What is open source anyway?

Open source is often seen as a community-based method of building software that utilizes grass roots community to allow a democratization of software. The source code is readily accessible to all, enabling open standards and undermining entrenched monopolies. As open source projects build on each other they provide mutual support: upstream and downstream software users have access to the source code, so they can debug the software and patch the bugs that matter to them. By allowing users to allocate their own resources to development, the software evolves to meet the needs of those users who invest resources.

This Utopian view of open source has a key problem: it’s not applicative. You can’t apply it to classify a piece of software as “open source” or “not open source”. Let’s take a look at a couple of pieces of software to see whether they might be open source:

WIX (Windows Installer XML) is a software project to allow open source projects to build, package and distribute Microsoft Windows installers for their projects. It is licensed under the Common Public License, bearing the Open Source Initiative stamp of certification, and hosted by SourceForge, the stereotypical hoster of open source projects.

WIX is not a good fit with our Utopian view of open source, because it is not built by a community, but by employees of Microsoft Corporation on company time, it does not enable open standards but is tied to Microsoft Windows operating systems on a small handful of hardware platforms, and far from undermining Microsoft’s entrenched monopoly on operating systems, appears to be specifically designed to defend Microsoft Windows from open source rival Linux.

ProGuard is a Java “obfuscator,” a tool that converts Java source code to a form from which it is extremely hard to infer any program details. Obfuscators are used to hide the source code and the intellectual property embedded in it. Obfuscators have secondary benefits, because the resulting code can be smaller and run marginally faster, but the primary use is to hide the source code. ProGuard is also hosted on SourceForge and released under the GPL.

ProGuard’s primary action hides source code rather than making it open, makes third party debugging much harder and third party patching effectively impossible, thus undermining the openness and community aspects of open source.

So should these software packages be considered “open source”?

Patent Claims Against Open Source

In the last few days there have been a number of reports that Steve Ballmer (CEO of Microsoft) has made a veiled threat against commercial open source providers with respect to software patents. At least one report provides the whole context of the alleged “threat” and has given Microsoft the opportunity to clarify any potential misunderstanding. The response does not appear to indicate any misinterpretation. Microsoft reaffirmed that their intention is to license their patent protected IP, stating that “Our agreement with Novell is yet another affirmation of our policy to license our IP to others – including open source companies.”

So do software patents threaten open source?

Patents do not threaten open source any more than they threaten closed source.

“Open source” is a term used to identify a licensing model; it is not a term that represents every single software package released under an open source licence. It is therefore true to say that patents threaten individual open source software projects, but it is also true to say that patents threaten individual closed source projects too. It is worth noting that Microsoft themselves were recently ordered to pay $US1.52 billion in damages as a result of a case concerning MP3 patents owned by Alcatel-Lucent (and that’s not the only case MS have lost or are fighting).

How is Open Source Tackling the Patent Issue?

Some open source licences explicitly protect the user against patent claims, for example the Apache License 2.0 contains a patent grant for any code contained within the product. This clause allows the licensee to exercise patent rights that would normally only extend to the licensor.

The validity of this clause is largely dependent on the organisation that issues the licensed software since it assumes that the contributor of the affected code owns the patent and therefore can legally grant that patent licence. Organisations such as the Apache Software Foundation (ASF) have formal IPR management policies to ensure that all downstream users of ASF produced software are adequately protected by this clause.

Even without a patent clause within an open source licence, supporters of open source would argue that the peer review process found in community developed open source projects will reduce the risk of inadvertently infringing a patent. In a closed source development model this peer review process is rarely present and so the protection it affords the software producer is lost.

One more protection for open source software is the fact that many companies, such as Sun, IBM, Oracle and Novell, have granted licences to use at least part of their patent portfolios within any open source software products. That is, they will not (cannot in many cases) sue open source companies. It is interesting that these companies usually retain their right to use their patents against closed source companies.

The Conclusion

It is clear that patents are an issue for all of us to consider, whether we produce open or closed source software. They are not a threat to “open source” since this is a licensing model. They are, however, a potential threat to individual software projects regardless of the licence those projects adopt.

How Open is the Open Solutions Alliance?

I’m a fan of open source software, that’s why I work for OSS Watch. When I first started working with open source (about 10 years ago now) the term actually meant more than code was released under an open source licence. It meant there was a community of developers who came together to create a software solution to a shared problem.

However, as the business world has become increasingly aware of open source products as a viable way of creating high quality software for resale, things have begun to change. In some quarters of the open source business domain the importance of an open community in open source software development seems to have been lost.

I subscribe to perhaps the most extreme view of community in open source. That is, I believe that looking after a truly open and healthy community will result in the production of quality code.

