One of the hidden gems of the free and open source software world is the Free Software Foundation-Europe’s annual Legal and Licensing Workshop, an event for members of the group’s legal network mailing list.
Held now for a little over a decade, the workshop is a great way for invitees to stay current with the open source legal world. This year’s three-day conference just wrapped up, so I thought I’d share my thoughts on it as a long-time attendee.
The conference operates under the Chatham House rules to allow for more candid discussion. In keeping with that rule, this blog post generally won’t name speakers unless they explicitly waived the application of the rule.
Licensing, licensing, licensing
The conference may touch on other themes, but in general discussion always comes back around to one thing: the many ways you can think about licensing.
New tooling and data standards
One aspect that is always discussed is how to better manage licensing information. A full, top-to-bottom license analysis of just the Linux kernel can generate a few hundred thousand discrete pieces of information, with each file having associated license information, copyright information, and related analysis.
All of this needs to be tracked—and managed again for the next release of the upstream project, the downstream product, or both. So aggressive license compliance, a must-have for the biggest software companies, is a big cost.
In this vein, several tools came up quite a bit—some newer and some older:
- sw360: Originally a Siemens internal tool, this new Eclipse project aims to track information about software artifacts inside large enterprises, so that it can be efficiently reused.
- Reuse: This new FSF-E project is an attempt to combine the best of human-readable and computer-readable license metadata—an admirable, if difficult, goal.
- SPDX: While there were no presentations solely on SPDX, it remains a key building block for many different tools and approaches. As a result, it came up repeatedly throughout the conference.
- FOSSology: This is one of the oldest tools in the scanning world, but I picked up a renewed sense of momentum around it this year. An increasing number of tools seem to be using it as a reference or integration point, which can only help the project in the long run.
- Quartermaster: This tool for managing compliance information is still in very early days (0.1!) but doing some interesting things. In particular, it is attempting to ensure that license information matches with the source code that is actually used—a change that potentially could streamline a lot of compliance work.
Simon Phipps speaking about the success of open source
Older systems working to keep up
Despite all the new tools, and the ongoing surge of interest in open source, many older systems and groups are still relevant.
- Open Source: We tend to take the Open Source Initiative and the Open Source Definition for granted as rocks that have underpinned so much else for twenty years. Simon Phipps of the OSI spoke on how that organization has (and hasn’t) changed over the past twenty years, while McCoy Smith of Intel used the past 20 years of license approvals to suggest that the Open Source Definition may not always be clear—even to the experts who think they know it best.
- Copyleft: More than 30 years after Richard Stallman coined the phrase, we’re still debating copyleft. One workshop asked how copyleft might respond to the vast changes in the industry in the past decade (I spoke on this topic at FOSDEM). Unfortunately, the workshop did not report any amazing solutions, but I’m still glad that this important discussion is starting.
On the flip side, James Bottomley, the most-bowtied Linux kernel developer, gave a presentation on how to work with the copyleft we’ve already got by explaining copyleft to businesses. This is still a challenge after all these years, and James’ positive approach was refreshing.
- Literally old systems: In a first, the conference included a workshop on estate planning for floss developers—increasingly relevant as the first large wave of open source developers ages!
- License explainers: FSF did a workshop on updating its licensing materials to better explain the GPL. My understanding is that some low-hanging fruit were found—not surprising given the extent of that documentation. I’m glad the organization is paying attention to the ease of use of their licenses, and hope it continues.
Better licensing compliance
Besides tooling and data, there are a lot of other paths to better license compliance. Some things that came up:
- Sharing metadata: Virtually every large company doing open source spends a lot of time cleaning up licensing information; but there is very little sharing of the results, which seems counter-intuitive in a movement based on sharing. I understand this conundrum much better after an excellent workshop about Oliver Fendt’s “sharing creates value” project.
