
Friday, July 11, 2008

GPL Project Watch List for Week of 07/04, 4th of July Edition

The GPL v3 Watch List is intended to give you a snapshot of the GPLv3/LGPLv3/AGPLv3 adoption for June 27th through July 4th, 2008.

This Week:


  • Can OSS Secure Our Nation?

  • Trust but Verify

  • Software Security Perspectives from Joe Jarzombek from The Department of Homeland Security

  • Richard Stallman comments - update

  • Followup - Google Code Repository

  • Weekly Count

Can Open Source and Free Software Impact the Security of Our Nation?

In this issue of our blog we see it fitting that we focus on our nation and its security through open source. The United States was founded on principles of freedom, so it makes sense that we now look towards "free software" to protect her. However, a question that begs to be asked is: is open source ready to protect the United States' networks, or are democratic development and decentralized distribution potentially our downfall? There are obvious benefits to open source software, but at the same time there are flaws in it that need to be addressed before it can be considered secure enough for government systems.

The recent Debian OpenSSL issue has brought much needed attention to the security of open source software. For those of you unfamiliar with the Debian OpenSSL security problem, on May 13th, 2008 http://www.metasploit.com/ announced that OpenSSL as distributed in Debian-based systems had a line of code removed which drastically reduced the number of possible encryption keys and made them predictable. "Instead of mixing in random data for the initial seed, the only 'random' value that was used was the current process ID." This affected releases that were distributed between September 2006 and May 13th, 2008. The code was removed because of incompatibility issues between Valgrind and OpenSSL. This security bug would have large repercussions if the government was using one of those Debian releases. Imagine our nation's security reduced to only 32,767 possible encryption keys that were also guessable.
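The following is an added illustration, not code from the blog or from OpenSSL, of why a seed that consists of nothing but the process ID collapses the key space to the PID range (32,767 on a default Linux system) and of the defensive response Debian shipped: enumerate every key the broken generator could have produced and check keys against that blacklist. The key derivations are constructed toy functions; the PID limit, the "weak-seed" label and the sample PIDs are assumptions made for the demonstration.

```python
import hashlib
import os

# Default Linux pid_max is 32,768, so PIDs run 1..32767: the figure the post cites.
PID_MAX = 32767


def weak_key(pid: int) -> bytes:
    """Constructed stand-in for the broken generator: the only 'entropy' mixed in
    is the process ID, so the key is a pure function of pid (assumption: toy KDF)."""
    return hashlib.sha256(b"weak-seed:" + pid.to_bytes(2, "big")).digest()


def sound_key(pid: int) -> bytes:
    """Stand-in for a correct generator: the PID is mixed with fresh OS randomness,
    so knowing the PID tells an observer nothing useful about the key."""
    return hashlib.sha256(os.urandom(32) + pid.to_bytes(2, "big")).digest()


def distinct_keys(generator, samples: int) -> int:
    """Count how many different keys `generator` yields over `samples` draws, with
    the PID cycling through the whole possible range. For the weak generator this
    saturates at PID_MAX no matter how many draws are made."""
    seen = set()
    for i in range(samples):
        pid = 1 + (i % PID_MAX)
        seen.add(generator(pid))
    return len(seen)


def build_weak_key_blacklist() -> frozenset:
    """A defender can enumerate everything the broken generator could ever emit.
    Debian's openssl-blacklist package took this approach, shipping fingerprints
    of the weak keys; here the fingerprint is SHA-256 of the toy key."""
    return frozenset(
        hashlib.sha256(weak_key(pid)).hexdigest() for pid in range(1, PID_MAX + 1)
    )


BLACKLIST = build_weak_key_blacklist()


def is_weak(key: bytes) -> bool:
    """Check a key against the precomputed blacklist; any hit must be regenerated."""
    return hashlib.sha256(key).hexdigest() in BLACKLIST


def main():
    # Constructed run: many more draws than PIDs, yet the weak generator never
    # produces more than PID_MAX distinct keys.
    print("weak generator, 100,000 draws:", distinct_keys(weak_key, 100_000))
    print("sound generator, 100,000 draws:", distinct_keys(sound_key, 100_000))
    print("key from pid 4242 (weak gen) blacklisted?", is_weak(weak_key(4242)))
    print("key from pid 4242 (sound gen) blacklisted?", is_weak(sound_key(4242)))


if __name__ == "__main__":
    main()
```

The point for a reviewer is the asymmetry: the blacklist only works because the weak generator's output space is small enough to enumerate, which is exactly the property that made the keys guessable in the first place. Checking against a blacklist is a cleanup step after the fact; the real fix is a generator whose seed includes unpredictable input.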

Now one of the arguments for open source is that there are more eyes looking over the code, since the code is openly available to be reviewed and changed by the community. This is true and is one of the reasons that this bug was discovered. The open source system of discovering bugs is beneficial in that the number of people reviewing the code is far greater than for proprietary software. But as the Debian OpenSSL case shows us, it might take up to two years before a bug is discovered, or at least published. Within the past two years, this bug may already have been discovered and not published, with the finder exploiting the bug for all that time. The problem with community review is that it is a voluntary choice and not an obligation.

With proprietary software, there are fewer people looking over the code, but they are more obligated to find bugs since they are being paid by their employer to do so. I am not saying that proprietary software is necessarily more secure than open source software. The Debian OpenSSL bug could have gone unnoticed for two years in a proprietary model just the same, since the number of eyes on the code is drastically smaller due to the closed source code. So perhaps the solution for organizations using open source is bounty systems, such as the $500 bounty Mozilla offers for bug discovery, for bugs that are found in the OSS that they are using. Another solution would be to have proprietary third-party software analysis review the security of open source code. Ultimately, using open source code has many time and functionality benefits that would be foolish to ignore, but seeing as it is America's security on the line, extra steps must be implemented to ensure the code is safe to use in exchange for the "free" software.

References
http://www.metasploit.com/users/hdm/tools/debian-openssl/
http://www.debian.org/security/2008/dsa-1571
http://www.linux.com/feature/135270
http://research.swtch.com/2008/05/lessons-from-debianopenssl-fiasco.html




Trust but Verify (from: http://the-opensource.blogspot.com/2008/07/trust-but-verify.html)

Ronald Reagan
Farewell Address to the Nation, Oval Office, January 11, 1989



"If they persist, pull the plug. It's still trust but verify. It's still play, but cut the cards. It's still watch closely. And don't be afraid to see what you see."




http://www.reaganlibrary.com/reagan/speeches/farewell.asp



This is the first time that I have had the justification to quote the late President Ronald Reagan to make an obvious point. In the Debian example, the open source community trusted that someone else would look and find the problem. Users believed that the power of community review would reduce the risk of using the software. Users were lulled into a complacency whereby nobody felt the obligation to "verify". Just like when an accident happens, we cannot all just assume that someone else will call 911, offer assistance, get involved. If we accept the socialism of free software, then we must mutually accept the responsibilities associated with the use of such software, or we must impose the obligations of these responsibilities onto the vendors that offer service agreements for such software.

I in no way single out open source software from proprietary software. The point is that just because there is nobody to blame does not mean we cannot look for problems. In the use of open source software, we must be prepared to know how to look, qualify the process by which software is checked and validated, and then centrally and proactively share this information.

Forums exist for the distribution of risk issues, and copious amounts of data has been amassed to allow management of complex environments. Regardless of whether the applications being used are "open source" or proprietary, objective rules and guidelines must be put in place and enforced in order to assure that the power of the community actually means something.

I tend to believe that long past are the days when each user would be forced to review the source of any distribution prior to compiling for one's own platform. We as users find it too easy to download the bits, decompress and run. We trust that in the community of users, someone else will find the problem. This complacency toward decentralized responsibility can lead to big problems. The use of open source alternatives to proprietary software is not more risky; it just imposes objective responsibilities and processes that must be abided by in order for open source solutions to continue offering an advantage in the workplace.

Users need to realize that nothing comes free. If we look at the real savings of open source software as that of time, the budget usually allocated to the purchase of commercial solutions can be spent to provide diligent review and management of "open" applications, following documented guidelines, with results of such copious review being continually shared with the community.

Software Security Perspectives with Joe Jarzombek from The Department of Homeland Security (from: http://the-opensource.blogspot.com/2008/07/software-security-perspectives-with-joe.html)


Joseph Jarzombek serves as Director for Software Assurance in the Policy and Strategic Initiatives Branch of the National Cyber Security Division (NCSD) within the Department of Homeland Security (DHS). He hosts and sponsors many public-private collaboration efforts focused on software security. He recently spoke at the AIE Conference on Military Open Source Software, and he shared his perspectives on "Security Considerations in the Use of Open Source Software". The following is my commentary and his words from the conference. Joe Jarzombek also provided the presentation for readers to download.


Ernest Park: The weakness in blind trust of a decentralized community was clearly pointed out with the Debian issue. Without objective mandatory and measurable delivery against processes, software flaws can go unnoticed for periods of time. Joe, is this an example of existing complacency in the use of open source software, and who should accept responsibility for this major security oversight?


Joe Jarzombek: The OSS community still needs a mature and widely-recognized OSS governance regime. If organizations were to adopt OSS, then our acquisition and security personnel need to become more OSS-savvy. They would need to establish an OSS security expert role for verifying and enforcing OSS conformance to organizational requirements and policy.


Ernest Park: It seems like a well organized group with political or financial motivations could wreak havoc on our country using open source software to open the doors to an attack. Is the government concerned about open source applications being used to hide intentionally hidden trojans and coding flaws, such that institutions using such software can be exposed to highly targeted attacks?


Joe Jarzombek: As part of enterprise risk management, organizations should evaluate the trustworthiness of suppliers, and that includes enhanced due-diligence to better understand the pedigree or provenance of the software and the capabilities of the suppliers to deliver secure products and services before acquiring any developers' OSS. Generally the significant OSS projects are maintained by well known developers in the community. They would have to make sure the project team monitored each developer's initial contribution or only his/her later modifications and updates. Their process would also need to include checks/controls to establish developers' identities and trustworthiness. The developers' geographical locations, nationalities, affiliations, ideologies, and loyalties are also easier to obtain with OSS. On OSS projects, it's often possible to discover developers' identities (at least who they claim to be). The same is not true of many proprietary software projects/developers.


Ernest Park: The FLOSS, OSS, FOSS, free software, open source community is a non-centralized ‘socialist’ network. Does the lack of perceived central responsibility pose a higher obligation of risk awareness and mitigation on enterprise users of these applications?


Joe Jarzombek: First, people should understand that many of the issues identified with OSS are equally true for proprietary software. The ability to determine pedigree/provenance should be one factor, but not the only factor, in decision-making on whether or how to proceed with software security evaluation. If there is inadequate information then there needs to be deeper security analysis, vulnerability mitigation and environment-level isolation and constraints to separate “not yet trusted” from “more trusted” software. If there is no pedigree/provenance information then that has sometimes been used as a reason to reject the software especially if it were to be used in national security systems with US only content requirements.



Ernest Park: Do you feel that enterprises are exposing themselves to undue risk if they choose to save money by using open source applications without budgeting for additional resources to manage and oversee such applications?




Joe Jarzombek: Many organizations are already looking into additional resources to manage and oversee applications that they might use. Several companies such as Palamida and Black Duck Software offer discovery programs that will find "hallmarks" in the source code, COTS products, and large software systems. Several companies now offer services that focus on software security. We have also collaborated with vendors who have made a business out of scrutinizing OSS code, such as Fortify Software, Ounce Labs, Coverity, Cigital, and others. OSS "commodification" potentially provides the best of both worlds: OSS design/code openness and vendor support.



Ernest Park: I have run into some efforts to increase usage of open source within government. Has DHS been involved with these efforts, and is any policy defined to assure high operational security for all applications going forward?


Joe Jarzombek: DHS has sponsored the Vulnerability Discovery and Remediation Open Source Hardening Project in which Coverity, in collaboration with Symantec and Stanford University, evaluated popular OSS to discover and remediate exploitable vulnerabilities. In this project 40+ OSS packages, including Linux, Apache, MySQL, Perl/Python/PHP were evaluated for vulnerabilities. 11 packages were remediated.




Ernest Park: What should we be doing as a minimum to insure that we are diligent, responsible technology users and proud citizens defending our homeland?




Joe Jarzombek: The broader stakeholder community needs to be security-aware with a better appreciation of just how much our enterprise missions are more at risk because of exploitable software. These risks have to be mitigated during development and in use. We need more security-informed procurements. As consumers we need to exercise more due-diligence in selecting software suppliers and products. More comprehensive software diagnostic capabilities need to be used by developers and testers. Also problems that are found need to be reported as soon as possible so that they can get fixed immediately, ideally before code is released. And users should also keep their software up to date by installing the latest patches.




Ernest Park: Has anyone assembled a best practices guideline for using your data sources to more securely and proactively manage our computing environments?

Joe Jarzombek: Our DHS Software Assurance "Build Security In" website offers many publicly available resources which are free to download. BSI at https://buildsecurityin.us-cert.gov/ offers several sound practices from respected practitioners of software security. David A. Wheeler is well known for his contributions in OSS endeavors. He has released papers and projects on OSS and security, including "Open Source Software (OSS) and the U.S. Department of Defense (DoD) – Webinar". If people are interested in further collaboration on software security practices, I would invite them to join us in future Software Assurance Forums and working group sessions which are publicized on our BSI web site under Events.

Ernest Park: We are repeatedly told that the next big attack will come via the internet. What steps can I do to empower myself, my fellow software users and my country to proactively defend, and more predictively manage my environment?

Joe Jarzombek: Software users should, as a minimum, perform a security evaluation on the programs they choose to use that answer these questions:



  • Are the software's security assumptions consistent with the security assumptions made by and about the component that the software will implement?

  • Can unused functions and interfaces be removed, disabled, or fully isolated without affecting the correct execution of other functions?

  • Does the software expose and provide access paths (intended or unintended) to its vulnerabilities?

  • What are the common exploitable weaknesses in the code, and what form of static or dynamic code analysis has been performed to determine the resiliency of that code?

The open design and source code availability of OSS should make security evaluation easier.



References:

http://ttcus.com/oss/
The Military Open Source Software Conference, April 21-22, 2008
-Goertzel-Jarzombek-OSS_Security SwA.ppt


Weekly Count, Sourceforge Backed up


If our numbers seem lacking this week, it's because they are. One of our largest sources of data is backed up at the moment. Sourceforge seems to have stopped updating files past June 22. Once SF is caught up on their files to the present, our numbers will catch up to the expected rate. We emailed the maintainers at Sourceforge and they informed us that they have located the problem. They notified us that the problem will be fixed within the next couple of days when they make their next push. For this week, the GPL v3 count is at 2751 GPL v3 projects. The LGPL v3 count remains at 265 LGPL v3 projects. And the AGPL v3 number is up 3, bringing the total to 120 AGPLv3 projects.







***********************************************************************************


Richard Stallman comments - update
In my last post (http://gpl3.blogspot.com/2008/06/gplv3-one-year-anniversary-edition.html), I included comments from Richard Stallman in an "interview" section. I had hoped that Mr. Stallman would welcome the opportunity to comment on an objective, non-commercial, free effort to openly track adoption rates of GPLv3 related licensing in new software releases over its first year. Instead, through a series of email exchanges, Mr. Stallman indicated more of a philosophical disdain with this information effort, and a dislike for Palamida, the company that continues to generously sponsor this effort.



It seems that Mr. Stallman has clear views on how "free" software needs to be described, referred to, and counted.





Richard Stallman: "The free software movement is not merely personal. It is a political movement like the environmental movement, the civil rights movement, etc."





Mr. Stallman contacted me after, asking me to clarify his comments clearly in the context in which they were elicited.





Prior to 6/29/08, I asked a series of questions, and did inform him that his responses would be published in their entirety. From an email exchange between Mr. Stallman and me that followed the publication on 6/29/08:






  • ernest park: I can clarify the post. As a note, I was very clear with my intention to publish all of your words, unedited, which I did.

  • richard stallman: You invited me to contribute something and said you would publish it unedited. But I did not do that; I instead said why I did not want to.

  • ernest park: Redhat, MySQL, Sun, IBM - and others all generously sponsor the existence of open source projects through their proprietary commercial activities.

  • richard stallman: I am an activist for free software and freedom; open source is not what I support.

It is clear that Mr. Stallman and I do not see eye to eye. While the various GPLs (v2, v3, etc.) are specific to the non-commercial aspects of the code, and the availability of the underlying code, aka source code, his position is one of "free software" being more of a philosophical movement than a legal construct around the use and propagation of community developed software.


Followup - Google Code Repository
My views on the licensing restrictions at http://code.google.com/ changed significantly after our talk with Chris DiBona (http://gpl3.blogspot.com/2008/06/gplv3-one-year-anniversary-edition.html). His position of license proliferation is a practical argument. When we see all the licenses out there with prohibitive and vague language, contradictory language, or possibly hidden agendas, perhaps Chris is heading in the better overall direction.


I think that Creative Commons has always had it right. There is no confusion about what a CC license allows or does not allow. If licenses for open source software were standardized into a simple menu format like CC, how many distinct permutations would really be required? Would the OSS community be better served with fewer licenses that are clear, with defined interaction and use conditions?



It is a shame that OSI (http://www.opensource.org/licenses) does not require documented interoperability for approval. In this way, even OSI has been party to the unfortunate proliferation of licenses that say similar things, do not cooperate with each other, and create more confusion and complexity for use. As an interesting point, Chris used to be a member of OSI, and consistently lobbied for less approved licenses. OSI approval should really mean much more than the fact that the document passed a spell check (I am being sarcastic).





Chris and I agree on this issue: fewer licenses with clear terms and documented interoperability will protect the future utility of open source software.
********************************************************************************************************


Missing Week, and what's new?




Time off
We all took a week off for July 4th. It seems that our time off was aligned well to other issues in open source software. Sourceforge was having issues posting updated information, and as of recently, their information was still queued up. We contacted friends at Sourceforge right away, and they acknowledged that they discovered the issue and things would be back to normal.




Farewell Antony, welcome aboard Edwin
As of this week, Antony Tran is stepping down as Project Manager for the GPL3 Information Search site and blog. Antony has been with the Research Group for over a year, and has handled a number of significant research projects specific to open source software worldwide. He is taking time for himself, and may start the arduous process of interviewing at graduate schools.
The team will miss Antony's contributions and leadership. Over the course of the next few weeks, Edwin Pahk will take over project management duties for the information site, starting next week. Edwin has been with our team for more than one year after graduating from Berkeley.





Change in format going forward
We accurately tracked GPLv3 adoptions over the last year, and despite quotations and interpretations in all directions, I have to say that the integration of GPLv3 variants in project releases was and continues to be at a steady and growing rate, with over 3000 releases using GPLv3, AGPLv3 and LGPLv3 in the last year, and nearly 7000 "or later" releases. The focus of this information site is moving more into the future of open source: news, security, topical stories. You may have noticed over the course of the last few months the addition of interviews. We will continue the interview format, and are eager to continue to make sure you "read it here first".


If you wish to participate in an interview, or if you want information from me, please send a note to rdgroup@airius.com.


LINKS BACK - Please help!
We ENCOURAGE you to copy the content of this site. The Creative Commons license asks only for non-commercial use, and credit. I would like to ask that you also cooperate with the requests herein without my requiring a modified license. Please send me a note if you do so regularly. This site is translated into half a dozen languages weekly that I can find, and on any week, I can find hundreds of partial or complete copies of the site content on other sites.



  • Feedburner - RSS of this site is available via subscription

  • Email - For those that want the content delivered, email delivery is available. Information about subscribing is on the bottom.

  • With the hundreds of copies of this site that go out weekly via subscription, along with the hundreds of copies on other sites, the stats are out of skew. We use Google Analytics to track usage. When the site is copied, the "tracking script" is not copied. As a result, while I can verify hundreds of links and potentially thousands of readers, Google Analytics does not know about it. Please help.

Link Partners
If you are willing to copy and translate the content weekly, please let me know. You will receive the content as soon as it is available, and your site will be listed as a translation. I can send you a bit of tracking code so that you get credit for your contribution to the readership of this site.
Post your link on the bottom of the blog page.


Send me a note at rdgroup@airius.com that you are using some or all of the content.
I will make sure that we host links to your sites, and we will be able to use your content within this site as well.


********************************************************************************************************




Notable Mention

The Research Group actively takes submissions from visitors on updates on new GPL v3/LGPL 3 projects. We are amazed at the number of submissions we have gotten to date, but even more so, we are incredibly grateful to over 100 core contributors who have devoted their time and resources at helping us provide up-to-date information.

The Research Group (rdgroup@airius.com)

Ernest Park
Edwin Pahk
Kevin Howard
********************************************************************************************************


Subscription

For more information, go to http://gpl3.blogspot.com/. To stop receiving these weekly mailings, please send a message to rdgroup@airius.com with the subject "unsubscribe:gpl3". To start receiving these weekly mailings, please send a message to rdgroup@airius.com with the subject "subscribe:gpl3".

********************************************************************************************************


Our Sponsor, Palamida, Inc.

The GPL3 project, sponsored by Palamida, Inc (http://palamida.com/ ), is an effort to make reliable publicly available information regarding GPLv3 license usage and adoption in new projects.

The opinions expressed within the GPL3 Information Blog are exclusively those of Ernest Park, the subjects interviewed and the contributing authors, and are not intended to reflect the positions of Palamida, Inc and its employees.

This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 United States License.

********************************************************************************************************


Palamida was launched in 2003 after its founders learned first-hand what happens when companies don't have full visibility into the code base of their software applications based on Open Source Software. Their experiences inspired them to create a solution to streamline the process of identifying, tracking and managing the mix of unknown and undocumented Open Source that comprises a growing percentage of today's software applications. Palamida is the industry's first application security solution targeting today's widespread use of Open Source Software. It uses component-level analysis to quickly identify and track undocumented code and associated security vulnerabilities as well as intellectual property and compliance issues and allows development organizations to cost-effectively manage and secure mission critical applications and products.

For more information about FOSS management solutions, go to http://palamida.com/, or send a note to sales@palamida.com.

Please mention the GPL3 site when you reach out to Palamida.

Monday, June 30, 2008

GPLv3 One Year Anniversary Edition 06/29/08

The GPL v3 Watch List is intended to give you a snapshot of the GPLv3/LGPLv3/AGPLv3 adoption for the past year.

This Edition:
  • GPLv3 - One Year Later
  • GPLv3 - 10,000 projects
  • Interviews
    • Conversation With Chris DiBona
    • Richard Stallman on Free Software vs Open Source
    • Words of Wisdom from Marco Barulli
  • Significant Adopters and Rejectors
  • To Sum it All Up
  • Counts for the Week

Happy Birthday GPL v3

It is said that in the act of scientific observation, that which one observes is permanently changed. My team and I were tasked one year ago with creating a way to objectively track the use of the GPLv3 license and variants within the global body of non-commercial software. We spent about 6 weeks planning, researching, and developing tools, processes, documentation and the public site http://gpl3.palamida.com. On the front end, we run JBOSS; on the back, Ruby and MySQL. We do analytics with Pentaho, Groovy and Python, and we manage the content with Google Apps for Business, Mionet, Mesh, and Dropbox.

On June 29, 2007, we went live with 67 Ruby projects from Rubyforge, and by the first Friday, we went to 82. A year has passed, and this team has been staffed by interns from fine colleges around the country, senior project manager Kinyoshi Tokuyama, project managers Antony Tran and Edwin Pahk, senior programmer Chris Porter, and me.

Our goal from that first day was to objectively track the use of GPLv3 variants (GPLv3, LGPLv3, and "or later"), provide accurate counts and clear validation. For each of the more than 15,000 projects collected for this project from more than 500,000 reviewed, the sources were reviewed, proper license references and attributions verified, and the license text, unchanged, was identified. While we used some level of automation, we felt that there were problems that required lots of hands and eyes on the problem. Among these were missing license text, no license information in source headers, bad license links - GPLv2 projects that used URLs to refer to licenses rather than include the text.

We started distributing a weekly mailing, and published our first blog on 7/2/07. Our hope was that transparency in our project would instill confidence in our objective results.

User contributions via web form, email and phone calls have numbered in the hundreds.

In all, a year later, we are still tracking the usage and adoption of GPLv3 and its variants, including the new AGPLv3. I wish to thank Palamida, Inc. for their generous sponsorship of this important source of information regarding the use and adoption of non-commercial software and related licenses. Their sponsorship allowed this project to run, and afforded us the ability to offer 12 internships to deserving graduate students.

---------------------------------------------------------------------------------------------------------------------------------------------------------------
GPLv3 - 10,000 projects. The numbers say it all
As of 6/29/07 / 6/29/08:

Total repository based OSS community: 145,909 / 258,367 (SF total divided by 70%)
Estimated total active projects: 21,886 / 38,755 (total divided by 15%)
Total active GPL: 18,166 / 32,167 (total active, divided by 77% GPL and 6% LGPL)
Estimated total GPLv3 conversion, including "or later": 13,079 / 23,160 (total active, divided by 77% GPL and 6% LGPL, divided by 72% estimated conversion rate)
Estimated current "or later" impact: 9,083 / 16,083 (50% of GPL)

NOTE - As I said before, in the act of observation, one permanently changes that which is observed. The total number of projects on Sourceforge today was 180,857. One year ago, that number was 102,136. Six weeks after the launch of the GPLv3 license, the number was 145,910. SF experienced a 40% increase in new projects in six weeks, and over 75% in one year. Did our observation influence the creation of new projects? Did we draw attention to non-commercial software? Maybe.

The blog site has had thousands of users, hundreds of links to significant sites, we have been mentioned on significant industry sites and quoted objectively by analysts. I tend to believe that my team and I removed some of the FUD element around non-commercial software, and attracted a new set of eyes. I can't take credit for the sudden explosion in new projects 6 weeks after the GPLv3 was launched, but would we have ever noticed if I had not been observing?

The one statistic that I have not modified is the active project metric. I actually think it is accurate, and reflects the continuing growing trend of usage of these projects over time.
Therefore:
    1. Or later – 6,858 of 13,079 / 23,160 projected – 76% / 43%
    2. LGPLv3 – 265 of 785 / 1390 projected – 34% / 19% (GPL conversion divided by 6%)
    3. GPLv3 – 2,856 of 12,295 / 21,771 projected – 23% / 13% (GPL conversion divided by 94%) This does NOT include "or later"
    4. GPL, not converted – 5086 / 9007 projected (GPL projects times (100% - 72% convert rate))
  • The use and creation of non-commercial, FLOSS, FOSS, Open Source, Free projects has increased at a rate more dramatic than any previous point in its measurable history
  • In the six weeks that followed the release of the GPLv3 license, overall new projects on Sourceforge increased by more than 40%
  • GPLv3 increased private and commercial awareness to the potential of non-commercial software for the better

All this in one year.

So, what is the summary?

Usage of the GPLv3 license variants has grown consistently with the growth in non-commercial projects seen in the last year. I have read, on sites that are not well informed, about the lackluster reception for the GPLv3 license and its variants, citing a continued strong usage of the GPLv2. What is not brought up is the existence and continued growth of the use of the "or later" license condition, where, at the choice of the user, a user of licensed software can be governed by the terms of the present license, or a later one (such as GPLv3). While it seems like a minor issue, it could become a larger one if a user of GPLv2-or-later code introduces changes licensed under the GPLv3. In order to accept the changes, the subsequent code, if used, would become GPLv3.

In the end, if we combine all the "or later" with the GPLv3 and variants, there are 9979 projects governed directly or indirectly by the current GPLv3 licenses.

Interviews
For this special edition of our blog, we found some key figures in the Free Software/Open Source community to share some thoughts with us. First we have Chris DiBona from Google Code, who answered some questions regarding their stance on license proliferation and the AGPL v3. Next, we were able to get some words from Richard Stallman from the Free Software Foundation, who gave us an interesting interview, commenting on the ideologies behind Free Software. And lastly, Marco Barulli from Clipperz gave us some insight on the future of open source software.

Conversation With Chris DiBona, Google's Open Source Programs Manager. (http://code.google.com)
(06/29/08)

Ernest Park: The current rate of adoption of the AGPLv3 license is more than double that of the LGPLv3. Considering the fact that the AGPLv3 is the newest of the licenses above, I would contend that adoption is consistent, and that this license may be the first widely adopted license focused on ensuring the freedoms around web delivered services. Is it reasonable to see that AGPLv3 will surpass LGPLv3 in number of distinct licensed projects within the next year?

Chris DiBona: Maybe? I'd be surprised if this is the actual case. Nothing personal, but without knowing your sample size those numbers are next to useless. Our sampling of license popularity is based on our crawl of the internet, version control repositories inclusive. Not just individual and community repositories.

I might also point out that you're making an argument to halt support for lgplv3, not one to support agplv3.

I should also point out that I'm speaking specifically about support for the AGPL on code.google.com's project hosting system. We have AGPL projects in the Summer of Code and are substantive financial supporters of the FSF and SFLC.

Ernest Park: The AGPLv3 differs from the GPLv3 ONLY in section 13, providing language specific to address the conveyance that exists unique to SaaS. http://gpl3.blogspot.com/search?q=section+13. Therefore, do you think your resistance to AGPLv3 to date could be interpreted as a resistance to specific SaaS licensing?

Chris DiBona: No, it is a resistance to overall license proliferation. The benefits that the AGPL attempts to bring to SaaS are not worth the damage yet another license brings to the open source world. The AGPL clearly brings some interesting features to SaaS projects, and I remember when we were releasing SourceForge's code from VA Linux back in the day that some of the executives in the company were upset that other SourceForges had popped up and not acknowledged the original or patched back. In the end, I don't think this is an actual problem. There are plenty of examples of Apache or BSD projects that continue to be industry leading even though they are both quite permissive. Licenses clearly matter, but project innovation and leadership count for a lot more than the license a project might choose.

Ernest Park: With the time that has passed, have you reconsidered your position on hosting AGPLv3 licensed projects?

Chris DiBona: No. AGPL doesn't have enough adherents to change our position on hosting AGPL projects.

Ernest Park: What would you change of the AGPLv3 license in order to make it acceptable to Google's code repository? Remember, the only difference between GPLv3 and AGPLv3 is section 13, so I would suspect that any changes would focus here.

Chris DiBona: Section 13 is a mess. Until there is more history around compliance with section 13 and what it means to be compliant and where the linking stops, the AGPL will not see much adoption. And that adoption is what would warrant its inclusion.

Ernest Park: Comments from you in the past proposed that AGPLv3 had nominal usage. Given the facts on license usage in new projects, are you willing to reconsider your prior position claiming a nominal adoption (paraphrase)?

Chris DiBona: No, you are still working from the assumption that your numbers are significant. It is my opinion that they're not. 113 projects is less than the number of projects under any license registered on code.google.com or sourceforge on any single day.

Ernest Park: There are other licenses that Google currently supports with low overall projects, and with low numbers of releases under these licenses. In your effort to prohibit license proliferation, will you set license hosting guidelines for additional licenses with low current usage, or are you focusing such sanctions solely on the Affero GPLv3?

Chris DiBona: That's why we're retiring mpl support, as it too is underused. AGPL supporters seem to think this is something about the AGPL, when it is about fighting license proliferation on code.google.com. I have nothing really against the AGPL save the deleterious effects that yet another open source license brings to the open source software development movement.

Ernest Park: While I personally find the huge numbers of unclear and repetitious licenses useless, we either have to support them all, or support only those that satisfy specific criteria. I do think that you have attempted to outline criteria. It would be good if you objectively spelled out the criteria and made it available for review. While I am certain that the author of the "do good, not evil" license will protest along with much of the FOSS community, the commercial marketplace and developers going forward might appreciate fewer licenses with distinct and defined interoperability.

Chris DiBona: So I think that your company has a significant role to play in pan-license compliance support (obvious) so it is smart to build competency around the AGPL, but for now, it's not destined to be offered as an option at code.google.com

Ernest Park: One last question. From recollection, your position regarding license proliferation has not differed since your tenure with OSI. It seems that OSI could set the example for tightly constraining the proliferation of licenses - stop duplicate licenses, highly incompatible licenses, and in all, set a framework for the approval of a portfolio of licenses that together address specific licensing needs and desires by the creators and users of the content. Why did OSI never actually attempt to constrain "approved" licenses to meet a criteria beyond the license itself, like interoperability, or duplication of existing license?

Chris DiBona: Honestly? OSI is lacking dedicated personnel, which I believe is quite crippling. Without a dedicated staff, how can one expect them to summon the political will to be unpopular with the adherents of the licenses they'd deprecate (which I know all too well). I left the board a long time ago (to get my masters) but I still hold some hope that they'll turn OSI around, which I define as 'deprecating a ton of licenses'.

****************************************************************************************************************
Richard Stallman on Free Software vs Open Source
(06/29/08)

Ernest Park: It is the one year anniversary of a milestone for non-commercial software users and advocates. I accept and will publish that your views and mine differ, but it seems proper that your voice should be reflected on (this) site in response to the clear successful acceptance of the GPLv3, LGPLv3 and AGPLv3. Do you have any comments on the GPLv3 site and the progress that we've been maintaining?

Richard Stallman: In general, I'm rather unhappy with Palamida, both for terminology (it generally uses the term "open source", which stands for values I disagree with), and for substance (it promotes some non-free software).

Ernest Park: At the end of the day, free software, OSS, FLOSS, etc - there are a lot of names to describe non-commercial software made available in a framework that encourages participatory development, and a lot of opinions and points of view, many distinct, all personal. I believe that for the moment, we can both agree that our values differ in some specific ways. However, would you mind providing a comment less vague and subjective, focused more on the community acceptance and success of the GPLv3 family of licenses?

Richard Stallman: The free software movement is not merely personal. It is a political movement like the environmental movement, the civil rights movement, etc.

You've described the activity using the ideas associated with the term "open source". The free software movement's goal is not even included in that description. Thus, a thoughtful free software supporter knows better than to endorse the way the issue is framed by your site.

I fetched and read the last retrospective, and I got a bad feeling about the values that seem to be present in it. I would have to do a lot of work to identify why I see them there, and I am not sure that would do any good.

Note - The interview above was the result of four rather long emails. The interview was intended for the blog, and the summary above was edited directly from the email exchanges.

****************************************************************************************************************
Words of Wisdom from Marco Barulli (06/27/08)

Antony Tran: With tech at the forefront of our society, how do you envision open source in the future, both in general and commercially?

Marco Barulli: With security and privacy issues becoming more and more relevant in our society, I hope that the openness of the code that runs on our computers/phones/... will no longer be an option.

Antony: What needs to change in OSS for it to compete more aggressively with commercial software?

Marco: More attention to the user experience.

Antony: Do you have any words of advice for our subscribers who are trying to develop the next big thing?

Marco: Just do it. Don't waste time looking for seed investors, put your own money, time and energy into it. If you believe it is the next big thing, VCs will come.

---------------------------------------------------------------------------------------------------------------------------------------------------------------
Significant Adopters and Rejectors

Significant adopters
Clipperz
Clipperz was one of the first established projects to adopt the AGPL v3. Their backing of the AGPL v3 showed that there was a niche of people who were, and are, disappointed with the SaaS loophole that was not closed in the GPL v3. They believe that anyone who modifies open source software to run it as a service should also be required to release their code. Since their adoption of the AGPL v3 they have announced that they are planning to develop a suite of projects licensed under the AGPL.

Open Office
Open Office was a large project that decided to adopt the LGPL v3. The LGPL v3, the less restrictive form of the GPL v3, had not had many big names take on the license until Open Office. Just as Clipperz did with the AGPL v3, Open Office showed that there was a group of people who wanted to update their license, but not take on all of the restrictions in the GPL v3.

Ubuntu Launchpad

Ubuntu's Launchpad has not officially adopted the AGPL v3 yet, but it is a strong candidate for the license. If Launchpad were to adopt the AGPL v3, it may give the license the boost it needs to become more significant. And the more projects that adopt the AGPL v3, the easier it becomes for Clipperz to develop their suite based around it.

Significant rejectors
Google Code Repository
The Google Code repository stirred things up when it announced that it would not host AGPL v3 projects. This week we were able to speak to Chris DiBona and ask him why they did not want to host the license. The initial controversy revolved around their intentions in rejecting the license. Some thought that Google Code did not want to host the license because it conflicted with their business model, but in our interview Chris stated that their intention was to fight license proliferation. A few weeks back we also interviewed Marco Barulli from Clipperz on the issue, see (http://gpl3.blogspot.com/2008/05/gpl-project-watch-list-for-week-of-0523.html). Now both sides have been able to speak their minds on the issue, so you, the reader, can make up your own mind on the subject.

---------------------------------------------------------------------------------------------------------------------------------------------------------------
Year Summary
Well, one year has passed since the release of the GPLv3 and LGPLv3. I'm not big on celebrating anniversaries just for the sake of time passing, but anniversaries do provide a convenient interval for measuring progress and events, so here are some of my thoughts on a few notable developments over the course of the GPLv3 and LGPLv3's one year of life so far:

Free and Open Source

In general, the past year has been significant for the world of Free and Open Source Software. The releases of the GPLv3, LGPLv3 and AGPLv3 garnered significant industry coverage and stimulated interest in the Free and Open Source Software movement in general. Sun's acquisition of MySQL in a $1 billion deal showed that software licensed under an open source license can be a viable part of "big business" in the software industry.

GPLv3/LGPLv3 – Released June 29, 2007

Increased focus on proper licensing documentation was a prominent issue early on in our coverage of the release and adoption of the GPLv3. Through our research on many projects, we found a noticeable number that had very little or sloppy documentation in their downloadable code and on the project's web site. Sloppy, outdated or nonexistent documentation, such as not including proper notice of the license, failure to provide a copy of the license or linking to the GPLv3 on the project web site when everything else in the distribution says GPLv2 is the governing license, weakens the ability of users and licensees to preserve the rights given to them by the GPL. At a minimum, I hope we were able to bring some visibility to this issue.
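One way to turn that documentation check into something mechanical, as an added example that is neither Palamida's tooling nor any project's own code: the script below reads an in-memory stand-in for an unpacked source tree, tags the license text shipped as COPYING and the notice in each source file, and flags files whose notice does not agree with COPYING. The "or later" case discussed in the summary above (a GPLv2-or-later notice shipped with a GPLv3 COPYING) is treated as consistent, whereas a GPLv2-only notice next to a GPLv3 text is flagged, as is a file with no notice at all. The regular expressions are written against the wording of the published GPL/LGPL texts and the FSF's recommended per-file notice; the file names, extensions and the sample tree are assumptions constructed for illustration.

```python
import re
from typing import Dict, List, Tuple

# Added example, not Palamida's tooling: audit the license notices in a
# source distribution against the license text shipped as COPYING.

# Heading of a full license text, e.g. "GNU GENERAL PUBLIC LICENSE / Version 3, 29 June 2007".
COPYING_RE = re.compile(
    r"GNU (?P<fam>LESSER |LIBRARY )?GENERAL PUBLIC LICENSE Version (?P<ver>\d(?:\.\d)?)",
    re.IGNORECASE)

# The FSF's per-file notice: "... GNU General Public License as published by the
# Free Software Foundation; either version 2 of the License, or (at your option)
# any later version."
NOTICE_RE = re.compile(
    r"GNU (?P<fam>Lesser |Library )?General Public License.*?"
    r"version (?P<ver>\d(?:\.\d)?) of the License"
    r"(?P<later>,? or (?:\(at your option\) )?any later version)?",
    re.IGNORECASE)

LICENSE_FILES = ("COPYING", "COPYING.TXT", "LICENSE", "LICENSE.TXT")   # assumed names
SOURCE_EXT = (".c", ".h", ".cc", ".py", ".pl", ".java", ".js")         # assumed extensions
HEADER_BYTES = 4000   # notices live at the top of a file; do not scan whole files


def _normalize(text: str) -> str:
    """Collapse comment leaders, newlines and runs of spaces into single spaces
    so a notice matches however it was wrapped or commented."""
    return re.sub(r"[^A-Za-z0-9.,;()]+", " ", text)


def classify_copying(text: str) -> str:
    """Tag of the shipped license text: 'GPLv3', 'LGPLv2.1', ... or 'unknown'."""
    m = COPYING_RE.search(_normalize(text))
    if not m:
        return "unknown"
    return ("LGPL" if m.group("fam") else "GPL") + "v" + m.group("ver")


def classify_notice(text: str) -> str:
    """Tag of a per-file notice; a trailing '+' marks an 'or later' grant."""
    m = NOTICE_RE.search(_normalize(text[:HEADER_BYTES]))
    if not m:
        return "none"
    tag = ("LGPL" if m.group("fam") else "GPL") + "v" + m.group("ver")
    return tag + ("+" if m.group("later") else "")


def _parse(tag: str) -> Tuple[str, float]:
    fam, ver = tag.rstrip("+").split("v")
    return fam, float(ver)


def notice_matches_copying(notice: str, copying: str) -> bool:
    """Consistent when the notice names the same license family and either the
    same version or an older version with an 'or later' grant (GPLv2-or-later
    code shipped under a GPLv3 text is fine; GPLv2-only code is not)."""
    n_fam, n_ver = _parse(notice)
    c_fam, c_ver = _parse(copying)
    if n_fam != c_fam:
        return False
    return n_ver == c_ver or (notice.endswith("+") and c_ver > n_ver)


def audit(tree: Dict[str, str]) -> Tuple[str, Dict[str, str], List[str]]:
    """tree maps relative paths to file contents (an in-memory stand-in for an
    unpacked tarball). Returns (COPYING tag, per-file tags, findings)."""
    findings: List[str] = []
    copying_path = next((p for p in tree if p.upper() in LICENSE_FILES), None)
    if copying_path is None:
        copying = "missing"
        findings.append("no COPYING/LICENSE file: the license text itself is not shipped")
    else:
        copying = classify_copying(tree[copying_path])
        if copying == "unknown":
            findings.append(f"{copying_path}: not a recognisable GPL/LGPL text")

    per_file: Dict[str, str] = {}
    for path, content in tree.items():
        if path == copying_path or not path.endswith(SOURCE_EXT):
            continue
        tag = classify_notice(content)
        per_file[path] = tag
        if tag == "none":
            findings.append(f"{path}: no license notice in file header")
        elif copying not in ("missing", "unknown") and not notice_matches_copying(tag, copying):
            findings.append(f"{path}: notice grants {tag} but COPYING is {copying}")
    return copying, per_file, findings


# Constructed sample distribution: a GPLv3 COPYING with mixed per-file notices.
SAMPLE_TREE = {
    "COPYING": "                    GNU GENERAL PUBLIC LICENSE\n"
               "                       Version 3, 29 June 2007\n",
    "src/main.c": "/* This program is free software: you can redistribute it and/or modify\n"
                  " * it under the terms of the GNU General Public License as published by\n"
                  " * the Free Software Foundation, either version 3 of the License, or\n"
                  " * (at your option) any later version. */\n",
    "src/old.c": "/* ... under the terms of the GNU General Public License as published by\n"
                 " * the Free Software Foundation; either version 2 of the License, or\n"
                 " * (at your option) any later version. */\n",
    "src/legacy.c": "/* ... under the terms of the GNU General Public License as published by\n"
                    " * the Free Software Foundation; version 2 of the License. */\n",
    "src/util.h": "/* helper declarations, no notice at all */\n",
}

if __name__ == "__main__":
    copying, tags, findings = audit(SAMPLE_TREE)
    print("COPYING:", copying)
    for path, tag in tags.items():
        print(f"  {path}: {tag}")
    for finding in findings:
        print("FINDING:", finding)
```

On the sample tree the audit reports two findings: src/legacy.c grants GPLv2 only while COPYING is the GPLv3 text, and src/util.h carries no notice. The check is deliberately narrow (same family, same or later version); it does not try to decide whether an LGPL-noticed file may ship under a GPL COPYING, which is a question for a person rather than a regex.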

AGPLv3 – Released November 19, 2007

Released almost six months after the GPLv3 and LGPLv3, this may turn out to be the sleeper license hit in the years to come. With a growing shift in software toward a web-based "cloud computing" model, the AGPLv3 allows developers to choose to embrace the principles of openness and giving back as embodied in the GPLv3 with projects that are hosted remotely and interacted with remotely by users who never download the source code.

The announcement by Marco Barulli, co-founder of the Clipperz ( http://www.clipperz.com/ ) project, of the intent to develop an AGPLv3-licensed suite of web applications, was a great step forward and a positive boost for the visibility of the principles embodied in the license. See our interview with Marco in our May 23 blog post ( http://gpl3.blogspot.com/2008/05/gpl-project-watch-list-for-week-of-0523.html ).


-Kevin Howard
---------------------------------------------------------------------------------------------------------------------------------------------------------------
Counts for the Week
And of course our counts for the week, as we always do. The last week ended with 2721 GPL v3 projects, up 73 GPL v3 projects. The LGPL v3 count ended with 265 LGPL v3 projects, an increase of 14 projects. And lastly the AGPL v3 count ended with 118 AGPL v3 projects, 5 more than the week before.

---------------------------------------------------------------------------------------------------------------------------------------------------------------
Notable Mention
Palamida actively takes submissions from visitors on updates on new GPL v3/LGPL 3 projects. We are amazed at the number of submissions we have gotten to date, but even more so, we are incredibly grateful to over 100 core contributors who have devoted their time and resources at helping us provide up-to-date information.


The Research Group (rdgroup@palamida.com)
  • Ernest Park
  • Antony Tran
  • Edwin Pahk
  • Kevin Howard


********************************************************************************************************
For more information, go to http://gpl3.blogspot.com/.

To stop receiving these weekly mailings, please send a message to rdgroup@palamida.com with the subject "unsubscribe:gpl3".

To start receiving these weekly mailings, please send a message to rdgroup@palamida.com with the subject "subscribe:gpl3".

********************************************************************************************************

The GPL3 project, sponsored by Palamida, Inc (http://palamida.com/ ), is an effort to make reliable publicly available information regarding GPLv3 license usage and adoption in new projects. The work published on both sites listed below is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 United States License.

********************************************************************************************************

Palamida was launched in 2003 after its founders learned first-hand what happens when companies don't have full visibility into the code base of their software applications based on Open Source Software. Their experiences inspired them to create a solution to streamline the process of identifying, tracking and managing the mix of unknown and undocumented Open Source that comprises a growing percentage of today's software applications. Palamida is the industry's first application security solution targeting today's widespread use of Open Source Software. It uses component-level analysis to quickly identify and track undocumented code and associated security vulnerabilities as well as intellectual property and compliance issues and allows development organizations to cost-effectively manage and secure mission critical applications and products.

For more information about FOSS management solutions, go to http://palamida.com/, or send a note to sales@palamida.com. Please mention the GPL3 site when you reach out to Palamida.



Saturday, June 14, 2008

GPL Project Watch List for Week of 06/13

The GPL v3 Watch List is intended to give you a snapshot of the GPLv3/LGPLv3 adoption for June 7th through June 13th, 2008.

This Week:

  • Week Summary
  • New Projects
  • FOSS licenses based on US Copyright law
  • User Contributions

Two More Weeks...

Only two weeks until the anniversary of the GPL v3 license and the creation of this tracking project. We have come a long way and continue to bring relevant and accurate license information. We hope you have made use of our data and have enjoyed reading our blog.

This week our GPL v3 count is at 2592 GPL v3 projects, an increase of 59 GPL v3 projects. There was speculation as to whether the AGPL v3 would draw projects away from the GPL v3 conversion rate, but this does not seem to be happening. The AGPL v3 count is up 7 projects, bringing it to 109 AGPL v3 projects. The LGPL v3 number is at 251 LGPL v3 projects, up 9 projects from last week.

New project conversions this week include:
  • EasyVote: EasyVote is a new easy to use, secure and transparent cryptographic online voting scheme for small elections (up to 500 voters).
  • ERP4U: ERP4U / ERP for You / Enterprise Resource Planning for You -- Enterprise Resource Planning web based platform implemented on top of Ruby on Rails.
  • Bluetooth Remote: Control your computer using a Bluetooth-enabled mobile phone. Move the mouse cursor, send keystrokes and control the most common applications such as Windows Media Player, Internet Explorer and Firefox.

The Open Source "Market" Killed the Tools Market
Though open source tools can be sold, many are offered for free by developers. The open source market is an odd one, since the price of the code is, for the most part, just the time to download the software. The fact that most open source code is offered for free makes competition extremely hard, as you can imagine, which is a gripe of some commercial developers.

In a recent article, John De Goes argued that "The tools market is dead. Open source killed it." Open source has cut costs dramatically for developers, although they are bound by the licensing terms of the code, which usually keep it free and open. With so many open source tools now available for free, commercial companies cannot use price as a competitive tool, since the open source alternative costs zero. So to be able to charge anything for a developer tool, the product would have to be significantly better than the open source alternative. De Goes says there is a catch to this as well: the cost of learning a new IDE is quite high for most developers, since they are already used to the workings of their current one.

But is killing the tools market really such a bad thing? The death of the tools market was brought about by the birth of the open source market, and those in the open source market would argue that the benefits outweigh the loss. With open source, sharing code has eliminated countless hours spent rewriting code that does the exact same thing. And though this makes it nearly impossible to charge for your software, creating it is significantly easier.

Ohloh is a good site to put things into perspective. For each project, it shows the projected cost if the project were written from scratch. Right away you can see that some projects would cost millions if not for open source. Subversion, for example, is projected to cost $5.2 million if a team were to write the code themselves. With these gains in cost efficiency, I would say the death of the tools market isn't so sad.

References:
http://www.ohloh.net/projects/subversion
http://tech.slashdot.org/article.pl?sid=08/06/10/0228220&from=rss

-Antony Tran


Thanks for the Continued Support and Contributions
Our database is partly maintained by our team of researchers as well by the contributions that are received from the community. Here is a submission we received last week through our web interface:

****************************************************************************
ApacheMap


Description:
The Perl script parses an Apache or Apache2 combined access log for the IP addresses. It then looks up a geo-tag for those locations and, if successful, adds them to a data file which the Google Maps API then displays. So you get all your unique resolvable hits plotted on a map. From 0.3a onwards, new-style blue markers are used which show information about the location when clicked.


Newest Release:
apache-geo-map-0-6b.tar.gz

****************************************************************************
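For readers who want to see what the parsing step in the submission above involves, here is an added example in Python that is not ApacheMap's Perl code: it parses Apache "combined" format lines with a regular expression, discards entries whose client field is a hostname (as logged with HostnameLookups On) or a non-routable address, and counts hits per address, which is the input a geolocation step would take. The sample log lines and the list of non-routable ranges are constructed for illustration; the geolocation lookup and the map data file are left out because they need a GeoIP database or a network call.

```python
import ipaddress
import re
from collections import Counter
from typing import Dict, Iterable, Optional

# Added example, not ApacheMap's Perl: parse Apache "combined" access log lines
# and count hits per routable client address, the input a geolocation step takes.

# LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?$')

# Address ranges that cannot be plotted meaningfully (a hand-picked subset of the
# IANA special-purpose registries, assumed here; review it before relying on it).
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918 private
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",       # loopback, link-local, "this" net
    "100.64.0.0/10",                                    # carrier-grade NAT
    "::1/128", "fc00::/7", "fe80::/10",                 # IPv6 loopback, ULA, link-local
)]


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Fields of one combined-format line, or None if the line does not parse."""
    m = COMBINED_RE.match(line.rstrip("\r\n"))
    return m.groupdict() if m else None


def routable_ip(host: str) -> Optional[str]:
    """Normalised address if host is a routable IPv4/IPv6 literal, else None.
    Hostnames (logged with HostnameLookups On), multicast, the unspecified
    address and the ranges in NON_ROUTABLE are dropped."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return None
    if ip.is_multicast or ip.is_unspecified or any(ip in net for net in NON_ROUTABLE):
        return None
    return str(ip)


def hits_per_address(lines: Iterable[str]) -> Counter:
    """Count parsed hits per routable client address; malformed lines are skipped."""
    counts: Counter = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip = routable_ip(rec["host"])
        if ip is not None:
            counts[ip] += 1
    return counts


# Constructed sample log (RFC 5737 / RFC 3849 documentation addresses).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jun/2008:12:00:01 -0700] "GET / HTTP/1.1" 200 2326 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Jun/2008:12:00:02 -0700] "GET /style.css HTTP/1.1" 200 512 "http://example.com/" "Mozilla/5.0"',
    '198.51.100.23 - frank [10/Jun/2008:12:00:05 -0700] "POST /login HTTP/1.1" 302 - "-" "curl/7.18.0"',
    '192.168.1.10 - - [10/Jun/2008:12:00:06 -0700] "GET /admin HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
    '2001:db8::1 - - [10/Jun/2008:12:00:07 -0700] "GET / HTTP/1.1" 200 2326 "-" "Mozilla/5.0"',
    'crawler.example.net - - [10/Jun/2008:12:00:08 -0700] "GET /robots.txt HTTP/1.1" 200 68 "-" "Examplebot/1.0"',
    'this line is not an access log entry',
]

if __name__ == "__main__":
    for ip, n in hits_per_address(SAMPLE_LOG).most_common():
        print(f"{ip}\t{n}")
```

Two things a practitioner would add before feeding the result into a map page: the referer and user-agent fields come straight from the client, so anything copied from them into generated HTML or JavaScript must be escaped as untrusted input; and a hand-rolled exclusion list like NON_ROUTABLE should be checked against the current IANA special-purpose registries rather than trusted as written.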
We appreciate all the contributions that have been made, either through our form on our web page or by email, and we also like to hear why you are changing your project's license as in the email above. It gives us more insight into which direction license trends are moving. We will continue to post up user contributions to our blog each week, and we may quote parts of your emails. If you wish the email to remain private, just mention so and we will not disclose any part of it.

Much Appreciated,

Palamida R&D Group


Notable Mention
Palamida actively takes submissions from visitors on updates on new GPL v3/LGPL 3 projects. We are amazed at the number of submissions we have gotten to date, but even more so, we are incredibly grateful to the almost 100 core contributors who have devoted their time and resources at helping us provide up-to-date information.


The Research Group (rdgroup@palamida.com)
  • Ernest Park
  • Antony Tran
  • Kevin Howard

Saturday, June 7, 2008

GPL Project Watch List for Week of 06/06

The GPL v3 Watch List is intended to give you a snapshot of the GPLv3/LGPLv3 adoption for May 31st through June 6th, 2008.

This Week:

  • Week Summary
  • New Projects
  • FOSS licenses based on US Copyright law
  • User Contributions

Almost A Year Has Passed
The year has gone by quite quickly since the GPL v3 was first released. We have just entered the month of the release, and it is only 23 days until a complete year has passed. It doesn't seem like we have been tracking the GPL v3 and its derivatives for a year, but it is more believable when you look at the count. Cumulatively, the GPL v3 and its derivatives have gained over 2800 adopters, which is an impressive number. Thousands of projects have adopted the GPL v3, and now we can say more confidently that thousands more will, proving its significance in the open source community. The GPL v3 alone is now at 2533 GPL v3 projects, an increase of 62 GPL v3 projects. The AGPL v3 has gained 2 new projects, and is now at 102 AGPL v3 projects. And the LGPL v3 is now at 242 LGPL v3 projects. These numbers are considerably large and are still growing by the day. We will do a year summary reviewing all the key points of the past year for the anniversary of the GPL v3.

New project conversions this week include:
  • kjscompress: Command line tool to compress and obfuscate Javascript code and compress CSS code. (Based on KJS -- Javascript library included in KHTML.)
  • IT-Inventory: IT Inventory is a web based system for inventorying computers and other IT based equipment. You can also track repair orders for computers.
  • MySXP Open Platform: A SAP-like application for win32, based on MySQL, and mixed with egroupware politics and database compatibility.

FOSS licenses based on US Copyright law

Since most, if not all, US-based FOSS licenses rest on US Copyright law (the Constitution authorizes Congress to grant copyrights; the term itself is set by statute), all carry the same "life of the creator plus 70 years" term for works by individual authors, so length alone is not an advantage. Also, a work or creation is considered "copyrighted," at least under US law, as soon as it is "fixed in a tangible medium," which can mean bits saved on a magnetic disk. But while something may be "copyrighted," it is more difficult to enforce a copyright without a written registration with the US Copyright Office. Compare proving in a court of law that you "own" electronically distributed code merely by saying that you created it, with having documented proof that you are the author and registered the work on a particular date. To be in technical compliance with US Copyright law, and to keep a copyright registration current, the creator of a software project would probably have to periodically re-register the work as it grew and progressed, since adding new code adds new "creative elements" which are in themselves copyrightable, and also changes the original work enough that it becomes something different, thus requiring a new registration.

In my opinion, it is actually a disadvantage to not license a work and leave it up to US Copyright law. If you look at the rights granted under US Copyright law ( http://www.copyright.gov/circs/circ1.html#wci ) you can see that the first three of those rights (right to reproduce, right to prepare derivative works, and right to distribute copies) seem to be pretty easily applicable to software code, but were obviously not originally conceived with electronic bits traveling around the Internet in mind.

So, not only do they not quite fit, they are fairly restrictive in terms of only granting any of these rights to the original creator of the work. So, before anyone can perform any of the "rights" related to the "work" granted to the original copyright holder, the original copyright holder must give permission. Combine the clunkiness of this method of permission with the instantaneous worldwide distribution system of the Internet and you have an unmanageable mess of trying to coordinate and keep track of who has what rights. Remind you of anything? Digital music?

FOSS licenses are written specifically for software code and define, to varying degrees, what can be done with that code and by whom. FOSS licenses are used by the holder of an original copyright in a creative software "work" to grant the permission ("license") mentioned above to others for others' use. FOSS licenses actually improve the efficiency of the open source movement. Keep in mind that the same rights granted under US Copyright law that are the foundation of FOSS licenses are the same rights that are the foundation of closed-source and proprietary licenses, so you can see that the structure of any given license can lead to dramatically different outcomes for what happens to software code depending on how various rights are granted or restricted.

-Kevin Howard


Thanks for the Continued Support and Contributions
Our database is partly maintained by our team of researchers as well by the contributions that are received from the community. Here is a submission we received last week through our web interface:

****************************************************************************
Gloss


Description:
Gloss is intended to be a drop-in replacement for the existing MythTV frontend. It is written in Python, but uses the Clutter OpenGL framework with the intent of producing a visually richer interface than the existing MythTV frontend.

Newest Release:
gloss-0.1-rc1.tar.gz
****************************************************************************
We appreciate all the contributions that have been made, either through our form on our web page or by email, and we also like to hear why you are changing your project's license as in the email above. It gives us more insight into which direction license trends are moving. We will continue to post up user contributions to our blog each week, and we may quote parts of your emails. If you wish the email to remain private, just mention so and we will not disclose any part of it.

Much Appreciated,

Palamida R&D Group


Notable Mention
Palamida actively takes submissions from visitors on updates on new GPL v3/LGPL 3 projects. We are amazed at the number of submissions we have gotten to date, but even more so, we are incredibly grateful to the almost 100 core contributors who have devoted their time and resources to helping us provide up-to-date information.


The Research Group (rdgroup@palamida.com)
  • Ernest Park
  • Antony Tran
  • Kevin Howard





Friday, May 16, 2008

GPL Project Watch List for Week of 05/16

The GPL v3 Watch List is intended to give you a snapshot of the GPLv3/LGPLv3 adoption for May 2nd through May 16th, 2008.

And We Are Back
As mentioned in our last posting, we have been making some changes to our database, so our numbers were stagnant up until yesterday. We have been changing our internal interface to make our research more efficient and accurate. Most of the work is behind us now and our numbers are back up to date. For those of you who track our numbers carefully, you will have noticed the large jump in projects over the last couple of days. That was partly from the completion of the changes as well as from inputting two weeks of data. We missed last week's post due to the maintenance.

As of today, May 16th, our count for the GPL v3 is at 2371 GPL v3 projects. Since our last post, this is 160 new GPL v3 projects, accumulated over a little more than two weeks. This matches our estimate of approximately 50 projects per week. The AGPL v3 is still growing and is at 86 AGPL v3 projects, soon to hit 100. And the LGPL v3 count is now at 219 LGPL v3 projects, up 19 projects since our last posting.

This Week:

  • New Projects
  • This Week's Story: Storage and Computing "on the cloud"
  • See you later! LGPL's "or later" may be right now at discretion of the user.
  • User Updates

New project conversions this week include:
  • eyeEdu: eyeEdu is a web-based desktop (built from the eyeOS project), redesigned for the use of kids. Many applications are included that combine learning and fun, along with an intuitive kid-friendly interface.
  • AsmFile: AsmFile is a small and fast file manager written in assembler. It uses a two pane interface like "mc" and other file managers. AsmFile runs in a console or a terminal window.
  • Quakey: Quackey is a somewhat simplified but mostly feature-complete version of the Perquackey anagram word-building game.

Storage and Computing "on the cloud"
"Cloud services" such as online storage and computing resources have become a popular topic recently, with major players like Microsoft, Google and Amazon offering the use of fractions of their respective server farms to users. Amazon's Web Services ( http://www.amazon.com/webservices ) appears to be the heavyweight so far, offering unlimited computing and storage capacity and no monthly minimum service charges – you pay for what you actually use. However, it is oriented toward developers, not the regular consumer. Amazon's service is divided into a number of different functions developers might need, such as virtual computing environments, simple database querying, storage and a message queue service. These services are fully operational, not limited beta programs. Google's App Engine ( http://code.google.com/appengine/) is also available to developers, making Google's computing infrastructure available to them using Google's development tools. Google's App Engine is available only on a limited basis at this time.

A small sub-industry is developing around making developer-oriented resources like Amazon's available to consumers. Developers of products such as JungleDisk ( http://jungledisk.com/ ), an online backup and storage application, and DropBox ( currently in beta, http://www.getdropbox.com/ ), a content sharing and collaboration tool, write consumer-friendly front-ends that interface with Amazon's underlying cloud infrastructure.

Consumer-oriented storage services are also available. Microsoft's SkyDrive ( http://skydrive.live.com/ ), Microsoft's Live Mesh (coming soon - http://mesh.com/), AOL's Xdrive ( http://www.xdrive.com/ ) and Yahoo's Briefcase ( http://briefcase.yahoo.com/ ) are four examples from major players. These services are free, though storage space is limited (SkyDrive - 5GB, Live Mesh - 5GB, Xdrive - 5GB, Briefcase - 30MB) and allow users to upload files directly to the service, almost as if the service were an additional hard drive available to the user.

It will be interesting to see to what extent users and developers are willing to allow a third party to store and manage their data and computing processes. One huge benefit of doing so is that users and developers have access to virtually unlimited computing and storage resources, available on demand and paid for as they are used. There is no need to invest in your own server farm. It is unclear at this point whether any FOSS licensing issues will arise as a result of a user's local application interfacing with a cloud-based computing resource. For pure storage-type applications there doesn't appear to be any potential for FOSS licensing conflicts, but it is possible that a cloud-based infrastructure resource that plays a significant role in a tightly integrated computing process, including local computing resources, may warrant consideration of such licensing issues.

-Kevin Howard

http://blog.jungledisk.com/2008/05/06/another-cloud-storage-provider-enters-the-fray/
http://blogs.sun.com/jonathan/entry/opensolaris_amazon_mysql_and_glassfish



See you later! LGPL's "or later" may be right now at discretion of the user.
In July of last year, I posted an explanation of the reason that we give such significance to the "or later" option associated to the use of a GPL license. http://gpl3.blogspot.com/2007/07/gplv3-overwhelming-support-if-you-know.html. Matt Asay supported my well researched position on the impact of "or later". http://www.cnet.com/8301-13505_1-9798242-16.html

While I always want to believe that developers use our research and analysis of FOSS licensing, this is an example that was posted on the site. The biggest issue here is not that JasperReports is available under LGPLv3. The problem is that OSS licensing can be so complex that thinly staffed and over-worked development teams can unintentionally overlook how a license is implemented, the results of which can have unexpected implications.

As of this week, there are 6739 projects with releases licensed under GPL "or later". While I am sure that a number of these are representative of the support and solidarity that many developers have for FSF and GNU licenses, there may be a large number that are accidentally released under the latest GPL, at the user's choice.

****************************************************************************
Verified against version 2.0.5 on 5/16/08.
From JasperReport.java
/*
* ============================================================================
* GNU Lesser General Public License
* ============================================================================
*
* JasperReports - Free Java report-generating library.
* Copyright (C) 2001-2006 JasperSoft Corporation http://www.jaspersoft.com/
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; either
* version 2.1 of the License, or (at your option) any later version.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this library; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307, USA.
*
* JasperSoft Corporation
* 303 Second Street, Suite 450 North
* San Francisco, CA 94107
* http://www.jaspersoft.com/
*/
****************************************************************************

This is from the LGPL v2.1, found at http://www.gnu.org/licenses/old-licenses/lgpl-2.1.html

Note the specific language from section Titled "TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION", section 0 , which reads . . .

"Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. "

__________________________________

Taken from a comment posted on http://gpl3.blogspot.com/2008/04/gpl-project-watch-list-for-week-of-0418.html

Nick Halsey said...
A quick correction - JasperSoft has not yet adopted v3 of either the GPL or LGPL, though we are currently studying this option. Currently we license JasperReports under LGPL v2, and the rest of the JasperSoft Business Intelligence Suite under GPL v2.
April 23, 2008 7:36 PM
__________________________________

After reviewing the information above, in this example JasperReports version 2.0.5 licenses a user to distribute and modify under the specific terms and conditions of the "GNU Lesser General Public License as published by the Free Software Foundation; either version 2.1 of the License, or (at your option) any later version", such as version 3.

question: Is JasperReports release version 2.0.5 available under the terms and conditions of the LGPL v3?
While the developers chose to license the use of the software to be governed by the terms of the LGPL v2.1 and have not distributed an LGPLv3 release, it is possible that developers could download and redistribute JasperReports under LGPL v3.
answer: At the discretion of the users, as permitted within the terms of the license for JasperReports, maybe.

- Ernest Park
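The header check walked through above, as an added example that is not part of the original post and not JasperSoft's code: a small Python scanner that reads a GNU-style license header, records the stated version and whether the "or (at your option) any later version" clause is present, and expands that into the license versions a recipient could redistribute the file under. One input is the JasperReports 2.0.5 header reproduced above; the GPLv2-only and AGPLv3 headers are constructed here for contrast, and the list of FSF-published versions is an assumption embedded in the code.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumption: versions of each GNU license family that the FSF has published.
# An "or (at your option) any later version" clause lets a redistributor pick
# any of these at or above the version named in the header.
PUBLISHED_VERSIONS: Dict[str, List[str]] = {
    "GPL": ["1.0", "2.0", "3.0"],
    "LGPL": ["2.0", "2.1", "3.0"],
    "AGPL": ["3.0"],
}

# Most specific family first so "GNU Lesser General Public License" is not
# misread as plain GPL.
FAMILY_PATTERNS = [
    ("AGPL", re.compile(r"GNU\s+Affero\s+General\s+Public\s+License", re.I)),
    ("LGPL", re.compile(r"GNU\s+(?:Lesser|Library)\s+General\s+Public\s+License", re.I)),
    ("GPL", re.compile(r"GNU\s+General\s+Public\s+License", re.I)),
]
VERSION_RE = re.compile(r"version\s+(\d+(?:\.\d+)?)\s+of\s+the\s+License", re.I)
OR_LATER_RE = re.compile(r"\bany\s+later\s+version\b", re.I)


def _vtuple(v: str) -> tuple:
    return tuple(int(p) for p in v.split("."))


@dataclass
class LicenseGrant:
    family: str      # GPL, LGPL or AGPL
    version: str     # version named in the header, e.g. "2.1"
    or_later: bool   # True when the "any later version" clause is present

    @property
    def spdx(self) -> str:
        """SPDX-style identifier, e.g. LGPL-2.1-or-later or GPL-2.0-only."""
        return f"{self.family}-{self.version}-{'or-later' if self.or_later else 'only'}"

    def available_versions(self) -> List[str]:
        """Versions a recipient may choose when redistributing this file."""
        published = PUBLISHED_VERSIONS[self.family]
        if not self.or_later:
            return [self.version] if self.version in published else []
        return [v for v in published if _vtuple(v) >= _vtuple(self.version)]


def _flatten_comment(text: str) -> str:
    # Drop comment leaders (/* * // #) so a phrase split across header lines,
    # such as "either / version 2.1 of the License", matches as one run.
    return " ".join(line.strip().lstrip("/*#").strip() for line in text.splitlines())


def parse_license_header(text: str) -> Optional[LicenseGrant]:
    """Return the grant stated in a GNU-style header, or None if none is found."""
    flat = _flatten_comment(text)
    family = next((name for name, pat in FAMILY_PATTERNS if pat.search(flat)), None)
    m = VERSION_RE.search(flat)
    if family is None or m is None:
        return None
    raw = m.group(1)
    version = raw if "." in raw else raw + ".0"   # "version 2" -> "2.0"
    return LicenseGrant(family, version, bool(OR_LATER_RE.search(flat)))


def audit(sources: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Map each file to its SPDX identifier (None when no GNU grant is stated)."""
    result: Dict[str, Optional[str]] = {}
    for path, src in sources.items():
        grant = parse_license_header(src)
        result[path] = grant.spdx if grant else None
    return result


# The grant lines from the JasperReports 2.0.5 header quoted in the post.
JASPER_HEADER = """\
/*
 * This library is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public
 * License as published by the Free Software Foundation; either
 * version 2.1 of the License, or (at your option) any later version.
 */"""

# Constructed for contrast, not taken from any real project.
GPL2_ONLY_HEADER = """\
/* This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; version 2 of the License only.
 */"""

# Constructed for contrast, not taken from any real project.
AGPL3_OR_LATER_HEADER = """\
# This program is free software: you can redistribute it and/or modify it
# under the terms of the GNU Affero General Public License as published by
# the Free Software Foundation, either version 3 of the License, or (at your
# option) any later version."""

SAMPLE_FILES = {
    "JasperReport.java": JASPER_HEADER,
    "kernel_module.c": GPL2_ONLY_HEADER,
    "service.py": AGPL3_OR_LATER_HEADER,
    "vendored_blob.c": "int main(void) { return 0; }",
}

if __name__ == "__main__":
    for path, spdx in audit(SAMPLE_FILES).items():
        print(f"{path}: {spdx}")
```

Run against a checkout, the scanner turns the ambiguity in the post into a concrete list: a file whose header carries the "or later" clause is reported as `LGPL-2.1-or-later` with `2.1` and `3.0` both available, while a `-only` grant pins a single version. Wording a header never seen before (a custom notice, a license referenced only by a LICENSE file) yields `None`, which is the case to route to a human rather than assume.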


Thanks for the Continued Support and Contributions
Our database is partly maintained by our team of researchers as well as by the contributions that are received from the community. Here is a submission we received last week through email:

****************************************************************************

Métamorphose


"Hello,

...Just wanted to let you know my program is now on gpl3 since the last release earlier this year. The newer alpha version is also on v3.

cheers

- ianaré sévi"

Description:
A cross platform file and folder mass renamer, allows many different renaming operations in a GUI. Features include search and replace (with RE), insert, numbering, date/time, id3 & EXIF tag read, change length, get all files in sub-dirs, undo/redo, etc.

Newest Release:
1.1.0 stable
****************************************************************************

We appreciate all the contributions that have been made, either through our form on our web page or by email, and we also like to hear why you are changing your project's license as in the email above. It gives us more insight into which direction license trends are moving. We will continue to post up user contributions to our blog each week, and we may quote parts of your emails. If you wish the email to remain private, just mention so and we will not disclose any part of it.

Much Appreciated,

Palamida R&D Group


Notable Mention
Palamida actively takes submissions from visitors on updates on new GPL v3/LGPL 3 projects. We are amazed at the number of submissions we have gotten to date, but even more so, we are incredibly grateful to the almost 100 core contributors who have devoted their time and resources to helping us provide up-to-date information.



The Research Group (rdgroup@palamida.com)
  • Ernest Park
  • Antony Tran
  • Kevin Howard