OSI Affiliate Member, California Association of Voting Officials (CAVO) is reporting significant developments to advance the use of Open Source Software within electronic voting systems.

According to CAVO, the PAVE Act, tendered by United States’ senators Ron Wyden of Oregon and Kamala Harris of California, includes provisions to address financial barriers that could be incurred by state and local governments evaluating open source options for their elections systems.

CAVO communications director Brent Turner explained, the PAVE bill sets a variety of cybersecurity standards, and requires every voting machine used by a state or local government to undergo testing to affirm those requirements are met. In addition to the standards set forth in PAVE, The Department of Homeland Security (DHS) also has their own requirements. PAVE directs DHS to undertake this testing, of both the standards included in PAVE and their own, on behalf of the state or local government.

Turner added, “Local and state governments are of course also free to set their own additional cybersecurity standards for voting machines used in their jurisdictions beyond those identified in PAVE and by DHS”. Section 2216 of the PAVE bill states that DHS will cover the costs to test any open source technology against state or local voting standards. Turner noted this is critical for the adoption of open source options as “proprietary providers of voting technology can easily foot the bill themselves to have their product tested for compliance with those state or local standards, but open source projects may not have the resources to fund the certification process, thus eliminating themselves from consideration by state and local jurisdictions.”

“In essence, the PAVE bill makes it easier for state and local governments to use open source technology, or, at least, to make sure the cost of certification doesn’t get in the way.”

Open source voting pioneers Brian Fox and Alan Dechert have been working on open source solutions since Dechert’s first public demonstration of an open source election system in 2004. Congresswoman Tulsi Gabbard, representing the 2nd District of Hawaii, was the first to include Open Source Software in federal legislation (H.R.5147), what Fox said at the time would, “give appropriate security direction to the nation's election officials. Congresswoman Gabbard is appreciated as a pioneer advocating the science of protecting our democracy."

CAVO expects such federal legislation to help expedite the development of open source voting systems in California, which can then serve as a model for other states. Turner emphasized, “We have been working on this for almost 20 years. We must now make sure that California Governor Newsom and Secretary of State Padilla understand that if we are to have safe and secure elections in the United States, we must immediately transition from the proprietary software model to a GPL licensed open source system.”

The state of New Hampshire, the city of San Francisco, and the United States' largest voting jurisdiction, Los Angeles, recently announced their intentions to deploy open source voting systems. In addition, the California Assembly recently passed CA AB 1784, which provides "matching funds" for counties developing open source voting systems. The bill, according to CAVO, is expected to make it through the Senate and be presented to Governor Newsom for signature.

Open Source Software project cultivates collaboration by extending outreach to OSI as part of broader community development.

Knowage, the open source suite for modern Business Analytics, combining traditional and big data sources into valuable and meaningful information, has renewed their sponsorship of the the Open Source Initiative® (OSI).  Knowage (formerly SpagoBI) has a 14-years history of open source collaboration, where individuals and companies work together to meet the latest analytical needs, including collaboration with current OSI Affiliate Members Eclipse Foundation, OW2, and Engineering Group- one of the world's leading specialist providers of services, software development and digital platforms that support both public and private companies or organizations through digital transformation.

Powered by a strong international open source community, and released under AGPL3, Knowage code is freely accessible on GitHub.

For over twenty years, the OSI has worked to raise awareness and adoption of Open Source Software, and build bridges between communities. Support from organizations like Knowage, not only provides the OSI with critical financial resources for continued operations, but even more valuably, extends the OSI's network exponentially through Knowage Labs' multiple international partners and collaborators.

"Knowage proudly supports the OSI's efforts in promoting open source to drive innovation, and shares their goal of promoting growth and contributions through authentic engagement across international communities," said Grazia Cazzin, Knowage Director.

"Knowage highlights how businesses, foundations, and projects can come together to co-create innovative open source software and healthy communities," said Patrick Masson, General Manager of the Open Source Initiative. "Maintaining an open ethos that ensures community success, not just one project's, is exactly how open source should work, and we thank Knowage for their commitment."

As a non-profit, community-driven organization, the OSI relies on the support of volunteers who lend their time to develop and manage internal operations and working groups; individual contributing members, whose annual dues provide critical support and whose votes elect the Board; Affiliate Members, composed of a who's who of open source projects and foundations, and; corporations who choose to support our mission through in-kind donations and generous financial contributions.

About Knowage Labs
Knowage Labs, together with the open source community, develop Knowage Business Analytics software, manage related professional services, and coordinate a network of international affiliates that serve as local contact points for customers and integrators. Knowage Labs professionals are employed by Engineering Group with offices in Italy (Bologna, Milan, Rome, Padua, Turin) and Republic of Serbia (Belgrade). For more information, see the Knowage Community Edition.

About Open Source Initiative
Founded in 1998, the Open Source Initiative (OSI) protects and promotes open source software, development and communities, championing software freedom in society through education, collaboration, and infrastructure, stewarding the Open Source Definition, and preventing abuse of the ideals and ethos inherent to the open source movement. The OSI is a public charity with global vision based in California. For more information about the OSI, please see https://opensource.org.

In May, the License-Review mailing list saw extensive debate on the Cryptographic Autonomy License. The list also discussed a BSD variant used by the Lawrence Berkeley National Laboratory, and the Master-Console license.

The corresponding License-Discuss summary is online at https://opensource.org/LicenseDiscuss052019 and covers an announcement regarding the role of the License-Review list, discussion on the comprehensiveness of the approved license list, and other topics.

Cryptographic Autonomy License

The review of the Cryptographic Autonomy License (CAL) continues. Back in April, Van Lindberg submitted the CAL as a network copyleft license, but with broader scope than the AGPL (see the summary).

While the CAL clearly tries to comply with the OSD, there are widespread concerns as to whether some fundamental aspects are compatible with open source and software freedom.

Public Performance

Bruce Perens claims that use of public performance rights implies a field-specific restriction in the sense of OSD #6, e.g. because it would allow private use but not public use. (Note: the mere use of these rights does not create such a restriction.)

Scott Peterson [1,2] argues that software interoperation cannot be a “performance” in the sense of US copyright law – even if a public performance right exists for software. The CAL makes software interoperation more difficult and should not be approved. Van Lindberg provides his analysis of the term. Notably, Lindberg's definition does not require a human audience for the performance.