Whilst I accept that there are different ways of managing a healthy community, one thing I will not budge on is that a healthy community is one in which everyone has a voice and everyone has free will. Unfortunately, there are many businesses releasing “open source” code where this simply is not the case.

So, when I first read about the Open Solutions Alliance I, like many others, ran off to the Internet to try and understand the implications of this new non-profit open source advocacy group. Unfortunately I found very little commentary other than gut reactions. So I had to do some work, to answer my primary question of “are these folk going to look after the open source community?”

The first thing that worried me was the following quote in a linux.com article:

Klawans [OSA spokesperson] acknowledges that exactly what licenses a member business may or may not use is rather vague. “We didn’t take a stance on it so we could get the launch done,” he says, “but we do know that a business has to be supporting the open source project that their project is based off of. They should be contributing code and effort back into the project and moving it forward.”

At a time when the Open Source Initiative are attempting to tackle the problem of licence proliferation I would expect an organisation wanting to strengthen the position of open source in the business world would take the view that only OSI-certified licences are appropriate for its membership.

Whilst this stance on licensing is concerning, it says nothing about the OSA opinion of community since the OSI is concerned with open source licences, not with open communities. So, let’s take a look at the OSA website itself, in particular their objectives:

Initially, the OSA will focus on the following activities:

  1. Defining and promoting tools, frameworks and best practices that facilitate easy deployment and interoperability between member applications;
  2. Building meta-communities by partnering on projects that involve a variety of companies, communities and individuals to drive innovation and collaboration; and
  3. Coordinating joint marketing campaigns to raise awareness of business-hardened open source applications and solution suites.

Point 1 is something that should be done within existing development communities. Nothing in the alliance’s web site states they will do this behind closed doors, but then it doesn’t say they will do it in the open as part of the existing communities either.

Point 2 is also something that should be done within existing communities. If there is really a need for such meta-communities then they should be created as open communities in full view of all developers on all affected open source projects. Again, there is nothing on the web site to suggest it will not be done in the open, but I would like to be reassured.

Point 3 can be interpreted in at least two ways, the first (pessimistic interpretation) is that open source products are not business-hardened and so customers should only use solutions provided by OSA members. If this is the impression their marketing materials will give then they will be very harmful to open source as a whole (not to mention untrue). Furthermore, if the implication is that only the OSA members have business-hardened open source solutions then why are they not contributing their business-hardening code back to the projects as part of the developer community?

Perhaps I should be generous and assume they actually mean that the OSA members are experts in products that are, as open source products, business-hardened. If this is the case then I can hardly take issue with point 3, let’s see what the future holds.

It is encouraging to find the following in the OSA code of ethics:

[Members agree to]

Remain committed to open source business practices including supporting user and developer communities, and maintaining access to source code.

So, with my optimistic hat on I can assume that the OSA truly intend to operate in a fashion that is supportive of community development models. I therefore proceed to wonder why organisations like The Apache Software Foundation have not been invited to join up. After all, many of the initial member companies use ASF software in their products.

[NOTE: to my knowledge the ASF has not been invited, since I am a member of the ASF I should be aware of this if it has happened, but perhaps I missed something]

In order to proceed, I’ll assume it’s an oversight that the ASF has not been invited to join. Exploring the membership details on the OSA site I discover that there are three classes of membership, two of which cost money and are for profit making organisations. The third one does not cost money and is for non-profit organisations.

So, open source foundations can join up. However, their membership level affords very little influence on the actions of the OSA. Such members do not get a vote and they can’t sit on the board. Of course, they are still expected to provide the same 20% FTE of resources that profit making organisations are expected to provide – quite a drain on the resources of a non-profit organisation that is already expending a great deal of resources creating the software at the core of the other OSA members’ products.

The non-profit membership of the OSA doesn’t sound too good/useful to me.

But then again, being on the “inside” of a potentially closed group, even as an observer, can help open things up considerably. At least such members would be able to report back to their own, open, communities. Well, you’d have thought so, wouldn’t you? Let’s check the membership agreement…

If Member fails to meet the responsibilities of its membership class, the Member may, at the discretion of the Board of Directors, have its membership terminated.

OK, I accept that there needs to be some protection in place. Nobody wants a rogue in the ranks. However, I’m concerned that it is the Board that make the decision to boot people, not the membership. Recall that only commercial, paying members, can vote for or sit on the board (in fact only the top level paying members can sit on the board).

Am I just being paranoid?

