
Open source licenses: 2019 year in review

by Luis Villa
on January 23, 2020

2019 was the most active year in open source licenses in a very, very long time, with news from China to Silicon Valley, from rawest capitalism to most thoughtful ethics. Given all that, I thought it would be worth summarizing the most interesting events, and sharing some reflections on them.

Growth in China

China has been a slowly but steadily growing factor in open source for quite some time. Last year saw one of the first GPL enforcement lawsuits in China, and 2019 saw two more important steps.

The first was the publication of the 996.icu license in late March. It is now the second-most starred repo in all of GitHub. More about it below (including why it isn’t open source per se), but for a new license like 996.icu to have one-quarter million stars, much less a Chinese one, is a significant cultural milestone for open source.

The other big milestone in 2019 was the first formal submission of a Chinese-language license by a Chinese entity to the Open Source Initiative. Putting aside whether translated licenses are a good idea, this license submission is a sign that China continues to integrate itself very fully into the open source community—not just in development work (which has been going on for many years now) but on the legal side as well.

Organizations changing

The Open Source Initiative and Free Software Foundation remain the two most important organizations in the licensing space, and both had notable years.

OSI’s evolving process

The Open Source Initiative’s license-review process has been, for a long time, fairly informal. When I chaired the process some years ago, I introduced a few procedural reforms, but they were ultimately fairly minor—and published at a time when few genuinely controversial licenses were reaching the OSI.

In the midst of a challenging wave of new licenses and critiques of the OSI (more later on this), board members have been pushing the organization towards a more structured licensing process (January, May). This work should be celebrated, both because it will make the process more fair, and because the additional transparency may help the OSI effectively grapple with some difficult issues.

OSI’s new board

In related news, March 2019’s board election led to an OSI board that is much more inclusive of a new generational wave of open source than ever before, with representatives from big companies and the first publicly elected candidate from outside the US and Europe. The membership’s election of an entirely female slate of candidates was also a clear repudiation of the sexist harassment some of the candidates faced.

The FSF’s rough year

Unfortunately, these improvements at OSI come at a time when the Free Software Foundation is undergoing extreme challenges. Richard Stallman resigned from the FSF in September, but the board remains mostly comprised of long-time associates of Stallman’s—a stark contrast to the fresh, publicly elected OSI board. Indeed, instead of bringing in new blood, the board has almost completely lost its younger board members, with Bradley Kuhn and Mako Hill resigning in October, following Matthew Garrett (who left before this latest crisis).

This leadership problem is not incidental to licensing. When GPL v3 was released in 2007, the FSF had a commanding position in the licensing landscape, stewarding the most popular license in FOSS. In the decade-plus since then, that position has been lost—GPL v3 has not seen adoption by significant projects, nor had a substantial impact in preventing widespread adoption of DRM (arguably the most significant policy goal of GPL v3). 

During that same period, under Richard’s direction, the organization failed to effectively address the rise of network services, the creation of entire new toolchains like Kubernetes, or important social questions like contributor diversity and financial sustainability. Given these significant failures, Richard should have stepped aside—even if he hadn’t been a serial harasser of women.

This vacuum left by FSF’s lost decade is in large part responsible for many of 2019’s other licensing trends—as I’ll discuss next.

Challenges for the OSI

It’s worth noting that, despite the positive progress made by the OSI, the year has also seen several explicit rejections of the OSI’s work.

One of these has been the “Commercial Open Source Software” coinage and event. More on it below, but the core of the challenge is based on the notion that the OSI is no longer representative of the broader open source movement, and licenses that explicitly prohibit competition should still be welcome in some definition of “open source.”

Relatedly, Kyle Mitchell, perhaps the lawyer who has most embraced the open source ethos of “release early, release often,” has explicitly rejected the OSI process for his (many) new licenses and licensing-related experiments. The list of licenses and licensing-related projects he’s written or contributed to in the meantime is lengthy.

(I should disclose here that Kyle and I work together quite a bit, and I co-authored a license with him in 2019—the Blue Oak Model License—that I volunteered to submit to the OSI as a guinea pig to test any improved processes.)

To some extent, these challenges are inevitable—there’s never been a large, growing movement of human beings that has not eventually fought over definitions and structures. So while this fragmentation may not be ideal, it is also a sign of growth and evolution—much better than a movement that is dying!

