Archive for October, 2007

Effective decision making in community projects

[This is a post I originally made in March 2005 when working on volunteer projects in the Caribbean region. I recently rediscovered it and figured it was just as appropriate to my new community here at OSS Watch. Interestingly, I was using an open source technique to inform decision making processes in volunteer projects that were not necessarily software related, although they were usually IT related. Now I find I have come full circle and use the same post in an open source context. I have edited it slightly to make it fit this new context better and to remove some of the original links which have since disappeared.]

One of the toughest things in any community led project is balancing effective decision making controls against a constricting set of rules and regulations designed to protect the core objectives of the project. Some time ago Sylvain Wallez looked at the approach of the Cocoon project. His observations are interesting, educational and equally valuable to volunteer projects of any type, not just open source projects, so we have many lessons to learn.

Sylvain observes that whilst a meritocracy successfully identifies the right people to invite into the project, it is not on its own an effective way of keeping the community vibrant. In order to survive, a project must be continually active; to be continually active, decisions need to be made quickly and contributions need to be encouraged rather than restricted by a lengthy decision making process.

Contributors do not want to waste effort on work that will subsequently be rejected by the community. Consequently, in an ideal world, one would get community consensus before making a contribution. However, in some communities (far too many in my experience) it is too difficult to gain consensus and so one simply does not bother.

If the effort of gaining consensus is too great, this stifles contributions to the project. Contributions start to dry up and the project may eventually die through lack of activity.

Lazy Consensus

Most Apache projects, and many other successful open source projects, use the concept of lazy consensus to solve this problem of gaining consensus efficiently. Whilst I have grown to love this method through my work on open source projects, I strongly believe it is applicable to any community led project.

With lazy consensus the idea is that a potential contributor notifies the community of their intentions. For example, they may say “I intend to do XYZ; unless someone objects within 3 days I will go ahead with this.” This notification can be made in any form that the community accepts, such as via a mailing list or a shared document space with community notification devices (or in non-technical speak, a village noticeboard ;-) ).

The key benefit of this approach is that in the absence of an objection one can assume one has consensus. Community members with no objection and nothing to add to the contribution need take no action. Only those people who believe they can help improve it, or who believe there is a flaw in it, need spend any time on the proposal.

A further advantage of lazy consensus is perhaps the most important one. Lazy consensus removes the risk of slipping into despotism, since community consensus is still required. No contribution is made without the implicit approval of the community, and so nobody can cry “foul” at a later date.

Access from Prisons

[Photo: Beautiful morning, by Stuart Yeates]
This morning, while talking to Niall Sclater (Director of the Open University’s VLE Programme) at MoodleMoot about barriers to migrating the last of the Open University’s paper courses to electronic courses via Moodle, he pointed me to a great pilot underway in some of the roughest prisons in London.

The POLARIS project trial is rolling out access to educational websites into a number of London prisons, including Wormwood Scrubs and Belmarsh. Apparently Belmarsh, with its population of very high security inmates, is less of a problem than some of the others, which have much higher rates of turnover.

Rolling out access into such places puts a whole new emphasis on the security of the applications used in educational institutions. It’s worth noting that the OU (for whom prisoners represent a small but significant number of students) has just spent a great deal of time and effort rewriting the roles and security in Moodle.

Commercial re-use or not?

An interesting question relating to open content from Brian Kelly:

But should I be taking a more liberal approach, I wonder? Should I permit commercial exploitation of the content? This, after all, has been the approach taken in the open source world, which provides an environment for commercially-viable software vendors to thrive.

First, let me state my “expertise”. I do not consider myself an expert in open content issues, but I do have over 10 years in active open source development. This does not entitle me to a fully considered answer to Brian’s question; in fact it may cause me to confuse the two issues. However, as ever, I do have an opinion, so here it is…

Open source allows commercial exploitation in order to give people a reason to contribute. There are many other reasons, but this one is often the clincher, especially for sizeable contributions. Commercial use of open source works because the value of most software is not in the software itself but in the provision of value-added services around the software.

Another common reason for creating and managing open source software is to add value to a brand. In this case the originating organisation doesn’t care about making money from the software; instead what they want is to spread their brand as far and wide as possible. So commercial re-use is just another way to spread their brand message to a wide audience.