Let’s look at what it is that members are supposed to do with their 0.2 FTE contribution in order to avoid being booted. One of the responsibilities of membership is to “Express public support for the OSA and the OSA website.” Or to put it another way, a member can be thrown out for publicly taking issue with anything the OSA say or do.

What worries me is that non-profit members have no influence over the strategy of the OSA, yet they are required to support that strategy, even if they disagree. Of course, they can leave and so not be bound by the requirement to support the OSA.

I will be watching the Open Solutions Alliance with a great deal of interest. What I want to know is, just how open is the Open Solutions Alliance going to be? If it is open, the OSA could be a great thing for open source. Some coordinated marketing (optimistic interpretation of their third objective) is certainly needed within open source and I would welcome it with open arms. But…

If it intends to be truly open, why was it created behind closed doors and why is its structure designed to protect its paying members but not the non-profit organisations that are the guardians of the very software on which those members base their businesses?

Resolving the “good but not encyclopedic” tension on Wikipedia

Wikipedia has a clear vision to be an encyclopedia, but editors are sometimes tempted to leave non-encyclopedic entries because they are witty, funny, well-written or just good. To resolve this tension Wikipedia has the Bad Jokes and Other Deleted Nonsense, from which the best is extracted to be kept permanently in a “best of” series.

The Best of Bad jokes and other deleted nonsense is the source of such gems as:

C is for Cookie

C is for Cookie can be regarded as a case study in persuasive oratory, emphasizing the emotional aspect of public speaking. Cookie Monster builds excitement by answering his opening rhetorical question, “Now what starts with the letter C?” with the obvious reply, “Cookie starts with C!” He then challenges the audience, “Let’s think of other things that starts with C,” before quickly replying, “Oh, who cares about the other things?” casually dismissing a whole range of other possibilities as irrelevant. Thus, having ostensibly come for the purpose of covering the letter C in its entirety, Cookie Monster has already focused his agenda exclusively on cookies, employing the classic bait and switch tactic. Several times in his presentation, Cookie Monster emphasizes what appears to be the central thesis of his remarks: “C is for cookie, that’s good enough for me!” The appealing rhythm of this slogan appears designed to entrance listeners, swaying their emotions and making them instinctively want to chant along with him. After rousing the crowd, Cookie Monster systematically lays out the logical underpinnings of his pro-cookie ideology, comparing cookies to round donuts with one bite out of them and to the moon during its crescent phase, in essence using a straw man argument that implies his opponents would advocate the superiority of these competitors over cookies. In this sense, Cookie Monster may be proposing a false dichotomy representing cookies as the only viable choice to a group of obviously inferior alternatives. But before the audience has a chance to catch on, Cookie Monster launches into another round of repetitive chanting, “C is for cookie, that’s good enough for me, yeah!” as young children sing along. Here, Cookie Monster uses a propaganda technique strikingly similar to that employed in George Orwell’s Animal Farm by the pig Napoleon, who trained the farm’s sheep to bleat, “Four legs good, two legs bad” on his cue. 
Cookie Monster then adds visual stimulation to his discourse by chomping into a large cookie, concluding his remarks with “Umm-umm-umm-umm-umm” and other chewing sounds.

Reporting on UK university open source engagement

Oxford University Computing Services (OUCS) recently published its Annual Report 2005-2006. Normally this might be a non-event, despite the great work that the staff at OUCS do (I kid you not, this building is packed with absolutely brilliant folks). But I think this annual report is worth special note because of one small section at the end of the main service reports.

3.27. Report on open source involvement at OUCS

OUCS staff make extensive use of open source software to deliver services, and take advantage of the freedom to examine the source code, fix it, and enhance it. The department recognizes that participation in community open source development is valuable for both staff development and enhancement of the University’s reputation, as well as improving the software itself for the benefit of all. However, the copyright in code created during this process by University staff typically belongs to the University, and is not distributed outside the institution without due permission.

Staff who wish to contribute to open source projects seek the permission of the Director before doing so. Requests are normally approved if the software is relevant to departmental work, and the Director is satisfied that the University is free to contribute the software in question. A catalogue of open source involvement approved in 2005-2006 is listed below.

| Date | Staff Member | Description |
|---|---|---|
| April 2006 | Ray Miller | Perl scripts for configuration management, configtool and rb3. |
| April 2006 | Oliver Gorwits | Net::MAC – Perl extension for representing and manipulating MAC addresses. |
| July 2006 | Barry Cornelius | Meeting Room Booking System (MRBS). |
| August 2006 | Oliver Gorwits | Net::Appliance::Session – interactive (SSH) session to network appliance. |
| September 2006 | Barry Cornelius | MoinMoin wiki software. |
| September 2006 | Barry Cornelius | WebCalendar application used to maintain calendars. |
| November 2006 | Oliver Gorwits | Development of our wireless services, including OWL-VISITOR |

Many universities across the UK use open source software on a daily basis. For some idea of just how many (and how much) it is worth taking another look at the OSS Watch Survey 2006. “Use” is the key word there. They use open source software, but do they engage with it?