Chestek [1,2] finds a potential problem with how public performance interacts with modified works, as parts of the license only consider public performance of interfaces. Van Lindberg appreciates this point.

User Data

Bruce Perens argues that the CAL's user data provisions go beyond copyright law. Users don't have an a priori right to receive their user data until the CAL created this right. But this means that the operator's copyright license is conditional on fulfilling the user data obligations, which is an unreasonably far-reaching compulsion.

Pamela Chestek follows up on April's discussion on whether the CAL's user data clause is comparable with the GPLv3's anti-Tivoization clause. Van Lindberg sees a distinction between two of CAL's clauses: The CAL forbids locking down the software via cryptographic means, a kind of Tivoization. The CAL also requires user data to be provided, which is necessary to ensure user freedom in a SaaS context. Bruce Perens agrees that this should be fixed – but by some law, not by a license. And anyway, the user should just keep backups of their data.

Nigel Tzeng [1,2,3] thinks the user data obligations are unrealistic and excessive, for example where the operator has no easy way to make a copy of the data. This is problematic even with a good faith effort to comply, and makes the CAL “unworkable for most operators.” How detailed do requests have to be? Does holding a copyright license imply a possessory interest? But if the user data only covers the user's inputs (not modified or intermediate formats), the right to a copy is also not very useful.

Van Lindberg [1,2,3] responds that the user data clauses ensure data portability to inputs and outputs of the software, and where the user has some possessory interest in the data. What that encompasses precisely would depend on the jurisdiction. Having a (public) license for some data does not imply a possessory interest.

User data requests will typically only cover data that the end user uploaded. This can be implemented via export functionality in the software (note: as is already common in GDPR-compliant systems). That does not imply excessive effort for the operator. Where no such functionality is implemented this may require some effort, but that is comparable with having to provide the source code. When the request covers data that they didn't upload, they would have to specifically demonstrate their possessory interest.

Bruce Perens [1,2] doesn't buy Lindberg's argument that providing user data were easy. In a blockchain setting, providing user data might be as simple as providing a copy of the blockchain. But in other settings operators have no guidance or guarantees. Peer to peer applications seem especially problematic, since every end user would be an operator. Lindberg's fixation on certain SaaS settings is not helpful.

GDPR

Chestek [1,2] assumes the GDPR is being referenced because there would otherwise be a conflict with CAL compliance. Such preferential treatment of the GDPR would be “facially non-compliant with OSD 6”: it relieves someone complying with the GDPR from complying with the CAL. Compliance with the CAL might also be impossible if a jurisdiction has conflicting privacy laws. The section should be rephrased to avoid being specific to any legal regime, or removed when no conflict is expected.

Lindberg [1,2,3] explains that the reference to GDPR is intended to streamline compliance: if the operator already complies with the GDPR, that's already good enough for compliance with the CAL's user data requirements. This is just an interpretive guide, and doesn't confer special permissions. Given the amount of confusion that clause has caused, Lindberg considers removing it.

Fontana: The CAL is not Free because it encumbers APIs

In April, Pamela Chestek had asked why specifically the CAL should not be approved, under the assumption that public performance rights are a thing for APIs.

Richard Fontana responds:

• it forces reimplementations of a CAL-covered API to be open source
• Joke: any license can be opposed on the grounds that it violates OSD 5/6 (restricts some persons, or fields of endeavour)
• but here the CAL really looks like such a violation
• not necessarily a problem: even the GPL certainly restricts some persons
• “From a software freedom perspective, extending a copyleft requirement to an interfae is unjust.”
• CAL might violate the spirit of OSD 9 (don't restrict other software), similar to the SSPL.
• OSI review should not just check OSD conformance, but also whether the license provides software freedom

• the CAL's unreasonable burden on interface re-implementors violates software freedom.

• that the license limits itself to copyright law doesn't mean it provides software freedom

• a copyleft license like the CAL doesn't necessarily make more software available under open licenses.

  • unusual license might see no adoption
  • seems to serve a proprietary dual-licensing business model
  • which would mean it would actually result in less open software

• questions what it means to publicly perform an API.

  • could see such a performance for GUIs
  • but APIs are not typically perceived by users

Pamela Chestek responds that she still can't see the CAL “as even slightly different from the GPL in reach”, under the assumption that API copyright exists. Chestek is more concerned about the applicability of public performance rights outside the US. Chestek is confused by Fontana's position that a free software license may not apply copyleft to all aspects of copyright (such as API copyright).

Chestek does not believe Fontana's argument that the CAL will result in less free software. If some copyleft licenses are harmful, where exactly is the tipping point? Why is AGPL acceptable but CAL not?

Fontana responds that a license may decide to cover API copyright, but no FOSS license should do so. Fontana thinks that the CAL breaks with the (A)GPL tradition, and is confident that the FSF would condemn any interpretation that the CAL were essentially the same as the GPL.

Perens: Licenses should not cover API copyright

Bruce Perens summarizes his stance on free software:

• since the DFSG, it has been clear that running open source software for any purpose must be allowed
• it is necessary that the rules don't have total sympathy for proprietary developers
• it is fine to require the sharing of modifications
• many network copyleft licenses change the fundamental deal of open source
  • running for any purpose no longer allowed
  • such licenses no longer respect users
• approving network copyleft licenses is a slippery slope towards losing authority
• supporting API copyright is a bad idea because it can be used against the open source community
  • perhaps later API copyright licenses will become necessary as a defense

On the interpretation of the OSD, Perens sees two ways forward: Either the OSD is interpreted literally, but is also amended/clarified regularly. Or, the OSD is interpreted intelligently.

Van Lindberg argues that “we have already entered the world in which licenses like the CAL are necessary”: “Put aside the network aspect. How many reimplementations of the GNU readline interface are there? How many bashisms have made it into other shells? Under Oracle v Google, those are derivative works.” Perens disagrees and urges not to “concede the fight before it is lost.”

Henrik Ingo agrees with Perens that the CAL oversteps some boundaries, in particular with its user data requirements. However, the age of SaaS makes strong network copyleft licenses necessary in order to protect end user freedom. Ingo hopes a scaled-down CAL would get approved.

