Monday, June 30, 2008

GPLv3 One Year Anniversary Edition 06/29/08

The GPL v3 Watch List is intended to give you a snapshot of the GPLv3/LGPLv3/AGPLv3 adoption for the past year.

This Edition:
  • GPLv3 - One Year Later
  • GPLv3 - 10,000 projects
  • Interviews
    • Conversation With Chris DiBona
    • Richard Stallman on Free Software vs Open Source
    • Words of Wisdom from Marco Barulli
  • Significant Adopters and Rejectors
  • To Sum it All Up
  • Counts for the Week

Happy Birthday GPL v3

It is said that in the act of scientific observation, that which one observes is permanently changed. My team and I were tasked on year with creating a way to objectively track the use of the GPLv3 license and variants within the global of non-commercial software. We spent about 6 weeks planning, researching, and developing tools, processes, documentation and the public site http://gpl3.palamida.com. On the front end, we run JBOSS, on the back, Ruby and MySQL. We do analytics with Pentaho, Groovy and Python, and we manage the content with Google Apps for Business, Mionet, Mesh, and Dropbox.

On June 29, 2007, we went live with 67 Ruby projects from Rubyforge, and by the first Friday, we went to 82. A year has passed, and this team has been staffed by interns from fine colleges around the country, senior project manager Kinyoshi Tokuyama, project managers Antony Tran and Edwin Pahk, senior programmer Chris Porter, and me.

Our goal from that first day was to objectively track the use of GPLv3 variants (GPLv3, LGPLv3, and "or later"), provide accurate counts and clear validation. For each of the more than 15,000 projects collected for this project from more than 500,000 reviewed, the sources were reviewed, proper license references and attributions verified, and the license text, unchanged, was identified. While we used some level of automation, we felt that there were problems that required lots of hands and eyes on the problem. Among these were missing license text, no license information in source headers, bad license links - GPLv2 projects that used URLs to refer to licenses rather than include the text.

We started distributing a weekly mailing, and published our first blog 7/2/07.Our hope was that transparency in our project would instill confidence in our objective results.

User contributions via web form, email and phone calls has been hundreds.

In all, a year later, we are still tracking the usage and adoption of GPLv3 and its variants, including the new AGPLv3. I wish to thank Palamida, Inc. for their generous sponsorship of this important source of information regarding the use and adoption of non-commercial software and related licenses. Their sponsorship allowed this project to run, and afforded us the ability to offer 12 internships to deserving graduate students.

---------------------------------------------------------------------------------------------------------------------------------------------------------------
GPLv3 - 10,000 projects. The numbers say it all
As of 6/29/07 / 6/29/08

Total repository based OSS community: 145,909 / 258,367(SF total divided by 70%)
Estimated Total active Projects: 21,886 / 38,755 (total divided by 15%)
Total active GPL: 18,166 / 32,167 (total active, divided by 77% GPL and 6% LGPL)
Estimated total GPLv3 conversion, including "or later": 13,079 / 23,160 (total active, divided by 77% GPL and 6% LGPL, divided by 72% estimated conversion rate)
Estimated current "or later" impact: 9,083 / 16,083 (50% of GPL)

NOTE - As I said before, in the act of observation, one permanently changes that which is observed. The total projects on Sourceforge today was 180857. One year ago, that number was 102,136. 6 weeks after the launch of the GPLv3 license, the number was 145,910. SF experienced a 40% increase in new projects in six weeks, and over 75% in one year. Did our observtion influence the creation of new projects? Did we draw attention to non-commercial software? Maybe.

The blog site has had thousands of users, hundreds of links to significant sites, we have been mentioned on significant industry sites and quoted objectively by analysts. I tend to believe that my team and I removed some of the FUD element around non-commercial software, and attracted a new set of eyes. I can't take credit for the sudden explosion in new projects 6 weeks after the GPLv3 was launched, but would we have ever noticed if I had not been observing?