An open question for the leadership of both FSF and the OSI is how they react to this growth. Do they demand respect on the basis of things that were written and created a literal generation ago? Or do they see these changes as an opportunity to respond with persuasion, education, and activity? I hope for the latter, of course, but particularly for FSF, 2019’s leadership challenges may be too great to overcome.

This question isn’t just important for these organizations. Everyone in software (especially the movement’s corporate beneficiaries) should be asking whether they benefited from the licensing stability of the past fifteen years, and if so, what they can do to extend it. As the events of 2019 made clear, this situation can’t just be taken for granted—we will need active work to maintain it (or conscious, careful work to reassemble it constructively).

The rise(?) of “ethical” licenses

The question of how “political” open source licenses should be is one that flares up every once in a while. For example, I wrote about a backlash against GPL v3 for being “too political” in 2007, and Kyle Mitchell wrote something similar in September. In 2019 though, the push for increased ethics in licensing was active and sustained in a way that I don’t think we’ve ever seen before.

Lerna and ICE

This discussion was (re)started in late 2018, when the Lerna project briefly blocked use by ICE and other US government agencies. While that particular license change was quickly revoked, it set the stage for a larger discussion in 2019 (including discussions that spilled over from licensing into corporate behavior).

996.icu

The first big news item of the year in this area was the 996.icu license, in which Chinese developers attempted to use licensing to combat rampant violation of Chinese labor law. Putting aside for a moment whether or not this was effective, or even a good idea, there are several important takeaways: 

  • This was perhaps the first example of a huge, bottom-up developer-led licensing movement in quite some time—and it came from China, not the WEIRD countries
  • The leaders of the movement explicitly said they were inspired by free and open source’s history of “programmers fighting for rights” and said that they felt the license was “exactly the embodiment of the spirit of free and open source software.”
  • One-quarter of a million people supported it on GitHub. 

Unfortunately, the formal leadership of the free and open source movements gave, at best, tepid support to this literally unprecedented show of interest—a squandered opportunity to build bridges and interest, in my opinion.

Hippocrates and beyond

Another significant moment in the year’s discussion of ethics in licensing was when Coraline Ada Ehmke (author of the extremely popular and useful Contributor Covenant) published the Hippocratic (aka Do No Harm) License. Coraline is also actively organizing a group of people interested in the ethics problem, outside of the OSI and FSF. My take is that it is very complicated to write this sort of license, but Coraline’s work is the most serious (non-996) attempt to challenge FSF/OSI’s hegemony that I can recall in a very long time.

Other licenses have taken up this torch as well. During the year, the OSI saw requests for comments on the Working Class License and a license “respecting European values” like privacy, both of which are roughly what they sound like on the label. There is also now an anti-carbon license, and I’m sure others I have not yet seen. We should expect to see more of the same in 2020.

Responses from the OSI and FSF

It’s perhaps not surprising that OSI and FSF have responded coolly to these new licenses. As Christie Koehler pointed out in a summary of the situation, the OSI and FSF have an unambiguous history of arguing that source should be usable by everyone, even the “bad guys,” and she shared some pretty good (though not iron-clad) reasons why that still makes sense.

At the same time, many of those discussions happened two decades ago—and since then the OSI and FSF have not done a particularly good job (re-)articulating why those libertarian principles should apply in a world where ethical and political questions have become more salient on a daily basis for many of us.

One ethical license written in 2019 appears to have been specifically created to force the OSI to reckon with this history. The anti-vaccine license submitted to the OSI was relatively carefully drafted, and then submitted pseudonymously by someone who appears to have enough experience to know it would be forcefully rejected.

So why write it, knowing it would be rejected? The author says that “[t]here is a rising sentiment in the Open Source community that we give too much and ask for much too little”, and then asks the OSI to come to terms with that. The OSI can view this as an opportunity, using its improved process to make clear why the organization feels these rules are still important and relevant, and perhaps even elaborating constructively on OSI’s mid-year statement on morality in software. But whether or not OSI takes advantage of the opportunity remains to be seen.

Money, money, money

Inevitably, as open source has “won,” money has become ever more central to how it functions. It turns out it is hard to sustain the entire software industry on a part-time basis! Licensing has not played a central role in this discussion, but 2019 gave several examples of how licensing and money are entangled.

Explicitly commercial standardized licenses

Part of the Kyle Mitchell License Avalanche of 2019 was an uptick in adoption of his License Zero, an explicitly commercial (not open) licensing system with built-in payment mechanisms. (Kat Marchán has written about her adoption of it, as has Tidelift participant Feross Aboukhadijeh.)