To Peren's point that approving non-free licenses could cause the OSI to lose authority, Ingo adds that failing to approve OSD-compliant licenses would be harmful as well. “Network copyleft is clearly an area where currently supply and demand don't meet”. Perens obviously disagrees and reminds that approval can cause problems for the community. The community is also not reliant on OSI approving new licenses, just like the FSF doesn't have to write new licenses: “While we are starting to see reasons for GPL 4, nobody is in a hurry.”

Pamela Chestek [1,2] questions why involving public performance rights is necessary to protect APIs. “Public performance” is an US-specific term, and the CAL might stretch beyond the bounds of copyright. In contrast, the GPLv3 defines its term “propagate” in terms of copyright law. Chestek suggests the CAL could borrow this approach. Lindberg doesn't quite disagree, but objects on multiple points. The CAL should make its intention to cover public performance explicit, it already defines the term within the license, it must also consider IP other than copyright, it doesn't stretch beyond copyright, and Lindberg would like to stick to existing terms.

Freedom in Website and Blockchain Scenarios

Pamela Chestek asks whether she would be eligible to receive a CAL-covered websites source code when she enters a third party's user data into a form on the website. Van Lindberg responds that yes, she would be eligible for the source just as under the AGPL. However, the source code requirement already triggers due to using the software. Here, the third person's personal data is not that third person's user data, but the user data of the one entering the data into the website.

Bruce Perens [1,2] extends the scenario with a blockchain-based example, where there might be “derivative data”. Perens also thinks the CAL's definition of source code includes private keys that were used to manipulate data in the blockchain. After all, any blockchain participant would be an operator processing user data. (Note: this may be a misunderstanding of both blockchain technology and the CAL.)

Van Lindberg [1,2] provides two detailed replies. The CAL does not have a concept of derived data. Instead, obligations arise if someone is a Recipient in the sense of the license. The operator's obligation to provide data only extends to the user's data, and only to the extent that the operator can retrieve this data. Disclosure of private keys is not required in the context of user data, although it could be required in the context of the source code as part of the CAL's anti-Tivoization clause. In general, Perens's hypotheticals “don't really make sense”, and would result in roughly the same outcomes as under the AGPL.

Bruce Perens [1,2] claims that while the CAL may or may not violate the OSD, it definitely violates the FSF's Freedom Zero “to run the program as you wish, for any purpose”. The problematic user data terms even apply to unmodified software. In Peren's eyes, Lindberg has arbitrarily redefined the FSF's concept of Software Freedom to cover user data. Lindberg [1,2] insists the CAL ensures end user freedom the same way the GPL does, this involves preventing intermediaries/operators from taking rights away. The question to decide is precisely whether the operator's freedom to lock down end user data is more important than the end user's freedom to run the software with their own data. Lindberg and Perens just disagree on how to resolve that dilemma. Lindberg has also asked the FSF for their opinion.

Bruce Perens [1] also thinks the user data terms are unnecessary in the decentralized context for which the license was drafted. Lindberg argues that the CAL helps to keep a system decentralized.

Bruce Perens [1] sees an overarching problem with the license: that even competent attorneys seem to be struggling with its terms, particularly regarding user data and public performance. Courts might not share Lindberg's interpretation. Developers without legal counsel don't have the “slightest hope” of applying the license correctly. Lindberg [1,2] concedes that fully understanding a legal instrument like the CAL does require counsel. But the CAL is no more complex than the GPL. The effect of the CAL can be summarized concisely in a manner that would be understood by an ordinary developer. Perens [[1]perens:cal:competent2,[2]perens:cal:gpl-simple] [Perens]perens:cal:competent2 disagrees with that summary, and thinks Lindberg's stance is deeply unsympathetic to users.

Other Points

Re claim by Pamela Chestek: OSI decision making is unpredictable. Bruce Perens responds that “we like it that way”. OSI review should not mechanically implement pseudo-laws, but care about the community's interest.

Bruce Perens asks whether the copyright holder would also be bound by the conditions of the CAL, e.g. regarding user data. Peren's understanding is that they would not be bound, which would privilege them compared to other operators. Van Lindberg claims that the CAL places no party in a privileged position.

Van Lindberg argues that the CAL is also necessarily because the AGPL is so unclear and ambiguous. The CAL would be clearer, and would have applicable case law “at least by analogy”.

Kevin Fleming asks if the CAL is only fully effective if patents are involved. Lindberg responds that patents holders will have extra tools, but that the CAL is based equally on copyright, patents, and contract methods.

Pamela Chestek and Van Lindberg continue their review discussion from last month.

• Lindberg updated language around the LGPL/MPL-style Combined Works exception.

• Chestek thinks the anti-DRM clause is “unintelligible”. Lindberg provides a side by side comparison of the clauses in GPLv3 and CAL.

• Chestek thinks the CAL is overly complicated when trying to ensure that all permissions are passed to downstream recipients. Isn't this as simple as “cannot impose additional restrictions”? Lindberg responds that this isn't as simple. He doesn't want to enumerate allowed restrictions like the GPL does. However, Lindberg updates relevant language in the CAL.

Henrik Ingo is torn on whether the CAL should be approved. Prima facie, the CAL violates the OSD – but only due to its well-justified, tightly-scoped user data requirements that are necessary to ensure end user freedom in practice: “the CAL is a net positive contribution to software freedom.” The user data clauses do not violate Freedom Zero if the operator is viewed as merely running the software on behalf of the end user. If this violates the OSD, maybe the OSD should be amended.

Bruce Perens [1,2] doesn't think the OSD can be a comprehensive list of allowed or disallowed license features. It should not be amended until it can be interpreted mechanically.

Ingo had invoked the License Zero review as precedent. Richard Fontana clarifies that L0 was retracted and not rejected, but that the significant past “hostile receptions” should be treated with some significance.

Lindberg's Summary

Van Lindberg [1,2] tries to summarize various objections and discussion points, and provides references to various arguments that have been made. The three main issues are:

1. whether data portability can be guaranteed as part of software freedom and under the OSD
2. whether public performance is effective, OSD-compliant, and good policy
3. whether the CAL is too complicated or unclear

The objections mainly apply to the operator of the software, not to end users. Issues 1 and 2 are fundamental policy questions.