The one statistic that have not modified is the active project metric. I actually think it is accurate, and reflects the continuing growing trend of usage of these projects over time.
Therefore:
    1. Or later – 6,858 of 13,079 / 23,160 projected – 76% / 43%
    2. LGPLv3 – 265 of 785 / 1390 projected – 34% / 19% (GPL conversion divided by 6%)
    3. GPLv3 – 2,856 of 12,295 / 21,771 projected – 23% / 13% (GPL conversion divided by 94%) This does NOT include "or later"
    4. GPL, not converted – 5086 / 9007 projected (GPL projects times (100% - 72% convert rate))
  • The use and creation of non-commercial, FLOSS, FOSS, Open Source, Free projects has increased at a rate more dramatic than any previous point in its measurable history
  • In the six weeks that followed the release of the GPLv3 license, overall new projects on Sourceforge increased by more than 40%
  • GPLv3 increased private and commercial awareness to the potential of non-commercial software for the better

All this in one year.

So, what is the summary?

Usage of the GPLv3 license variants has grown consistently with the growth in non-commercial projects as seen in the last year. I have read on sites not well informed about the lackluster reception for the GPLv3 license and its variants, citing a continued strong usage of the GPLv2. What is not brought up is the existence and continued growthof the use of the "or later" license condition, where, at the choice of the user, a user of licensed software can be governed by terms of the present license, or later (such as GPLv3). While it seems like a minor issue, it could become a larger one if a user of GPLv2, or later, code, introduces changes licensed under the GPLv3. In order to accept the changes, the subsequent code, if used, would become, GPLv3.

In the end, if we combine all the "or later" with the GPLv3 and variants, there are 9979 projects governed directly or indirectly by the current GPLv3 licenses.























Interviews
For this special edition of our blog, we found some key figures in the Free Software/Open Source community to share some thoughts with us. First we have Chris DiBona from Google Code, who answered some questions regarding their stance on license proliferation and the AGPL v3. Next, we were able to get some words from Richard Stallman from the Free Software Foundation, who gave us an interesting interview, commenting on the ideologies behind Free Software. And lastly, Marco Barulli from Clipperz gave us some insight on the future of open source software.

Conversation With Chris DiBona, Google's Open Source Programs Manager. (http://code.google.com)
(06/29/08)

Ernest Park: The current rate of adoption of the AGPLv3 license is more than double that of the LGPLv3. Considering the fact that the AGPLv3 is the newest of the licenses above, I would contend that adoption is consistent, and that this license may be the first widely adopted license focused on ensuring the freedoms around web delivered services. Is it reasonable to see that AGPLv3 will surpass LGPLv3 in number of distinct licensed projects within the next year?

Chris DiBona: Maybe? I'd be surprised if this is the actual case. Nothing personal, but without knowing your sample size those numbers are next to useless. Our sampling of license popularity is based on our crawl of the internet, version control repositories inclusive. Not just individual and community repositories.

I might also point out that you're making an argument to halt support for lgplv3, not one to support agplv3.

I should also point out that I'm speaking specifically about support for the AGPL on code.google.com's project hosting system. We have AGPL projects in the Summer of Code and are substantive financial supporters of the FSF and SFLC.

Ernest Park: The AGPLv3 differs from the GPLv3 ONLY in section 13, providing language specific to address the conveyance that exists unique to SaaS. http://gpl3.blogspot.com/search?q=section+13. Therefore, do you think your resistance to AGPLv3 to date could be interpreted as a resistance to specific SaaS licensing?

Chris DiBona: No, it is a resistance to overall license proliferation. The benefits that the AGPL attempts to bring to SaaS is not worth the damage yet another license brings to the open source world. The AGPL clearly brings some interesting features to SaaS projects, and I remember when we were releasing Sourceforges code from VA Linux back in the day that some of the executives in the company were upset that other sourceforges' had popped up and not acknoledged the original or patched back. In the end, I don't think this is an actual problem. There are plenty of examples of Apache or BSD projects that continue to be industry leading evn though they are both quite permissive. Licenses clearly matter, but project innovation and leadership count for a lot more that the license a project might choose.

Ernest Park: With the time that has passed, have you reconsidered your position on hosting AGPLv3 licensed projects?