I would suggest that, when deciding whether to allow commercial re-use of open content, one needs to think about where the value of the content lies for you. Unlike software, it is not easy for people to add value to content. There are exceptions to this, such as Wikipedia, but they are the exception rather than the rule. Consequently, the idea of allowing commercial re-use of content in order to attract new contributors is not normally applicable, but brand enhancement through wider re-use may be a different story.

In this post I am aware that I have greatly simplified the business models for open source and open content. I’ve kept things simple in an attempt to focus on the important issue: is commercial use complementary to our objectives in creating content?

Personally I see no reason why Brian should not allow commercial reuse of his content, just as OSS Watch does. In OSS Watch’s case we are paid to produce our content in order to enable us to share information and encourage comment on our developing understanding of a domain. If someone can help in that aim by using our outputs in a commercial setting what harm can it do?

I’m sure Brian would appreciate your thoughts on whether he should allow commercial reuse. Here at OSS Watch we would love to hear if anyone thinks we have made the wrong decision.

Hands Off My Tabs: A GNU/Linux Patent Suit

On 9 October a company called IP Innovations LLC filed suit against two major GNU/Linux vendors, Red Hat and Novell. The complaint (pdf courtesy of Groklaw) cites the infringement of three venerable patents now held by IP Innovations, relating to the presentation of user interface elements on a desktop. While parsing the precise extent of a patent’s claims is something best left to professionals, there seems to be near universal agreement that these patents cover, among other things, the use of tabs to allow a single window to display separate sets of tools or controls. IP Innovations successfully obtained a settlement from Apple back in June after filing suit for infringement of the same patent set.

IP Innovations’ complaint asks for an injunction against Red Hat and Novell, stopping them from distributing “the Red Hat Linux system; the Novell Suse Linux Enterprise Desktop; and the Novell Suse Linux Enterprise Server”. It also asks for increased damages to be awarded due to Red Hat and Novell’s “willful and deliberate” infringement. Increased damages can amount to as much as three times the royalty that IP Innovations might have expected if a proper licence had been negotiated before distribution.

Naturally the Linux community is livid. Many have jumped to the conclusion that Microsoft is somewhere behind this action, particularly in light of the fact that some ex-Microsoft staff have recently joined the senior management of IP Innovations’ parent company, Acacia. Steve Ballmer, Microsoft’s feisty CEO, recently predicted that Linux would soon be hit by patent claims from third parties. The filing of this suit just over a week after that speech strikes some commentators as suspicious, particularly as one might imagine that Microsoft itself would have been a more lucrative next target. After all, these patents are old and due to lapse late next year, so the window of exploitation is rapidly closing.

Despite these suspicions, no firm evidence has emerged to link Microsoft to Acacia. IP Innovations responded to the blog-storm that followed the announcement of the suit, describing the arrival of the former Microsofties as “‘normal’ business behavior” (their quotes around normal, mysteriously) and stressing that their suit should not be seen as an attack on open source, perhaps fearing the fervent and bitter opposition that such an attack would inevitably unleash:

“IP Innovation is not attempting to inject itself in the ongoing philosophical debate of whether products or services which utilize open source are subject to the same intellectual property laws/behaviors as non-open source offerings… Acacia and its subsidiaries do not philosophically differentiate any company, but rather seek to consistently and fairly monetize patent rights from those companies which incorporate patented technology.”

Acacia are an example of what some critics call a ‘patent troll’; a less loaded term is ‘IP holding company’. The business model of such companies involves spending money acquiring patents and then making money by forcing unauthorised users of the patents to take out licences, or by extracting money from them via the courts. One of the reasons that this is a particularly lucrative area of business is that holding companies are difficult to retaliate against. If a manufacturer decides to take a competitor to court for patent violation, the result is often a counter-suit from the competitor. After all, they are likely to be doing many of the same things, and to both own patents in that area. Rather than risk injunction (legally enforced withdrawal of the infringing product), the competitors will often reach an out-of-court patent cross-licensing deal that allows both to continue selling their wares. With an IP holding company there is no competitive product and thus no vulnerability to injunction. Big IT firms like Microsoft have been complaining for many years that such companies stifle innovation and are over-protected by the legal system. Last year the US Supreme Court seemed to endorse that view, ruling in eBay v. MercExchange that companies who are not themselves exploiting a patent might not deserve the automatic injunction against infringers that they had formerly received as a matter of course.