Bruce Perens confirms he believes that “an operator's ability to lock down the data they receive from end users is core to the OSD and to the concept of Free Software” (as phrased by Lindberg). John Cowan thinks Lindberg is approaching this from the wrong end: the right to commit crimes is not core to FOSS. But using FOSS licensing to enforce ethical actions is a Very Bad Idea.

Lawrence Rosen [1,2,3,4] is against approval. While Rosen accepts a public performance right for software (his own OSL uses it), it has limited value and has nothing to do with normal execution of the software. Performance does not include the rendering, display, or execution of a software. Rosen thinks the CAL's user data clauses are troubling, since data is not copyrightable. At most, a confidentiality clause would be appropriate. Lindberg [1,2,3] points out that the CAL has nothing to do with copyrightability of data, and uses a multi-pronged mechanism of which copyright is only one part. Lindberg thinks Rosen is reading the definition of public performance in US law too narrowly, and provides caselaw to bolster his argument.

Luis Villa argues that the CAL is not excessively complex. The CAL and GPL use similarly complex language, although both are more complex than other licenses. If objections on the grounds of complexity were to carry any weight, then “OSI can... only approve long-existing licenses (or trivial permissives). (If that's the board's intent I'd love to hear it; we can all unsubscribe from this list and call it a day!)” McCoy Smith concurs: there's a difference between ambiguity (bad) and inherent complexity (acceptable) of a license.

Pamela Chestek adds the major objection that the CAL would be the first open source license to encumber API reimplementations. This is the main issue, compared to any debates over public performance. Henrik Ingo argues that both are problematic, and that invoking public performance rights seems unnecessary except for the CAL's goal to implement API-copyleft. Lindberg views these issues as independent. The CAL's use of public performance is primarily an alternative to the AGPL's “network interaction” mechanism. API copyleft is a reaction to the Oracle vs Google case.

Richard Fontana thinks Lindberg's summary fails to accurately capture fundamental objections. The issue is not whether API copyleft could be premature, the whole concept runs against FOSS and industry conventions. If a license makes use of API copyright, then please only for maximally permissive licensing. Henrik Ingo thinks API copyright would be a huge detriment to the industry – would any readline implementation be copyright infringement? But if it happens, the FOSS community shouldn't just cede that ground. “Still, as long as we're not there yet, we of course shouldn't be the first party to strike.”

LBNL BSD

Sebastian Ainslie [1,2,3] asks for legacy approval of the LBNL-BSD, a 3-clause BSD variant used at the Lawrence Berkeley National Laboratory (LBNL). Compared to the common BSD template, it adds a caveat that U.S. Dept. of Energy approval may be required, presumably required for all DOE labs. It also adds a paragraph that published modifications fall under the same license by default. This is a bit like an implied CLA, or like copyleft with an opt-out. Ainslie explains this is necessary in order to accept contributions without signed CLAs.

Legacy approval

There is some contention on what legacy approval signifies.

Bruce Perens raises a license proliferation objection. McCoy Smith wonders why OSI approval is needed if the license has already been used for over a decade. Richard Fontana wonders whether actively used licenses are eligible for legacy approval. Kevin Fleming assumes that the use of legacy-approved licenses would be discouraged. On further reading, Fontana finds that legacy approval is just retroactive. It does not require the license to be unused, and does not imply any discouragement.

Richard Fontana [1,2] thinks that legacy-approval must generally meet the same standard as new licenses, especially with regard to OSD conformance. But it would be a good idea for OSI to take a more active role to explicitly approve licenses that are commonly used in Linux distributions. Legacy approval should therefore be more lenient about sloppy or amateurish drafting. 15 or 30 years ago, licenses simply were not drafted with the same standards we expect today.

Fontana sees many people who do not accept OSI's stewardship of the Open Source definition. They can point to a vast collection of open source software that does not use OSI-approved licenses. A mass effort to approve more obviously-FOSS licenses would then have some benefit.

Actual review

Fontana sees the added paragraph as unclear or sloppily drafted. It might not trigger the default license if modified versions are privately given to third parties, without these modifications being published. This is different from Apache 2 which just codifies the “inbound = outbound” expectation. Pamela Chestek [1,2] wonders whether the paragraph is even relevant: “inbound = outbound” is the default expectation, with or without that paragraph. The paragraph mainly affirms that modifications can be published under a different license. Henrik Ingo shares this view (see also below). John Cowan disagrees: by default the modifications would have no license, as the BSD would only apply to the original work.

Tom Callaway questions why the paragraph seems to assign different terms to enhancements than the main BSD license. Richard Fontana too thinks that the contributor license is broader than the BSD. Ainslie [1,2] argues that no such different terms are used, but this seems to confuse the submitted license with a suggested simplification by Callaway.

McCoy Smith and Henrik Ingo note that OSI usually rejects licenses that give preferential treatment to one party, or are specific to some entity. Here, this is not a problem: while the LBNL is mentioned explicitly as a recipient, it receives the same rights as the public.

Henrik Ingo is slightly concerned about the default license paragraph acting like an implicit contributor agreement. But this is not a problem in practice: code added to a BSD-licensed project is considered to be BSD-licensed as well. The paragraph only seems like a clarification in case of a standalone patch is sent without explicit license indicators.

Brendan Hickey isn't sure whether implicit “inbound = outbound” should be promoted. Hickey points to projects like Linux that expects patches to be explicitly signed off by the contributor. Hickey also points to the C-FSL review, where it was discussed that licenses cannot do copyright assignment. So what kind of licensing terms would actually be necessary in order to safely accept contributions? Henrik Ingo responds that the license status of published modified versions is usually clear without having to take extra steps, and that no copyright assignment is involved.

Richard Fontana suggests a DCO (https://developercertificate.org/) as a simpler way to ensure that contributions are properly licensed.

Ainslie says that DOE labs cannot use a vanilla BSD license, which made small changes to the license necessary. Pamela Chestek [[1]chestek:lbnl:doe,[2]chestek:lbnl:doe2] [Pamela Chestek]chestek:lbnl:doe asks for documents that require these changes and McCoy Smith asks which specific changes are mandated. Ainslie says they have to attribute their funding source and add a notice that DOE approval be required. McCoy Smith questions whether the addition of a notice even creates a new license. It is unclear to Chestek which of these changes are part of the license that is under review.