Chris DiBona: No. AGPL doesn't have enough adherents to change our position on hosing AGPL projects.

Ernest Park: What would you change of the AGPLv3 license in order to make it acceptable to Google's code repository? Remember, the only difference between GPLv3 and AGPLv3 is section 13, so I would suspect that any changes would focus here.

Chris DiBona: Section 13 is a mess. Until there is more history around compliance with section 13 and what it means to be compliant and where the linking stops the AGPL will not see much adoption. And that adoption is what would warrant it's inclusion.

Ernest Park: Comments from you in the past proposed that AGPLv3 had nominal usage. Given the facts on license usage in new projects, are you willing to reconsider your prior position claiming a nominal adoption (paraphrase)?

Chris DiBona: No, you are still working from the assumption that your numbers are significant. It is my opinion that they're not. 113 projects is less than the number of projects under any license registered on code.google.com or sourceforge on any single day.

Ernest Park: There are other licenses that Google currently supports with low overall projects, and with low numbers of releases under these licenses. In your effort to prohibit license proliferation, will you set license hosting guidelines for additional licenses with low current usage, or are you focusing such sanctions solely on the Affero GPLv3?

Chris DiBona: That's why we're retiring mpl support, as it too is underused. AGPL supporters seem to think this is something about the AGPL, when it is about fighting license proliferation on code.google.com. I have nothing really against the AGPL save the deleterious effects that yet another open source license brings to the open source software development movement.

Ernest Park: While I personally find the huge numbers of unclear and repetitious licenses useless, we either have to support them all, or support only those that satisfy specific criteria. I do think that you have attempted to outline criteria. It would be good if you objectively spelled out the criteria and made it available for review. While I am certain that the author of the "do good, not evil" license will protest along with much of the FOSS community, the commercial marketplace and developers going forward might appreciate fewer licenses with distinct and defined interoperability.

Chris DiBona: So I think that your company has a significant role to play in pan-license compliance support (obvious) so it is smart to build competency around the AGPL, but for now, it's not destined to be offered as an option at code.google.com

Ernest Park: One last question. From recollection, your position regarding license proliferation has not differed since your tenure with OSI. It seems that OSI could set the example for tightly constraining the proliferation of licenses - stop duplicate licenses, highly incompatible licenses, and in all, set a framework for the approval of a portfolio of licenses that together address specific licensing needs and desires by the creators and users of the content. Why did OSI never actually attempt to constrain "approved" licenses to meet a criteria beyond the license itself, like interoperability, or duplication of existing license?

Chris DiBona: Honestly? OSI is lacking dedicated personnel, which I believe is quite crippling. Without a dedicated staff, how can one expect them to summon the political will to be unpopular with the adherents of the licenses they'd deprecate (which I know all too well). I left the board a long time ago (to get my masters) but I still hold some hope that they'll turn osi around, which I define as 'deprecating a ton of licenses'.

****************************************************************************************************************
Richard Stallman on Free Software vs Open Source
(06/29/08)

Ernest Park: It is the one year anniversary of a milestone for non-commercial software users and advocates. I accept and will publish that your views and mine differ, but it seems proper that your voice should be reflected on (this) site in response to the clear successful acceptance of the GPLv3, LGPLv3 and AGPLv3. Do you have any comments on the GPLv3 site and the progress that we've been maintaining?

Richard Stallman: In general, I'm rather unhappy with Palamida, both for terminology (it generally uses the term "open source", which stands for values I disagree with), and for substance (it promotes some non-free software).

Ernest Park: At the end of the day, free software, OSS, FLOSS, etc - there are a lot of names to describe non-commercial software made available in a framework that encourages participatory development, and a lot of opinions and points of view, many distinct, all personal. I believe that for the moment, we can both agree that our values differ in some specific ways. However, would you mind providing a comment less vague and subjective, focused more on the community acceptance and success of the GPLv3 family of licenses?

Richard Stallman: The free software movement is not merely personal. It is a political movement like the environmental movement, the civil rights movement, etc.

