability, it should only do so under highly permissive terms and not use it to impose copyleft requirements.

      Henrik Ingo hopes the OSI “won't and can't approve of” such copyright-maximalist features. Instead, the open source community has an interest in promoting the view that interface implementations always or typically are fair use. Maybe, many years later APIs do become widely copyrighted. Only then would it be in the interest of the community to wield this power as well.

      Ingo also mentions that right now, OSI approval of a license with API copyright elements would be highly undesirable as this could be used by Oracle lawyers as evidence that such views were widely accepted in the industry and open source community.

      Van Lindberg understands the strategic objections, but doesn't think “it is an extension to use legal terminology and case law which already presumptively applies to software.”

      Bruce Perens asks whether it is in OSI's interest to approve licenses that use public performance rights “for purposes other than requiring publication of the source code”.

      There is also the matter of precedent. Perens notes the FSF (although disapproving of software public performance) did something similar with the AGPL, and the OSI eventually approved it. Pamela Chestek thinks this leads to “the understandable complaint that the OSI decisionmaking process can be unpredictable”, especially since no one has claimed that the CAL's API/public-performance aspects would violate the OSD.

      Public Performance

      Henrik Ingo [1,2] cautions that the “use of public performance in a software license is novel and untested.” This is risky for users. The license doesn't even need public performance rights to work but could use “legal methods that are more boring, but better tested and safer”. So for what reason should the license rely on public performance, other than maximizing its copyright power?

      Van Lindberg [1,2] fundamentally disagrees here, and considers public performance key to the CAL. Practically speaking, the AGPL is the only available network copyleft license. But Lindberg found its network copyleft provisions lacking:

      • they do not trigger for unmodified versions
      • they can be gamed by using proxies
      • they are unsuitable to ensure user data access
      • they are unclear in a corporate context

      Lindberg thinks [1,2] that it's better to use public performance – an established right in copyright law – than to define a unique term like “network interaction”. The use of public performance paired with some other definitions also clarifies corporate compliance.

      Henrik Ingo agrees with Lindberg's analysis of the AGPL, and welcomes alternatives. Ingo criticizes the proxy loophole, and its GPL-like mindset that software will be executed as a single process on a single computer which accepts network connections.

      However, Ingo vehemently disputes that public performance would be a solution. This is completely uncharted territory, and the CAL fails to bound its implications. Public performance “only adds uncertainty, but little practical value.”

      The AGPL protects users by giving explicit and unlimited permission to run the program. Instead of restricting public performance, it uses an awkward construction that compels features of the software but not actions by the operator. Other licenses don't have to use that approach, but simple and clear legal terms help protect users. Perhaps the AGPL could be fixed by merely replacing “network interaction” with “interaction”.

      Bruce Perens is confused why, if public performance rights are given, the AGPL went through the trouble of synthesizing a separate public performance-like right.

      Pamela Chestek wonders how the CAL would work in the EU, where no equivalent public performance right might exist. Lukas Atkinson points to “communication to the public”, and suggests that the CAL could reference the WIPO treaty where it is defined.

      Scott Peterson [1,2] is concerned that the CAL tries to introduce the notion that software interoperation could be the copyright holder's exclusive right. This would attract FUD. Actions that impact the interpretation of copyright law should be considered for their broader impact. Bruce Perens refers to Lindberg's argument that public performance is an existing right for software because software is a literary work.

      McCoy Smith links to an article that argues that public performance rights do exist for software, but would not generally apply (Lothar Determann (2015): What Happens in the Cloud: Software as a Service and Copyrights. In: 29 Berkeley Tech. L.J. DOI: https://doi.org/10.15779/Z38DX3N).

      Other points

      Pamela Chestek provides a careful analysis of unclear language in the license.

      Henrik Ingo is concerned that the anti-DRM provision might not be effective, which leads to some comparisons with the GPLv3 [1,2,3,4].

    • April 2019 License-Discuss Summary

      In April, the License-Discuss mailing list:

      • talked about non-commercial licensing
      • discussed license revocability
      • answered a question about LGPL/Apache compatibility

      The corresponding License-Review summary is online at https://opensource.org/LicenseReview042019 and covers extensive discussion about the Cryptographic Autonomy License.