McCoy Smith [1,2] thinks making the license conditional on DOE approval could be an OSD 7 issue. But is that a license condition, or just a notice?

Pamela Chestek asks how many projects use this LBNL license. Ainslie says it's used by nearly all open source software from Berkeley Lab, adding up to hundreds of releases.

Master-Console

Wayne Rangel Wayne Rangel [1,2] submits the “Master-Console's Open Source Definitive License” for approval. It is difficult to tell, but the rationale for this license seems to be:

• that the original author can take down malicious modifications
• that the source code shall be offered in a specific manner, presumably that the source code can be downloaded via a web browser

Lukas Atkinson expresses their frustration that the license seems impossible to understand, both from a legal perspective and due to the unidiomatic English. Christoper Sean Morrison thinks “that should be grounds for rejection alone.” McCoy Smith sees the license terms as an OSD 5/6 violation. The license is also likely non-free, “although the wording is such that I can’t quite tell.” Bruce Perens points to the Artistic License as an example where an unclearly drafted license resulted in high costs to third parties.

Richard Fontana suggests the license is not yet ready for review. Pamela Chestek [1,2] asks for the license to be retracted from review.

Help Wanted!

Our current editor of the monthly License-Discuss and License-Review reports, Lukas Atkinson, will not be available to continue in June and July, and may have limited availability throughout the rest of the year. If you would like to join the OSI as list editor, or know someone who might, please contact OSI General Manager Patrick Masson. The list editor works on a freelance basis to provide monthly summaries of the License-Review and License-Discuss mailing lists.

In May, the License-Discuss mailing list talked about:

• relationship between the License-Review mailing list and the License Comittee
• evolution of the license review process
• comprehensiveness of the approved license list
• licenses of licenses
• would three licenses be enough?
• email threading

The corresponding License-Review summary is online at https://opensource.org/LicenseReview052019 and covers extensive debate on the Cryptographic Autonomy License, as well as discussion on a BSD license variant.

License-Review / Committee Relationship

In the review of the CAL, a minor point was whether the review of the License Zero should be characterized as a “rejection”.

Luis Villa talks about the history of the License-Review list, that the list at times was an OSI committee, but that any decision making authority lies solely on the OSI board.

Richard Fontana feels that community engagement in the list has declined, making it more difficult for OSI to argue that review decisions reflect community consensus.

Luis Villa isn't sure that engagement has gone down, but thinks the level of engagement is definitely unhealthy – 100+ email threads chase away potential submitters.

Henrik Ingo likens list participation to jury duty. Ingo also points out that there is no need to chime in to repeat a consensus opinion.

Christopher Sean Morrison agrees with Ingo's point that mailing lists dictate “efficient silence”, without a mechanism to silently signal agreement. But engagement also suffers from “rehashed-topic fatigue”.

Pamela Chestek sees some bullies on the list. Someone may stay silent not out of agreement, but to avoid conflict.

Nigel Tzeng suggests anonymous voting by OSI members. (Note: but that doesn't help with discussions.) Fontana thinks that would be ripe for abuse. Tzeng thinks the current system can also be abused, presumably referencing the NOSA review.

Scott Peterson argues against maximally precise rules, both regarding the review process and possible OSD amendments.

McCoy Smith views the board elections as a kind of indirect vote. Henrik Ingo warns that direct democracy can distort a vote. The OSI board must make decisions on their own responsibility.

Evolving the License Review Process

Pamela Chestek announces the new OSI License Review Committee, consisting of Pamela Chestek (chair), Elana Hashman, Chris Lamb, and Simon Phipps. They recognize the need for improvement of the review process, so that all points of view are represented in the discussion. As a first step, they clarify:

• License-Review list collects feedback from the public about proposed licenses. The Comittee considers these responses when making their approval recommendation to the OSI board. If a license is not yet ready, a moderator can move discussion to License-Discuss.

• License-Discuss is for general questions about open source licenses, and for licenses in their early stages of development. It is recommended to develop new licenses in the open, and to regularly seek feedback from License-Discuss.

• There will be an effort towards better moderation, to ensure appropriate conversation and a good pace of discussion, and to encourage wider participation. This includes rules to limit hostility, frequency, and repetitiveness of messages, includes follow-ups from moderators to unanswered questions, and includes enforcement of the existing Code of Conduct.

• The website now clarifies the license review process: community consensus is no longer a precondition. Instead, the board takes the community discussion into account for its decision.

Simon Phipps clarifies that Chestek's announcement represents the decision of the OSI board.

Bruce Perens perceives this change as directed squarely against him. “I, and others, have today been ejected from the license committee.” (Note: this assumes the view that the list members are the committee.) Perens does not think the mere number of messages would be a problem – they are necessary to clarify important questions. Perens doesn't see the point in accommodating people who don't (yet) participate on the list.

Chestek disagrees with the characterization that anyone would have been ejected – instead, these changes have the goal of inviting more diverse responses than is currently the case. Chestek points to concrete examples how Peren's messages come across as agressive: “this is a tone and style of engagement that is inappropriate.” Perens feels this rejects his viewpoint without appropriate concern.

Russel McOrmond lauds Perens for being a persistent advocate of software freedom, and urges him to not take push-back personally.

Lawrence Rosen appreciates the clarity of the new process, but thinks there is too much focus on strict codes of conduct. Just delete the emails you don't want. Rosen is also surprised to recently learn that Perens represented the OSI in their open standards activities (Perens responds). It is important that it's clear within discussions who speaks for OSI and who doesn't. Rick Moen concurs, and urges everyone to assume good faith. Moen also makes a distinction between different kinds of mailing list moderation. In a certain sense, the OSI lists are unmoderated.

Perens responds to Rosen's aside about standards engagement. Perens also thinks any accusations of bullying are over the top, and that these changes to the list are just tone policing. Perens cautions that “license submitters will tell the story as it is most advantageous to them”, especially if they are lawyers. It's important to be able to call that out when it happens. John Cowan thinks Peren's point about lawyers is counterfactual. There's a difference between rethoric and outright misrepresentation.