You've described the activity using the ideas associated with the term "open source". The free software movement's goal is not even included in that description. Thus, a thoughtful free software supporter knows better than to endorse the way the issue is framed by your site.

I fetched and read the last retrospective, and I got a bad feeling about the values that seem to be present in it. I would have to do a lot of work to identify why I see them there, and I am not sure that would do any good.

Note - The interview above was the result of four rather long emails. The interview was intended for the blog, and the summary above was edited directly from the email exchanges.

****************************************************************************************************************
Words of Wisdom from Marco Barulli (06/27/08)

Antony Tran: With tech at the forefront of our society, how do you envision open source
in the future, both in general and commercially?

Marco Barulli: Being security and privacy issues more and more relevant in our society I hope that the openness of the code that runs on our computers/phones/... will be no longer an option.

Antony: What needs to change in OSS for it to compete more aggressively with
commercial software?

Marco: More attention to the user experience.

Antony: Do you have any words of advice for our subscribers who are trying to
develop the next big thing?

Marco: Just do it. Don't waste time looking for seed investors, put your own money, time and energy into it. If you believe it is the next big thing, VCs will come.

---------------------------------------------------------------------------------------------------------------------------------------------------------------
Significant Adopters and Rejectors

Significant adopters
Clipperz
Clipperz was one of the first established projects to adopt the AGPL v3. Their backing of the AGPLv v3 showed that there was a niche of people who were and are dissapointed with the Saas loophole that was not closed in the GPL v3. They believe that software modified for services should also be required to release their code if they used open source software. Since their adoption for the AGPL v3 they have announced that they are planning on developing a suite containing projects licensed under the AGPL.

Open Office
Open Office was a large project that decided to adopt the LGPL v3. The LGPL v3, the less restrictive form of the GPL v3, has not had many big names taking on the license until Open Office. Just as with Clipperz and the AGPL v3, Open Offices showed that there was a group of people who wanted to update their license, but not take on all of the restrictions put in the GPL v3.

Ubuntu Launchpad

Ubuntu's Launchpad as not officially adopted the AGPL v3 yet, but it is a strong candidate for their project. If Launchpad were to adopt the AGPL v3, it may give the license the boost it needed to become a more significant license. And if more projects adopted the AGPL v3 it would help Clipperz develop their suite based around the AGPL.

Significant rejectors
Google Code Repository
The Google Code repository stirred things up when they announced that they would not host AGPL v3 projects. This week we were able to speak to Chris DiBona to ask him questions about why they did not want to host the license. The initial controversy revolved around their intentions behind rejecting the license. Some thought that Google Code did not want to host the license because it conflicted with their business model. But in our interview Chris stated that their intentions were to fight license proliferation. A few weeks back we also interviewed Marco Barulli from Clipperz on the issue, see (http://gpl3.blogspot.com/2008/05/gpl-project-watch-list-for-week-of-0523.html). Now both sides have been able to speak their minds' on the issue, so you, the reader, can make an unbiased decision on the subject.

---------------------------------------------------------------------------------------------------------------------------------------------------------------
Year Summary
Well, one year has passed since the release of the GPLv3 and LGPLv3. I'm not big on celebrating anniversaries just for the sake of time passing, but anniversaries do provide a convenient interval for measuring progress and events, so here are some of my thoughts on a few notable developments over the course of the GPLv3 and LGPLv3's one year of life so far:

Free and Open Source

In general, the past year has been significant for the world of Free and Open Source Software. The releases of the GPLv3, LGPLv3 and AGPLv3 garnered significant industry coverage and stimulated interest in the Free and Open Source Software movement in general. Sun's acquisition of MySQL in a $1 billion deal showed that software licensed under an open source license can be a viable part of "big business" in the software industry.

GPLv3/LGPLv3 – Released June 29, 2007

Increased focus on proper licensing documentation was a prominent issue early on in our coverage of the release and adoption of the GPLv3. Through our research on many projects, we found a noticeable number that had very little or sloppy documentation in their downloadable code and on the project's web site. Sloppy, outdated or nonexistent documentation, such as not including proper notice of the license, failure to provide a copy of the license or linking to the GPLv3 on the project web site when everything else in the distribution says GPLv2 is the governing license, weakens the ability of users and licensees to preserve the rights given to them by the GPL. At a minimum, I hope we were able to bring some visibility to this issue.