So IP Innovations’ request for an injunction against Red Hat and Novell will now have to be considered in the light of that decision. The court must balance the loss being suffered by the plaintiff against the damage done to the alleged infringer, and select a remedy that evens the score. Injunction is generally considered to be a very damaging remedy, which is partly why IP holding companies have been able to scare manufacturers senseless for so long…

Of course, in the case of distributors of GNU/Linux, any outcome that involves payment of a licence fee is far more damaging than would normally be the case. The GNU General Public License, under which the Linux kernel is licensed, forbids a distributor from distributing if they cannot do so unencumbered. Paying a licence fee to IP Innovations would be just such an encumbrance. In the case of these particular patents it might not be such a problem; after November next year the patents will have lapsed and the technology will be available for all to use without a licence. If the patents had longer to run, though, a finding that GNU/Linux infringed them could result in a general inability to distribute, and the effective commercial death of the OS.

Selling free software

Two weeks ago we received an email from a user who had been sold a copy of The Gimp (an image editing program) on a leading on-line trading website, without realising that he could have downloaded it from the project’s homepage at no cost. When he complained to the seller, he basically got laughed at.

Although this does not look very ethical, what the seller did is (quite likely) perfectly legal. The Gimp is distributed under the GPL. This means that the software is free in the “freedom” sense, but not that it has to be provided free of charge. In fact, the GNU project’s position on selling free software is clear:

Many people believe that the spirit of the GNU project is that you should not charge money for distributing copies of software, or that you should charge as little as possible — just enough to cover the cost.

Actually we encourage people who redistribute free software to charge as much as they wish or can. If this seems surprising to you, please read on.

Free software is quite unusual in that it is written by somebody who uses their copyright ownership to grant others the right to do with it as they please, as long as it remains free software. And this includes selling it for any amount of money.

In most cases free software projects release their programs at no cost. If they did not, somebody could buy a copy and then redistribute it at no cost. Free software business models focus instead on other revenue streams, e.g. selling support to customers. Unfortunately, in this case the seller was not trading on a product or service but on the buyer’s lack of awareness.

New OSI licences from Microsoft

The Open Source Initiative have announced the approval of a pair of licenses from Microsoft. The Microsoft Public License (Ms-PL) and the Microsoft Reciprocal License (Ms-RL) are:

…refreshingly short and clean, compared to, say, the GPLv3 and the Sun CDDL. They share a patent peace clause, a no-trademark-license clause, and they differ only in the essential clause of reciprocation. (slashdot)

This is another step on the road to open source for Microsoft, a road already marked out by projects like WiX, an open source licensed packager for Microsoft Windows systems. Hopefully these new licences will mean that more projects native to Microsoft platforms (such as those at CodePlex) will use an open source licence.

Personally I’m a little worried about the Ms-RL’s use of the word “file,” a technical term used without definition, which sufficiently well-paid lawyers could probably cause problems over: “What if it’s in an email, not a file?”, “What about when it’s embedded in hardware?” etc. But then I’m not a lawyer, so I may have the wrong end of the stick.

Closed Vs Open Source Security

A recent post on the How Software is Built blog (often a good read) seems to be very confused about open vs closed source quality control processes, especially with respect to security vulnerabilities. Unfortunately this is one of those posts that reminds the reader that the blog is sponsored by Microsoft.

First we have the question:

In this day and age, isn’t it easy enough to quantify vulnerabilities?

A comment from “Swashbuckler” gets the answer exactly right. Quantifying known vulnerabilities is easy, but quantifying unknown vulnerabilities is impossible. No tool or QA process will allow you to quantify unknown vulnerabilities.

Software quality is not only about the bugs you know exist, it is also about the ones you don’t know exist.