      International Licenses Redux

      As proposed in December, Richard Fontana has updated the “International” license category of the OSI license list.

      Non-Commercial doesn't compose

      Chris Webber posts an essay about non-commercial licenses to the list, based on his experience working at Creative Commons.

      Webber is “sad to see history repeat itself […] given the [recent] volume of submissions in favor some sort of noncommercial style license” (Note: like SSPL). Whereas Rob Myers joked that NC stands for No Community, Webber argues it represents “‘No Composition’, which is just as much or more of a threat”. Core points:

      • Defining (non-)commercial use is extremely difficult. See https://wiki.creativecommons.org/wiki/Defining_Noncommercial.

      • NC is asymmetric. “NC has the kind of appeal that a lottery does: it's very fun to think about participating when you imagine yourself as the recipient.”

      • NC feels like a minefield. If single NC licenses are already confusing, how would it feel if the whole system switched? For example, would a partially-NC Debian distribution be usable?

      • Different license users have opposed goals. “Libre Commoners” want to protect the commons, and want everyone to abide by the license. In contrast, “Proprietary Relicensors” want to prevent free riders in order to develop income. This is anti-community.

      Webber concludes that “Noncommercial fails in its goals and it fails the community. It sounds nice when you think you'll be the only one on top, but it doesn't work, and it never will.”

      Can a contributor take back open source code?

      Antoine Thomas asks whether a contributor would be able to revoke/remove their contributions from a project, and how this would affect old versions of a project.

      Kevin Fleming responds that legitimately provided open source licenses are not revocable, but that a project might honor a request out of courtesy.

      Brendan Hickey points out that copyright law may provide special revocation rights, e.g. 17 USC §203. And even without revocation, a contributor could make life difficult for users.

      Compatibility of LGPLv2.1 and Apache 2.0

      Bryan Christ [1,2] asks whether Apache-covered software can link with LGPLv2.1 libraries and vice versa. The question is motivated by their incompatible patent clauses.

      Bruce Perens [1,2,3] affirms that either direction of linking is fine: neither license imposes terms on the software it is linked with. But the LGPL does extend some terms onto the linked work in its entirety, which could be a problem e.g. with proprietary licenses that prohibit reverse engineering. While the Apache-2 patent clause is incompatible with the GPLv2, the LGPL is structured differently.

      Bryan Christ notes that the ASF lists the LGPL as incompatible. Bruce Perens explains that the Apache Foundation excludes LGPL software from their own projects because the LGPL affects the larger work, but that the licenses themselves allow linking with each other.

      McCoy Smith links to the FSF comment on the Apache license, but notes that it only discusses GPL and not LGPL.

    • Join Us In New York City

      OSI members and affiliates are invited to join the OSI Board of Directors, local college and university student groups, and the broader New York City open source community to discuss "Careers in Open Source".

      • Open source jobs, what are they... where are they?
      • Finding and leveraging open source projects to expand your opportunities.
      • What companies and communities are looking for.
      • What you should look for, before accepting the job.
      • Getting the most out of your company to further your open source career.

      If you're interested in a career in open source software, have some advice to offer, or just looking to network with peers, we hope you will join us.

      Open Source Initiative Spring Meet-up and Mixer
      Tuesday, May 7, 2019
      6:00 PM to 9:00 PM
      UPDATED LOCATION... 122-128 W 26th St, New York, NY 10001, USA ...UPDATED LOCATION
      RSVP: https://www.meetup.com/Open-Source-NYC/events/258658427/

      OSI Board Directors have broad backgrounds and experience, working in a variety of roles—Chief Open Source Officer, Chief Information Office, Chief Technology Officer, Open Source Program Manager, Community Manager, Developer, Architect, Engineer, Attorney—for both corporations and communities—Clojure Community, Cloud Native Computing Foundation, Debian Project, Free Software Foundation, Github, Google, Kubernetes Community, Microsoft, One Laptop Per Child, Open edX, Oracle, Python Software Foundation, Red Hat, Salesforce, Sun Microsystems , The Document Foundation, Wikimedia, Zalando... and many, many, more.