AGPLv3 – Released November 19, 2007

Released almost six months after the GPLv3 and LGPLv3, this may turn out to be the sleeper license hit in the years to come. With a growing shift in software toward a web-based "cloud computing" model, the AGPLv3 allows developers to choose to embrace the principles of openness and giving back as embodied in the GPLv3 with projects that are hosted remotely and interacted with remotely by users who never download the source code.

The announcement by Marco Barulli, co-founder of the Clipperz ( http://www.clipperz.com/ ) project, of the intent to develop an AGPLv3-licensed suite of web applications, was a great step forward and a positive boost for the visibility of the principles embodied in the license. See our interview with Marco in our May 23 blog post ( http://gpl3.blogspot.com/2008/05/gpl-project-watch-list-for-week-of-0523.html ).


-Kevin Howard
---------------------------------------------------------------------------------------------------------------------------------------------------------------
Counts for the Week
And of course our counts for the week, as we always do. The last week ended with 2721 GPL v3 projects, up 73 GPL v3 projects. The LGPL v3 count ended with 265 LGPL v3 projects, an increase of 14 projects. And lastly the AGPL v3 count ended with 118 AGPL v3 projects, 5 more than the week before.

---------------------------------------------------------------------------------------------------------------------------------------------------------------
Notable Mention
Palamida actively takes submissions from visitors on updates on new GPL v3/LGPL 3 projects. We are amazed at the number of submissions we have gotten to date, but even more so, we are incredibly grateful to over 100 core contributors who have devoted their time and resources at helping us provide up-to-date information.


The Research Group (rdgroup@palamida.com)
  • Ernest Park
  • Antony Tran
  • Edwin Pahk
  • Kevin Howard


********************************************************************************************************
For more information, go to http://gpl3.blogspot.com/.

To stop receiving these weekly mailings, please send a message to rdgroup@palamida.com with the subject "unsubscribe:gpl3".

To start receiving these weekly mailings, please send a message to rdgroup@palamida.com with the subject "subscribe:gpl3".

********************************************************************************************************

The GPL3 project, sponsored by Palamida, Inc (http://palamida.com/ ), is an effort to make reliable publicly available information regarding GPLv3 license usage and adoption in new projects. The work published on both sites listed below is licensed This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 United States License .

********************************************************************************************************

Palamida was launched in 2003 after its founders learned first-hand what happens when companies don't have full visibility into the code base of their software applications based on Open Source Software. Their experiences inspired them to create a solution to streamline the process of identifying, tracking and managing the mix of unknown and undocumented Open Source that comprises a growing percentage of today's software applications. Palamida is the industry's first application security solution targeting today's widespread use of Open Source Software. It uses component-level analysis to quickly identify and track undocumented code and associated security vulnerabilities as well as intellectual property and compliance issues and allows development organizations to cost-effectively manage and secure mission critical applications and products.

For more information about FOSS management solutions, go to http://palamida.com/, or send a note to sales@palamida.com. Please mention the GPL3 site when you reach out to Palamida.



3 comments:

Anonymous said...

Why do you call it "non-commercial software" ?
RHEL is commercial free software.

Anonymous said...

My problem with AGPL is this. Section 0 defines what "modify" means in the license: To "modify" a work means to copy from or adapt all or part of the work in a fashion requiring copyright permission, other than the making of an exact copy.

Suppose I download some AGPL code, put it on my server, make changes to it, and let people interact with it. Are my changes something that requires copyright permission? At least in the United States, the answer is NO, says 17 USC 117. That section says:

Notwithstanding the provisions of section 106, it is not an infringement for the owner of a copy of a computer program to make or authorize the making of another copy or adaptation of that computer program provided:

(1) that such a new copy or adaptation is created as an essential step in the utilization of the computer program in conjunction with a machine and that it is used in no other manner, or[...]