Chestek agrees with Rosen that all opinions should be heard, but these can't be expressed in any way you want. A “deal with it” attitude alienates valuable voices. In contrast: “I've never heard of a forum where people won't participate because it's too polite”. Rosen thinks some blustering is normal for lawyers, and that politeness is not generally necessary: “That is boring. We are adults here.”

James thinks moderation should only be done as last resort and as transparently as possible because it can have chilling effects. John Cowan recalls moderation activity on Fidonet: moderation isn't as large a problem as it might seem, and bans were well-deserved.

Fontana appreciates the improved clarity brought through Chestek's changes. The (purely advisory) role of the License-Review list is a major change of how the process is described, but it reflects the actual process more accurately.

McOrmond thinks the line between passion and rudeness is too subjective to be useful. Strict focus on a CoC would exclude passionate people. Some amount of shared views are necessary in a community. Rick Moen counters: it's perfectly possible to find some common ground and cooperate with people whose views clash. The OSI list “is a natural place for people supportive of OSI's real-world objective.”

There is a bit of a side discussion about threats to and core issues of FOSS by McOrmond [1,2] (Affero etc is a threat), Perens (Affero is fine), Simon Phipps (the rules serve the movement), and Moen (software freedom is a shared value).

Martijn Verburg chimes in with an assessment that OSI's list are more “robust” than others. “An attempt to make both lists more welcome to voices […] can't do any harm.”

Moen suggests a conspiracy theory: that these claims of uncivility arose after the OSI didn't approve certain licenses. Are sinister forces trying to silence effective critics? Would those more diverse views not be more sympathetic to such rejected licenses? (Note: it's impossible to tell to which degree this is joking.) Chestek responds: “I understand that people on this list may be skeptical of my commitment to software freedom and/or open source software”. But the Committee and the Board are more than a single person. “I do hope that simply having a different opinion on the meaning of software freedom at the fringes doesn't mean that one has become captive of anti-freedom forces.” The OSI is working on important problems, such as the function of the lists, the quality of the review process, and the exact scope of open source.

Henrik Ingo writes a detailed response to various points.

• the review process hinges on the few who can actually dissect the licenses and read all the emails
• the list seems comparatively disciplined, aside from discussions that rehash long-past reviews
• the SSPL review saw an influx of new participants. Where there were problems, the list self-regulated
• that a new board points to the existing CoC shouldn't be news
• it is more concerning “that the board believes there is an actual issue that needs fixing”
• some of the “concerns” on the list are just lawyerly bickering or lobbying to change OSI policy
• in many of the mentioned cases, the reasons for non-approval are perfectly clear and don't have to be relitigated constantly
• OSI review is not a court, no cases are lost – revised licenses could be approved
• review is not just about checking whether the OSD applies, but also about how the new license serves the community
• it is not sufficient that a license does no harm
• license review is a lot like “code review”, in the sense that there is a kind of shared ownership
• whereas the FSF's Four Freedoms have significant backing material and discussion, the OSD seems so unanimous and obvious that no comparable body of commentary exists
• maybe that is a problem, and more commentary would help?
• the process seems to be working better than ever, so why fix it?

Richard Fontana thinks the review process is perceived as unpredictable because few licenses make it to a board vote. Those that do tend to be obvious cases and don't need a rationale. Most problematic licenses are retracted by the submitter due to community feedback. Fontana also thinks the OSI has a problem dealing with mistakes, such as approved licenses that are not open source under current understanding. A de-listing procedure might be necessary.

Henrik Ingo thinks outright de-listing would be problematic. As a first step the license stewards could be asked for voluntary retirement of the licenses. Otherwise, they could be moved to a “not recommended” category that recognizes that they were used in good faith.

Nigel Tzeng thinks de-listing licenses would be problematic because they would likely target special-purpose licenses. Tzeng is particularly concerned about the (lack of) acceptance of Government Open Source (GOSS) licenses. (Note: due to overwhelming volume and limited novelty, this summary will not cover the ensuing discussion about GOSS.) Regarding possible delisting, Perens states that it is not OSI policy to promote some licenses over others, beyond marking some as “legacy”. Even though in practice, three licenses would be enough (see separate section).

Tzeng doesn't think his perception that the lists are dominated by Perens and Fontana should be treated as an ad-hominem attack. Perens responds that having an assertive personality paired with relevant expertise should be fine Rosen [1,2] disagrees most harshly, Perens wonders how that response can be anything but ad-hominem. Henrik Ingo expresses the meritocratic view that Peren's and Fontana's influence is mostly a consequence of all the time they spend reviewing licenses.

Luis Villa thinks Chestek's clarifications are fantastic, but is concerned that the meaning of “software freedom” is still unclear in an OSI context. Villa notes that while these improvements target the decision-making process, improvements might also be needed for the record-keeping process. The list archives are an unsuitable medium, instead authoritative summaries are needed. Villa provides some links on RFC-like processes. This seems similar to the March 2019 discussion whether a PEP-style process would help.

Comprehensiveness of the Approved License List

Luis Villa argues that the list of OSI-approved licenses isn't a comprehensive list of usable open source licenses. It should therefore be avoided in contracts or license clauses. But if not that, what is the purpose of the list? Would it make sense to create a smaller list of useful licenses? Villa points to his Blue Oak project as a list of useful permissive licenses.

Richard Fontana thinks the approval process is more important than the resulting list. In a way, the licenses are just a medium through which “open source” is clarified. Fontana also warns against relying on self-appointed authorities, and notes that OSI's License-Review is more transparent than alternatives.

Ben Hilburn [1,2] thinks this discussion is important, but finds Fontana's standpoint confusing. Whether a license is “open source” is defined by its OSI approval. Otherwise, how could OSI be an arbiter of that term?

Nicholas Weinstock insists that the OSD and not the review process is the definition of open source. It follows that the OSD is not just a bunch of factors to consider during review. It also follows that licenses can be open source without being OSI-approved. Too much focus on the list of currently approved license would also result in a weird status for legacy licenses that have since been removed from the list.

