OSI Approves New Open-Source License

The Common Public Attribution License took nine months to win approval.

PORTLAND, Ore.—The Open Source Initiative approved on July 25 its first new license in quite some time: the Common Public Attribution License, which is essentially the Mozilla Public License with a new attribution clause.

But the road to approval was long and expensive, Ross Mayfield, CEO and co-founder of Socialtext, which submitted the license, told eWEEK in an interview at the OReilly Open Source Conference here.

The Palo Alto, Calif., company, which provides enterprise wikis, started the process some nine months ago with its original submission to the OSI, known as the General Attribution Provision, or GAP, with the goal of filling a gap that exists in open-source licensing around attribution, he said.

The reason for that submission was that there were about 40 Mozilla-like attribution licenses, none of which followed the OSI submission process, including SugarCRM, Scalix, MuleSource and Zimbra.


Many companies have created their own derivatives of the Mozilla Public License. Read more here.

Several of those licenses require developers to use "badgeware," a prominent display of the licensing companys chosen logo, if they use the code. In SugarCRMs case, that is a "Powered by SugarCRM" logo that must be at least 106 by 23 pixels in size. This, in turn, must link to the SugarCRM open-source Web site.

"At Socialtext, we wanted to follow the community process and try to get a license approved, which would allow us to say that we were OSI-certified and call ourselves an open-source company. If it was not approved, we had decided we would choose a less-than-optimal license based on what was then available," Mayfield said.

Mayfield also hoped that GAP would help the growing issue of license proliferation and out-of-date licenses. But having GAP added as a provision to the 50 existing licenses that allowed extensions to be added meant that those licenses would have to be resubmitted to OSI, he said.

"But our initial application caused a huge furor and debate, much of which was very emotional and involved concerns around the right to fork and whether it placed an undue burden on a developer," he said.

Socialtext failed to correctly follow the OSI submission process, as it did not submit a complete license as applied to a product. So the company took GAP and added it to Mozilla and to the widely used network use clause from Affero, which solves a big problem in the software-as-a-service model but which is not OSI-approved, he said.

"The vast majority of applications developed today are delivered over the Internet; thats part of the modernization of licensing to me," Mayfield said. "So if somebody delivers an application over HTTP, that should be the same as compiling and converting it on a CD. So we submitted that as the Socialtext Public License, which resulted in more debate and feedback."


Read here about how open-source licenses get categorized, not ranked.

"One of the valid concerns with the Socialtext Public License, as it was then known, was whether the license technology was neutral," he said. "For example, there are applications that do not have a user interface, but we were specifying that there had to be one. So that was a change that was valid and necessary."

There were also some concern about whether or not Affero was future-proof. It specifically referred to HTTP, but there could be another network protocol in the future and so the network use clause needed to be adapted to make it "future-proof," Mayfield said.

"Fortunately Larry Rosen, who wrote the Open Source License, gave us permission to include its external deployment clause, word for word, and we decided to give it a generic name, which is how CPAL was born," he said.

Asked if he expected those 40-plus companies with "vanity" licenses based on MPL to move to CPAL, Mayfield said he hopes there will be rapid adoption by those firms, adding that he has spoken to several of them and none has expressed any concerns or reservations about the license as it now stands.


SugarCRM went with a Microsoft license. Read why.

"I have spoken to SugarCRM, and they are going to take a good and hard look at whether CPAL serves their needs. While this license is similar to what they have, it has been vetted by the community and is different, but can meet their commercial as well as community needs. They will also get the benefit of being able to use the OSI-certified mark," he said.

Asked if the battle has been worth it, Mayfield said it has, even though it has been expensive in terms of all the legal fees incurred, while Socialtext has also taken a negative "reputation hit" as a result.

"Our position has hopefully now been validated, but, as with any policy change, there will be those who would have preferred another policy. But Im confident it will play out favorably," he said, adding that he could have communicated more effectively and done more legwork beforehand.


Build a Web 2.0 platform and employees will use it. Click here to read more.

Despite its licensing experiences, Socialtext is also working on something called "the social contract," which is an explicit exception that allows employees to make a contribution to any project they want, at any time, as long as that project is under an OSI-approved license.

"We have a pretty decent version of this, but it needs further revisions," Mayfield said, declining to put a timeframe on when that work will take place.


Check out eWEEK.coms for the latest open-source news, reviews and analysis.