The courts have taken a liberal view of what "essential step" means, interpreting it as more than just getting the program to run. Changing its functionality to meet your business needs is covered.

I seem to recall that other countries have similar provisions in their copyright laws, or consider their fair use provisions to cover adapting your copy of a program.

But if I don't need permission to adapt the program, then practically AGPL code is just like GPL code. It's possible, I suppose, to imagine SaaS situations where the modifications would go beyond what 17 USC 117 or fair use cover, and then AGPL would be meaningful. But every SaaS situation I've seen involved modifications that would fall under 17 USC 117.

The fundamental problem here is that what the authors of AGPL want to do is stop you from doing something that copyright law gives you permission to do. That's something that, say, Microsoft could get away with in a license, because Microsoft's licenses are designed as contracts that both give you rights you do not normally have AND take away rights that you would otherwise have.

But the FSF is very adamant about wanting their licenses to NOT be seen as contracts. They want them to be seen as expansive licenses, that ONLY give you permissions that you would not otherwise have, and do not take anything away from you.

Unfortunately for them, the SaaS hole requires taking away in order to stop, and that's simply not achievable with the kind of non-contract expansive license they are trying to use.

Anonymous said...

To both commenters, thank you for the feedback. It provides a good opportunity for discussion and clarification.

Anonymous #1 (6:02 PM): “Non-commercial software” was used as a general descriptive term. The term is just one way of saying that the code itself is not what is being sold. When one buys a subscription to Red Hat Enterprise Linux, one is paying for Red Hat’s particular distribution package, support and updates. We did not intend to say that software such as RHEL can’t also be used for “commercial” purposes or to perform tasks at a “commercial” enterprise.

Anonymous #2 (7:58 PM): First, keep in mind that the opinions expressed on this blog are not intended to be, nor should they be considered as, legal advice. If you want a specific interpretation of copyright law or a licensing issue as it applies to a particular situation you need to consult with an attorney.

On to your point: Are you trying to say that the AGPLv3 somehow requires someone who "modifies" code licensed under it to obtain copyright permission before being able to use the "modified" program? None of the family of licenses from the Free Software Foundation requires such permission.

If that is what you are trying to say, I believe you misunderstand what the AGPL is trying to do, and maybe what the FSF licenses are trying to do in general. Just because Section "0" defines what "modify" means in the way it does, does *not* mean one would need copyright permission in order to make and use such a modification. What that section is doing, in my personal opinion, is defining the cutoff point for where newly copyrightable code begins as opposed to merely modifying the existing code for, as you quoted from 17 U.S.C. 117(a)(1), "...as an essential step in the utilization of the computer program in conjunction with a machine and that it is used in no other manner..." This "essential step," as the statute says, is not an infringement, and therefore would not “requir[e] copyright permission.” I'm not sure how your statement about "the courts" having taken a "liberal view" helps much.

Going beyond the "essential step," however defined, merely means that the person making such a modification has now created his or her own copyrightable work, i.e., the modification, which now must be licensed along with the original code, "as a whole," according to Section 5(c) of the AGPLv3, under the terms of the AGPLv3. No permission necessary.

The APLv3 is indeed just like the GPLv3, with the exception of Section 13, which applies to the use of code via remote network interaction. That was the whole point -- the GPLv3 does not address that, the AGPLv3 does. In all other respects the licenses are virtually identical. Take a look at our April 14 post on Section 13 specifically.

On to your point about modifications going beyond 17 U.S.C. 117, it is not only possible, but encouraged, for modifications to go beyond the initial work. The entire point of the free software movement is to encourage the sharing, modification and improvement of software code. The FSF family of licenses require that new code created as a "modification" of existing FSF-licensed code, be licensed under the same terms to preserve the code, encourage further innovation and creativity, and protect such code from being incorporated into a proprietary project, which would effectively remove it from the "code pool" of useful ideas. You may also want to see our June 7 post on FOSS licenses and U.S. Copyright law.

Kevin Howard
Legal Research Associate
Palamida Corporation