OK, so that one may be an innocent mistake on the author’s part; after all, it was phrased as a question (albeit a rhetorical one). However, the post then goes on to say:

I simply don’t get the same feeling from the open-source people we’ve talked to. When we’ve brought the subject up, the response is almost universally “many eyeballs,” and faith (without data) that “many eyeballs” is effective.

OK, I don’t know who the author has talked to, but it is certainly true that some projects, be they open or closed source, rely on haphazard QA processes. So this statement alone doesn’t bother me too much, but it is followed with:

Am I completely off base? Do things like the Linux kernel and Apache go through rigorous security reviews?

So the author has not talked to two of the communities where security is critical. If the author does not know the answer to this question then they have no right to make the previously quoted assertion.

The answer, by the way, is yes. Both Linux and the Apache web server go through rigorous security reviews.

Many people (errr… many eyes) use the cutting edge code in development and run their internal security tests before rolling it out across their multi-million pound businesses or embedding the code in their multi-million pound revenue generating software/hardware products. The many eyes principle is not just about people reading code contributions, although that is an important part of it. It is also about many eyes on the development as it happens, as opposed to after it is released as a QA’d product.

The author then asks:

Is there proof that “many eyeballs” in open source is at least as good as something like the Security Development Lifecycle in Microsoft?

Both Linux and Apache, the examples chosen by the author, see significant contributions from staff at companies like IBM, Sun, Oracle, Red Hat, HP, Google, Amazon, Yahoo!, Facebook (and so on). Does the author really think that these multi-million pound businesses just take the latest Linux or Apache web server release without testing it? Does the author really think that they don’t get involved with a new release during the QA stages of development? Does the author really think that they sink developer resources into these projects but ignore the QA process?

Of course, there are also all the smaller businesses who work on development too; they are part of the QA process as well.

That’s what “many eyes” means. I can’t tell you if it is better or worse than any other QA process. However, I would bet that companies who use open source to drive their multi-million pound businesses feel that their own organisations’ QA processes are “at least as good as something like the Security Development Lifecycle in Microsoft”.

Free WiFi wherever you go

FON has been doing it for some time, and with some success (I use it myself). Now that BT have partnered with them this could really tip the balance; maybe we really will get free WiFi wherever we go…

With your help we’re building the world’s largest Wi-Fi community. You allow other members to securely log onto your Wi-Fi and in return you can securely log onto the hundreds of thousands of other Wi-Fi connections in the network. Best of all, there is no cost. (from BT FON web site)

If you are ever in my neck of the woods you’ll be able to use my bandwidth. Why don’t you join up and return the favour (you don’t need to be a BT customer).

Why is Facebook labelled as a fad?

Brian Kelly wonders why some software products are considered to be fads and why some are not. He says:

The Apache server software saw steady growth in its use from its launch. But I never heard anyone criticise Web server administrators for being fashionable, or doom merchants predicting that the growth would come to an end and, therefore, there is little point in using the software.

And yet such arguments are being made when other software, such as Facebook, becomes popular. Why is this, I wonder?

Here’s my take:

Facebook has limitations that cannot be worked around. It forces me (as a user) to work the way they want me to, and their method of working is inefficient (at least for what I am trying to achieve). As a result I don’t see the value and I, possibly rashly, label it as a fad.

In contrast, the Apache web server can be customised to work the way I want it to. I’m not forced to follow someone else’s way of working, although I can choose to do so if I agree with the fashion. In other words I can choose to set the trend or follow it. Having options means there is a greater chance of retaining your market.

Brian then goes on to hypothesise that:

I think this is because services such as Facebook don’t fit in with the ideology of the ‘chattering classes’ – it’s not, open source, for example. And, unlike Apache, there is a lot of money associated with Facebook, with large companies (such as Microsoft and Google) looking to invest in the company.

This is a common mistake. Open source is not (or at least should not be) an ideology of the “chattering classes”. It is a development methodology that gets real work done, for real people, in real profitable organisations.

It’s interesting that Brian claims that there is no money being invested in the Apache web server. Who does he think pays for the people who develop it? The server is embedded in a huge range of high profile commercial products from a very large range of companies, much larger than those reported to be interested in Facebook. If the Apache web server were not owned by a non-profit I suspect its valuation would be far higher than Facebook’s.