Van Lindberg likens OSI approval to a product certification. It doesn't matter whether something is potentially approvable, only whether it has been approved. In the end, it must be OSI's call to decide whether a license satisfies the OSD. In contrast, the term “Free Software” could be used more freely. Nicholas Weinstock disagrees with Lindberg's comparison: OSI approval is not a completely neutral review, but takes wider concerns into account.

Lindberg argues that only OSI-approved parts of a Linux distro should be called “open source”. There needs to be some definition of that term, and clearly it is for the OSI to decide what it means.

McCoy Smith [1,2] links to OSI's deprecation/retirement category (https://opensource.org/licenses/category) which “should not be used to license any new code.” Lindberg [1,2] claims that it is not clear whether such licenses still are open source. Lindberg suggests a cut-off date.

John Cowan argues that “law is whatever the judge says”, here: open source is whatever the OSI says. It is then perfectly fine to refer to the list of OSI-approved licenses. It is just that this view provides no guidance for OSI's review process. This approach works fine as long as OSI's decisions do not deviate too far from community expectations.

Stephen Paul Weber occasionally sees such “any OSI-approved license” terms in contests or in aggregators. Sometimes, any OSI- or FSF-approved license is allowed, to avoid choosing “sides”. Fontana thinks that approach is clever: both OSI and FSF are respected neutral authorities, unlike e.g. Blue Oak or Fedora. As a historical point, Fontana remembers that Fedora did not rely on the OSI license list because OSI was then seen as too commercially influenced. Nowadays, OSI criticism seems to be the opposite. Henrik Ingo thinks the OSI is now much more important than back then, because Linux distros no longer have the role of kingmakers: whether the software is packaged for Debian or Fedora is no longer crucial for an open source project.

Ingo doesn't think the OSI license list should even try to be comprehensive. Most open source software is covered by a handfull of licenses, but there is a long tail of presumably-compliant licenses. Those can be approved when they are submitted, but there's no need to actively seek them out. Fontana does see some value in mass legacy approval: licenses without OSI approval are common in Linux packages. Approval would defuse the claim that these weren't open source. Ingo thinks distros have different motivations than the OSI. For example, the OSI did not approve the libpng license – but Linux distros will continue to ship it.

CC0 and Patents

Weinstock had mentioned the failure to approve CC0 even though it was OSD-compliant. Fontana interjects here: there are grave concerns because it explicitly does not license patents. Nigel Tzeng [1,2] retells the history of 2012 CC0 review, claiming that it was not as simple as Fontana purports. The CC0 is now a widely used open source license, despite not being OSI-approved. In contrast, Henrik Ingo and Rick Moen recall that Fontana's concerns were a quickly growing consensus. Fontana goes into more depth about his motivations at the time. The CC0 review helped build an understanding of the issues around patents in open source.

Christopher Sean Morrison thinks the problem is that the OSI has no clear policy on the role of patents. If patents are involved, a licenses that excludes them arguably violates OSD 7. But without patents, such a license would be still OSD-compliant. (Note: but compare also Fontana's message referenced above.)

With regard to the role of patents, Rick Moen [1,2,3] argues that having an open source license is a necessary but not sufficient precondition for a software actually being open source. As a hypothetical, Moen considers a jurisdiction that somehow encumbers a BSD-licensed software.

John Cowan [1,2] disagrees with the premise of Moen's hypotheticals. The biggest patent threat to open source software is not from authors but from third parties. It isn't possible to conclusively determine whether some software is safely open-source. Rick Moen doesn't think that stance is workable. Open source software should be called open source, until the day that the software is encumbered by a concrete threat.

Nicholas Weinstock agrees with Cowan's analysis. But it would be useful to discuss open sourceness of licenses separately from the licensed programs. The OSD does not make such a distinction consistently.

Van Lindberg argues that open source only describes the licensor–recipient relationship. Third parties are out of scope, and no warranties about this are given by the license. Moen agrees, but this doesn't change the issue that software cannot be distributed freely if there are claims against it by a third party.

Lawrence Rosen notes that some licenses have defensive termination clauses that may be a sufficient defense against third party patent threats. (Note: Apache 2 and GPLv3 have such clauses.) Bruce Perens is concerned that such clauses could be ineffective if a company moves the patents to a separate entity.

The GPLv2 includes a “freedom or death” clause that can prohibit distribution in certain jurisdictions. Fontana is of the opinion that software ceases to be open source if this clause is invoked.

As an aside about the BSD, Lawrence Rosen suggests it's the OSI's responsibility to warn the public that BSD is not a useful license due to its lack of a patent license – “Use a professional license instead!” Morrison thinks that is baseless fear-mongering. Has this risk actually been tested? McCoy Smith doesn't recall caselaw, but links to academic literature.

License Licenses

Patrick Masson wants to update the OSI license list to include metadata about the license, such as the license of the license text.

Thorsten Glaser provides metadata for his MirBSD license, but notes that no license for it's text has been adapted.

John Cowan links to/extracts the relevant licensing information from GPL, EPL, Apache 2, MPL 2, CDDL and points out that MIT/BSD are freely modified in practice. Lawrence Rosen extracts the relevant paragraph from the OSL.

Richard Fontana cautions that the license submitter and the copyright holder can be distinct, and that noting a copyright holder is not always useful. E.g. the MIT license has no copyright owner, no license steward, and isn't even affiliated with the MIT. (McCoy Smith links to some MIT archeology). It is also questionable whether licenses are copyrighted in general. (Perens concurs). In contrast, Pamela Chestek provides precedent in favour of copyrightability for legal documents. “To those of us who write them, they are as creative as code.”

Three Licenses

How many licenses does one actually need?

Bruce Perens Bruce Perens [1,2] suggests that three licenses should be enough for anyone: AGPLv3, LGPLv3, and Apache 2. They are mutually compatible, OSI and FSF approved, have explicit patent terms, and cover a wide range of license goals from permissive to network-copyleft. Why not guide people towards this “strategically coherent” set?

John Cowan answers: because that would look like ASF/FSF favoritism.

Brian Behlendorf agrees that dealing with dozens of subtly different licenses is tiring. But OSI's legitimacy derives from its principles. Favoring some licenses (and neglecting others) would call that legitimacy into question. But it would be fine to educate potential licensors about license features, and encourage them to stick to the more common set.