It is virtually inevitable that infrastructure use of software at universities and colleges will throw up use cases that have not been anticipated by the software developers. Call it a feature or call it a bug, the truth is that occasions regularly arise in which staff need to write patches to fix some software for the local deployment (obviously I’m talking about open source software here; fixing proprietary software is a whole different ball game). Sometimes this really is a completely local fix, a workaround for some quirk in the way the local infrastructure was set up in the first place. But just as often a staff member is writing a patch that would be a genuine improvement to the software being used. The question you want to ask is just how hard is it for an IT staff member to contribute code to an open source project as a normal part of their work?

The answer, of course, is that it varies from institution to institution. At the University of Oxford, the Computing Services took the view that this process needed to be regularized, simplified, and most important, made clear to staff members. Reporting on progress in the OUCS annual report brings us full circle.

Is OUCS unusual in getting its engagement with open source sorted? Perhaps not. What would be great though is if I had two dozen more examples of sensible practices at universities and colleges across the UK. If you know of one, do let me know.

Microsoft, Verisign and Partners to Collaborate with OpenID

OpenID is an open, decentralised, free framework for user-centric digital identity. The goal is to release every part of this work under the most liberal licences possible, so there’s no money or licensing or registering required to play. It benefits the community as a whole if something like this exists, and we’re all a part of the community.

Microsoft and VeriSign, along with other partners, have announced that they “will collaborate on interoperability between OpenID and Windows CardSpace(TM) to make the Internet safer and easier to use.”

What interests me in this announcement is the word “collaborate”. I can almost hear the MS sceptics groaning, but is this announcement different?

OpenID was originally specified without any specific authentication method in mind. Brad Fitzpatrick, the original creator of OpenID, said, “Now people ask me what I think about Microsoft supporting it, using their InfoCards as the method of authentication…. I think it’s great! So far I’ve seen Kerberos integration for OpenID, voiceprint biometric auth (call a number and read some words), Jabber JID-Ping auth, etc…. all have different trade-offs between convenience and security. But as more people have CardSpace on their machines, users should get both convenience and security.”

CardSpace is claimed to provide significant anti-phishing, privacy, and convenience benefits to users. Scott Kveton, CEO of JanRain (another of the partners in this agreement), says, “Windows CardSpace is shipping with Vista today and is a well thought-out technology that helps address many of the privacy and security concerns that people have had with OpenID. OpenID helps users describe their identity across many sites in a public fashion. The two together are very complementary products and each has its strength.”

This looks like a true collaboration between the OpenID community, Microsoft and others. From what I have seen, all parties are happy with the deal and there appears to be no evidence of one “side” having to compromise. A true victory for open development? I think so; only time will tell us for certain.

Claiming the muddle ground

A muddle is a state of confusion. You can find yourself in a muddle. And one of the causes of muddles is unclear writing that blurs or jumbles things that ought to be distinct. Muddles are ever so hard to avoid creating when you try to explain difficult, complex or subtle concepts.

Would you be surprised to learn that a lot of writing out there falls into the muddle category? Indeed, much as we try within OSS Watch, I would even guess we inadvertently generate our fair share. Of course we try to prevent this through careful editing of our documents. And we also review our documents on a regular basis to see, as with fresh eyes, whether we have overlooked a muddle. It’s an ongoing process and we appreciate it when someone reading one of our documents spots a muddle and lets us know.

The key feature of these muddles, however, is that they are inadvertent.

What if your intent was to create a muddle, perhaps in an attempt to manipulate a market space? Although such a malicious action might involve outright lies, there is no necessity for that. A little understatement. Damning with faint praise. A few real cases where something has gone wrong for the other guy. And you are in. Because the object is not to get you to believe a falsehood, only to prevent you from learning and believing the truth. The deliberate intent to create a muddle for some other ends is sometimes called FUD: the sowing of fear, uncertainty, and doubt by one competitor or its proxies in an attempt to manipulate a market space.

I honestly don’t know how much FUD happens. But I do know a muddle when I see one. And since most people do not wish to inadvertently perpetuate a muddle, a tell-tale sign of whether you are dealing with FUD or merely a benign muddle is how the author responds to having the muddle pointed out to him or her.

So this is a plea for everyone to claim the muddle ground. And we’ll work together to clear it up.