Critically, when risk is high, highly-detailed metadata is not enough. You must also trust the process that creates the metadata, and sharing this is much harder than merely sharing data. Oliver’s project attempts to tackle this in a variety of ways, but the most interesting to me was a standardized, agreed-upon checklist of review steps, so that all participants would know the same basic steps had been taken.
- OSADL checklists project: The problem of “what steps must be taken to comply with a license” is practically the oldest problem in open source compliance, but this set of checklists takes the problem to a level of rigor I have not previously seen. I suspect it will be useful in a variety of ways, especially as open source’s complexity grows and rigorous, automated approaches become more valuable.
- The Linux kernel’s file-level metadata efforts: The Linux kernel’s effort to radically improve license metadata information is very impressive, and came up in almost every workshop I attended. It is exciting, but also intimidating: the amount of time and effort that has gone into the project, which is not yet complete, is going to be difficult to scale.
With all the talk of progress and improvement, there are a few lurking challenges that came up repeatedly throughout the conference. A couple seem particularly worth noting:
- Better for who?: While we often spoke of things getting better, I rarely saw the question asked who is this better for? The assumption is often that anything that leads to more precise and accurate compliance is better for both enterprises and authors. Given the growing costs of compliance, and the extreme rarity of enforcement by authors, I increasingly wonder if this assumption is accurate.
- Tension between simplicity and compliance: Containers have solved many problems for developers, but Dirk Hohndel of VMware spoke persuasively on the problems they cause for compliance. This is the latest example of tools that make using open source easier, but also unintentionally break compliance by disposing of metadata or source code. Hopefully this time we can resolve the tension more constructively.
- Motivation: A common thread throughout many of the discussions was the assumption that maintainers would welcome and embrace all the new license-related work that companies are asking of them. I’m not sure that this is correct. Of course, every maintainer I’ve ever met wants their software to be used more—but many are also skeptical of new commitments that seem to primarily benefit the largest users of their projects, with little additional value for the developer or median user.
- Fatigue: It is great that open source lawyers are constantly talking about licensing, because it indicates a lot of concern for the intent of open source maintainers. But it is also such a dominant theme in the open legal world that it can be tiring. This year, this was reflected not just in the hallway track, but in a full workshop on licensing fatigue. I wasn’t able to attend that workshop—but I understand the feeling!
Beyond software licensing
The conference often covers quite a bit of ground outside of licensing, especially when topics are “hot” outside of open source. This year, three themes were mentioned in passing, but maybe not with the level of focus you might expect.
- GDPR: Many conference attendees missed sessions because of frantic client calls about the EU’s new General Data Protection Regulations. But it only came up directly in one talk, about the EU’s requirements for “algorithmic transparency”: i.e., the requirement that companies explain certain algorithms that process user data. In theory, open source should shine here, since all the algorithms are public, but explaining what is going on may still be hard. Given how many open source projects are currently working on GDPR compliance (like Wordpress) it is too bad this wasn’t a bigger topic of discussion.
- Blockchain: Besides a formal workshop on blockchain project governance, the hallway track featured the same refrain as many other tech conferences in 2017 and 2018: “can you do this on the blockchain?” This question was surprisingly useful, because it focused discussions on trust in a constructive way, even when the answer was clearly not “do this on the blockchain.”
- Diversity: The law is generally more diverse than technology—more than half of law school graduates in the US are women. But women drop out of the profession at higher rates than men, and underrepresented minorities face a variety of challenges, including potential implicit biases in work evaluation.
Unfortunately, at this year’s conference, slightly less than 20% of speakers were women, and the attendee count was similarly skewed. While I don’t believe this reflects any ill-intent by conference organizers (indeed, this is still the only legal conference I’ve ever attended that has an event code of conduct), it does suggest we all need to continue to press forward. (And there were no talks about diversity or codes of conduct, despite it being a growing challenge for open source projects—hopefully something we can remedy next year.)
Law moves slowly, but the lawyers who work around open source do an admirable job trying to keep up with the movement of open source. As always I look forward to next year’s conference to see what we’ve collectively learned (or forgotten) in the intervening year!