Rosen's mention of the OSL elsewhere prompts John Cowan to announce his dislike of the license: it establishes a separate incompatible copyleft ecosystem or commons from the GPLv2 and GPLv3 ecosystems that already exist.

Rosen disagrees. Copyleft licenses are generally compatible regarding aggregations or collective works, and incompatible regarding joint or derivative works. But that isn't a problem because joint derivative works are rare in practice. The GPL/AGPL group is the odd one because the FSF interprets them to apply to static linking and other interactions. That is a problem with the FSF interpretation, not with copyright law.

Thorsten Glaser accuses Rosen of promoting an agenda here, and that the GPLv2/GPLv3 ecosystems are much more important in practice than the EPL/MPL/OSL ecosystem.

Topicality and Email Threading

Kevin Fleming is frustrated that discussion threads are often derailed by tangential discussions. Such discussions should be split off into a separate topic, so that other people don't have to wade through off topic discussion to find the relevant parts. Discourse allows messages to be moved to new topics after the fact.

John Cowan thinks that threading mail readers help, but that some amount of topic intermingling is unavoidable in any medium. Rick Moen shares the sentiment that threading is easy. “The above is internet 101 […] dont't blame the tool when the user cannot be bothered”. Regarding Discourse, it doesn't show any threading within a topic.

Luis Villa sees these OSI mailing lists as a disproportionally email-entrenched group. And even here, threading does not work in practice – hardly a case of Internet 101. This is dysfunctional. Having to master advanced email techniques seems like an unnecessary barrier to entry. Thankfully, other software does not blame the user – Discourse tries “to reach users where they actually read and write”. Moen responds.

Other discussions

Nigel Tzeng feels that the License-Review list was much more diverse in earlier times (2012), but is now dominated by Richard Fontana and Bruce Perens. Even though everyone is acting in good faith, this hurts engagement on the list. Bruce Perens notes he had been absent from the list for many years, only participating again since mid 2018. Were things really so different back in 2012? In the archives, Perens mostly finds the same posters as today.

Help Wanted!

Our current editor of the monthly License-Discuss and License-Review reports, Lukas Atkinson, will not be available to continue in June and July, and may have limited availability throughout the rest of the year. If you would like to join the OSI as list editor, or know someone who might, please contact OSI General Manager Patrick Masson. The list editor works on a freelance basis to provide monthly summaries of the License-Review and License-Discuss mailing lists.

The Software Liberty Association Taiwan joins long list of Open Source Initiative Affiliate Members and growing representation in Asia.

PALO ALTO, Calif. - May 20, 2019 - The Open Source Initiative ® (OSI), the global organization working to promote and protect open source, is excited to announce the Affiliate Membership of the Software Liberty Association Taiwan (SLAT). Founded in 2001, SLAT is Taiwan’s first legal entity dedicated to Free and Open Source Software (FOSS), supporting both the development and user communities.  As an active community of advocates and technologists, SLAT both drives initiatives, and partners with existing projects, to promote FOSS, including the Open Source Software Application Consulting Center—a program fostering FOSS in Taiwan's schools.  

Critical to both the OSI's and open source projects' success is, as stated in the OSI mission, "building bridges between communities." Both the OSI and SLAT believe those organizations serving Free and Open Source Software communities should seek out ways to support each other—SLAT's Affiliate Membership is an excellent example of such collaboration.

“We’re thrilled to have SLAT join us in our work to advance Open Source Software and foster open source development,” said Patrick Masson, OSI General Manager. ”SLAT is already doing amazing work throughout Asia, and I hope we can compliment their efforts, and even help expand their good work through other OSI Affiliates. Open Source Software is a world-wide phenomena, so the OSI must commit to working globally.”

"We found a blue ocean in the world of FOSS," said Franklin Weng,  former SLAT president and current executive director. "Many  educational applications simply aren’t profitable enough for proprietary vendors to invest in  however are vital to students and schools . FOSS plays a critical role in educational software: programs like Kanagram, Geogebra, GCompris, Kalzium, Stellarium, and Kmplot, covering all kinds of subjects, and making education accessible.  Everyone, every kid, no matter rich or not, elite or not, they all can use these resources in their learning."

In  2015, SLAT launched the Software Liberation Movement, The goal, “explain to people that they have the freedom to choose whatever software tools they need according to their real-world requirements," explained Weng. "We, the users,  should be the ones who determine which tools we use for achieving our goals. However in reality, most people are bound by limitations or restrictions inherent to proprietary software.  We'd like to make people aware that they have many choices, and Open Source Software should be like that of 'public infrastructure' in the physical world—just like buses, trains, accessibility facilities, etc. The value of public infrastructures lies not in how many people are using them, but in the fact that they exist when people have such requirements."

Most recently SLAT has begun promotion of “Public Money Public Code“ in Taiwan. Such policies require that publicly financed software developed for the public sector be made publicly available under a Free and Open Source Software licence. “If it is public money, it should be public code as well.”  Again Weng, "OSI and SLAT are both committed to educating people about open source -- its spirit and value. The OSI reviews and certifies open source licenses, which we think is very important, clearly identifying what is open source. It's very important developers in Taiwan use OSI approved open source licenses. We're very happy to join OSI as an Affiliate Member to, together, support  initiatives like the Software Liberation Movement, and Public Money Public Code."

The OSI Affiliate Member Program is available at no-cost to nonprofits, educational institutions, and government agencies that support the OSI's mission to promote and protect open source software. As the steward of the Open Source Definition certifying Open Source Software Licenses, by establishing such certification as the standard for open source software development and distribution, and with the support of our Affiliate Membership, the OSI has become a cornerstone of software freedom.

About Software Liberty Association Taiwan
Founded on April 8, 2001, the Software Liberty Association (SLAT) is dedicated to serving the free and open source community, promoting free software and open source applications to promote community growth.To learn more about SLAT, visit: https://slat.org/

About The Open Source Initiative
Founded in 1998, the Open Source Initiative (OSI) protects and promotes open source software, development and communities, championing software freedom in society through education, collaboration, and infrastructure, stewarding the Open Source Definition, and preventing abuse of the ideals and ethos inherent to the open source movement. The OSI is a public charity with global vision based in California. For more information about the OSI, please see https://opensource.org .