Sure, there is money associated with Facebook, but nothing truly significant in terms of profit. On the other hand, there are huge profitable organisations that are fully dependent on the Apache web server and sink considerable amounts of money into its development.

I therefore cannot agree that the reason some users like Facebook and others do not has anything to do with money, at least not if we ignore the chattering classes and listen to those with opinions we value. Instead I think it is more to do with the ability to make the product do what you want. Of course, for every person claiming it is a fashion there is another claiming it will be here for ever. We should listen to those voices too.

Brian says “as professionals we should base our judgments on evidence, rather than beliefs and, if the evidence shows that our beliefs aren’t working, then we may need to modify our beliefs, rather than ignore the evidence.” I fully agree.

Can anyone show me the evidence that Facebook is not a fad? I doubt it.

Can I show you the evidence that Facebook is a fad? No, I can’t.

Brian then goes on to cite the Netcraft survey as evidence about the changing fashions in the server market:

On the other hand, maybe Apache is starting to become unfashionable; after all, as a recent Netcraft survey reported, “its market share [is] declining closer to the 50% mark, as Microsoft … gained over 3 million hostnames”.

Sorry, I don’t see that as evidence. Look past the headline that Brian quotes and take a look at the historical figures in the survey (they are on the page Brian links to).

The Netcraft survey shows there has been no real change in market penetration since Dec 2001 for either Apache or Microsoft, and no significant change for Apache since Dec 1999. What we are seeing may be just another short term fluctuation, or it may be the start of a genuine change in market make-up. It is impossible to tell from the survey data.

Statistics can be used to prove anything; only time will tell us the truth. The same is true for Facebook: having a huge number of users today is not evidence that they will have users tomorrow. It is dangerous to ignore the evidence of the past failures of walled gardens in the Internet space (e.g. CompuServe, Telecom Gold, Minitel, Prestel and AOL) when compared to the flexibility of a truly open system. Only AOL survived, by tearing down its walls. The dot com boom and bust saw similar results: the only really significant players from those early e-commerce days that held out were Amazon and eBay, both early adopters of the open API approach to their data.

All this is hardly conclusive evidence, but it is why I tend more to the “fashion” side of the argument. Of course, my opinion is based on history and we all know that history is not an accurate indicator of the future. Unfortunately, for me, history is all I have (apart from my gut instinct, that is).

Use the fork, Luke

Open source means (amongst other things) that you have access to the source code. But what if you have no intention of even looking at the code, is access to the source code important to you?

It should be.

To illustrate why, let me paint a picture:

Your IT department has installed a new piece of software across all desktops in the organisation. Your users like it; in fact, it becomes a key part of their daily life. Everyone is happy.

Over time the software improves and bugs are fixed. It’s time to upgrade to a newer version.

It’s going to cost money, so you enter a new procurement phase: the decision is whether to upgrade to the latest and greatest version of the current solution or switch to another solution. The upgrade is cheaper in terms of technical, licence and training costs, and the competitors are not significantly better, so upgrade it is.

[Notice that up to this point it makes no difference whether you have access to the source or not.]

More time passes, technology has moved on and your users are demanding another upgrade so they can do all the latest cool stuff. Time for a new procurement phase.

Now, let’s imagine that the company behind your chosen product has decided to stop supporting it. It is at this point that access to the source becomes important.

A closed source product would have been left behind: there would have been no development from the point at which support was withdrawn. You have limited choices: stick with the old version or switch to another product.

On the other hand, an open source solution may have been picked up by any of its users, or more likely by a community of its users, and development could have continued. If nobody has picked it up, you now have that option: instead of spending money on a new product, data conversion and retraining, you could take the code and start a new project, either with internal resources or by paying a third party. Of course, you could still choose to switch to another product, but remember that your data conversion costs will almost certainly be lower, since you have access to the source code of your existing solution.

This is exactly what happened recently when Linspire chose to discontinue development of their web authoring system Nvu. Users created a new community and have just made a bug fix release.

We don’t like to fork open source projects, but sometimes, if the original community is broken, we need to. It is the potential to fork that makes open source sustainable.