A group of attorneys also published a set of standard, but again very explicitly commercial/not-open, licenses as the Polyform Project.

While the lawyers involved in these (including Kyle, Heather Meeker, and me) would be the first to tell you that these licenses aren’t open source, I include them here because they bear two key similarities to open source licenses.

First, they explicitly aim to simplify and reduce the cost of licensing by standardizing it. This standardization is, in a very real sense, a legal technology pioneered by open source, and in 2019 finally being systematically made available to other parts of the legal-tech industry. Secondly, particularly for License Zero, the audience of these licenses is developers and small shops—groups traditionally well-served by open source and ill-served by the legal industry. It’s possible that this approach will appeal to them.

Commercial “open source”

In late 2018, Mongo submitted the Server Side Public License to the OSI, intended to replace the AGPL with a license that was more aggressive and protected their business from cloud vendors. In 2019, this trend accelerated and turned into a movement of a sort, with Redis using a new source-available license. These discussions eventually snowballed into something calling itself Commercial Open Source Software, centered around an Open Core Summit.

The entire thing was a little odd, given that open source has (from literally the time the phrase was coined!) been pro-commerce, and given that the nominally pro-commerce COSS folks appeared to be arguing primarily for licenses that...oppose commercial use.

While I think some of the readings of this have been uncharitable, suffice it to say that this messaging has been at best very confusing and at worst perceived as an active attack on the definition of open source by venture capitalists who want Red Hat-like returns without putting in the effort.

Regardless of the confused messaging, I expect we’ll see more of this in 2020—in both good and bad faith.

New network copyleft, and going beyond copyright

Over the past decade, the FOSS movement has not had a particularly coherent response to the industry’s shift from self-hosted services to the corporate-hosted clouds. FSF’s AGPL v3 was the last major attempt to address this, but FSF has failed to advocate for (or improve) the license in a sustained, systematic way.

2019 saw three serious attempts to address this gap.

CopyleftConf

In February 2019, following the annual FOSDEM conference in Brussels, the Software Freedom Conservancy hosted the first “CopyleftConf.” This was an attempt to reinvigorate copyleft by getting advocates for it together in one place to share ideas for the future.

Meetings can only do so much, of course. But the existence of the event is a good sign that many people realize that copyleft is not a self-fulfilling prophecy, and must (like any software product!) be constantly refined and promoted. I look forward to attending the next one.

Cryptographic Autonomy License

Shortly after presenting at CopyleftConf on the “maximum allowable scope of copyleft,” Van Lindberg published the first draft of the Cryptographic Autonomy License, with the stated goal of “protect[ing] people’s rights to their data.”

There are a lot of interesting innovations in the CAL, but the one that is perhaps most interesting is exactly that up-front goal: the expansion of copyleft to data. In this vision of copyleft licensing, data is nearly as important to users as source code—if one can’t export data from a service, then full source code access is arguably useless.

This clause is both a very modern issue, given the proliferation of software-as-a-service, and a very old one. GPL has long recognized that source code that can’t be installed is not very useful, requiring installation scripts in GPL v2 and potentially cryptographic keys in GPL v3. CAL takes that to the next logical step, understanding that for many users a service with source but no data is useless.

CAL has faced a lengthy approval process, which is still underway and controversial as I write this (nine months after the initial submission). This is not surprising, given how aggressive the license is, but still somewhat disappointing. In particular, Van’s motives have been repeatedly questioned, and at least some discussants of the license have essentially proposed conditions that would block any extension of copyleft unless done by the FSF—which can’t be healthy for the future of copyleft. 

Parity

CAL is a lawyer’s license, similar in complexity to other existing strong copyleft licenses. Parity, from Kyle Mitchell, is an attempt to go in the other direction: an extremely broad copyleft, in extremely straightforward language, designed to appeal to developers rather than attorneys. It saw two releases in 2019 (6.0.0 and 7.0.0). I’ve long been an advocate of simplified drafting, so it will be interesting to see whether this path yields significant adoption in 2020.

2020 will be more of the same

Open source has, in many important ways, won. Virtually everyone who writes software uses it. But that also means that everyone who writes software has a stake in what open source is and can mean. 

In a politically charged moment (spanning the gamut from Chinese labor to global carbon extraction to Silicon Valley VC), that growth in open source is inevitably going to lead to contestation of what the term should mean—and what our licenses should do. So expect more of the same in the year to come, as we continue to argue about what our legal tools can and should do.