      Photo credit: "NYCMeetUp.jpg" by Patrick Masson (CC BY 2.0) is a derivative of, "Jobs Board" by Malcolm Tredinnick (CC BY 2.0), via Flickr (https://www.flickr.com/photos/malcolmtredinnick/934039609/in/photostream/)

    • Powering Potential Expands to Peru
      Image one
      The Nainokanoka Secondary School
      in the Ngorongoro District, Tanzania, May 2018

      The Open Source Initiative’s first African Affiliate Member, Powering Potential Inc. (PPI), is pleased to announce the launch of their award-winning solar-powered Raspberry Pi computer labs in Peru. The pilot program builds on PPI's successes already enhancing education throughout rural Tanzania, Africa.

      Over the past 13 years, PPI has installed 29 solar-powered systems, and 203 computers with servers, in 29 secondary schools across Tanzania. As a result, more than 23,000 students and teachers have been provided with direct access to educational materials and technology-training with minimal impact to the environment.

      Image one
      Neema Lyimo, PPI ICT Manager & installation team at
      The Nainokanoka Secondary School, May 2018.

      PPI created their Solar-Powered Access to Raspberry Computing (SPARC) installation model using Raspberry Pi computers loaded with an abundance of open source software, such as RACHEL from WorldPossible.org, and Kolibri from Learning Equality. Educational resources include Khan Academy videos, UNESCO textbooks, and Project Gutenberg literature with health and medical information.

      Image one
      Solar Panel Installation at
      The Nainokanoka Secondary School, May 2018

      A basic SPARC lab installation consists of five Raspberry Pi computers, two 85-watt panels, three 108Ah batteries, a 15 amp charge controller, a 350 watt inverter, and a lightning arrester system. A SPARC+ installation includes 15 more computers, additional solar panels, six new batteries, and a new charge controller. PPI also uses local vendors to work with school districts to provide solar power and additional equipment.

      After installation, school district-selected teachers having a familiarity with technology are given a specialized three week “Train-the-Trainer” course. PPI prepares them to instruct tech literacy classes by learning networking, hardware, word-processing, database, file management, RACHEL maintenance, and email basics.

      Image one
      Project Team Meeting at the San Francisco School
      in the Belen District of Iquitos, Peru with (l to r)
      Anita Gil Avila, principal; Cledy Grandez Veintemilla,
      Director of the Rosa de America private school;
      V. Ena Haines, PPI Management Team; and Dana Rensi,
      PPI Regional Director, Latin America, July 2017.

      Currently, PPI’s pilot project is placing a SPARC lab in the Amazon region at the San Francisco Rio Itaya School, located in a low-income district of Iquitos, Peru. Leading this effort is Dana Rensi, PPI Regional Director, Latin America. She is a recipient of a Fulbright Distinguished Award in Teaching and an Educational Media Specialist in Ashland, Oregon. After being a Fulbright exchange teacher in Iquitos for a year, Rensi began working with V. Ena Haines from the PPI Management Team and is currently scheduled to be on site for five weeks this summer to establish the pilot. If successful, SPARC labs may also be expanded to other villages along the Amazon River.

      The geographic isolation of this region in Peru is similar to rural Tanzania in terms of educational hurdles like a high turnover rate for teachers, limited resources and a lack of electricity. Iquitos, for example, is known as the largest city in the world that is accessible only by river or air, which makes technological progress challenging. The pilot installation is on the outskirts of Iquitos in Belén, one of thirteen districts of Peru’s Maynas Province known as “The Floating City.” Other villages along the Amazon River face the same accessibility problems coupled with regular seasonal flooding that has grown worse in some areas from climate change.

      Image one
      An external view of The San Francisco School
      during seasonal flooding, March, 2019.

      Rensi believes the SPARC lab installation could alter the game entirely for students there. “I came from teenage parents and a poor background. Education was my way out,” she explained during a recent interview. “They [the students] deserve an opportunity to learn no matter what circumstances they are born under or where.”

      For this reason and more, PPI is actively seeking volunteers and sponsors for the pilot program in Peru alongside their continued efforts in Tanzania. They will also host a spring fundraiser celebrating their 10-year partnership with the Segal Family Foundation on Wednesday, June 5th from 6 to 8:30 p.m. at 39 West 29th Street in New York City to raise money for a major computer lab upgrade for the 800-student Sazira Secondary School near Lake Victoria in rural Tanzania.

      To learn more or find out how you can help, visit Poweringpotential.org.