Advocacy Prompts Reconsideration of Anti-GPL Letter

Many people have noted that there has been a reaction (see also this AP story) to the story posted a few days ago about the GPL in government. (More links: Wired, Newsforge.) This is good, I guess: Congress should consider carefully how the government licenses the code it funds, because it's an important public policy question: it shouldn't be decided by a backroom push from business lobbyists (the lead Representative listed, Adam Smith, represents a district fairly close to but not including Microsoft headquarters). There are certain things that bother me about this whole story though, and I'm going to try to trace the trajectory of it below.

As far as I can tell, it started with this Newsforge story (Newsforge is also part of OSDN, Slashdot's corporate parent). The Newsforge story was excerpted and copied by an Australian newspaper, and from there, it was off and spreading. The headline chosen, "Washington State Congressman attempts to outlaw GPL", is not particularly accurate, but it did a great job at stirring up outrage. Outlaw the GPL! Over my dead keyboard!

From there it really started making the rounds. It was repeatedly submitted to Slashdot with all sorts of flaming, incorrect commentary - in fact, after reading a dozen different submissions, I didn't think any of them were even close to accurate. I picked one and posted it, trying to do my best to a) provide an accurate headline and b) provide an accurate summary of the issue at stake in a few sentences. To recap again: when the Federal government creates computer code (or any copyrightable work) directly, it gets no copyright whatsoever and the work is true public domain (quirk of the U.S. copyright laws - the 50 states, corporations, individuals, and other legal entities all get copyrights automatically, but the Federal government does not). If you want to copy, reproduce, or sell an .mp3 of the U.S. Congress singing "God Bless America" after September 11, go right ahead: there is no copyright on it whatsoever. (Actually, the song itself is still under copyright, but Congress' performance of it wouldn't be...)

However, when the Federal government hires a non-employee to create code or copyrighted works, there is no clear rule regarding the copyright status of the work. Sometimes the contract calls for rights to the work to be assigned to the Federal government (the Feds don't get original copyrights, but if someone else gets an original copyright, the Feds can acquire it). Sometimes the contractor keeps the copyright and gets to do whatever they want with it. Sometimes the contract doesn't specify. Note that this is NOT a BSD-vs.-GPL dispute, not by a long shot. Very little code financed by the Federal government is ever licensed under either of these two licenses - the choice is basically agency-proprietary (the Federal agency asked for the rights in the contract, and kept them) or company-proprietary (the agency didn't ask for the rights, and the contractor kept them).

And most of the time it doesn't matter. I've written code for the Federal government as both a contractor and an employee, and 99% of it was so specific and customized that it would be of use to no one else, regardless of its licensing or copyright status. Probably the majority of code written for the Federal government falls into that category - internal use software for very specific needs.

But some of it is undoubtedly useful. Some major projects funded by the government in conjunction with academia have escaped from licensing purgatory, typically through the efforts of the researchers working on them who approach the issue from an academic freedom viewpoint and want to see their work widely adopted. GRASS is one major one that I know of. A commenter pointed out ADA as an example. For code which is useful to others, either a BSD-like or GPL-like license would be truly beneficial and easily defensible as a public policy choice. In the non-code world, the government makes choices like that all the time - it might choose to purchase a particular piece of land and commit to making it available to everyone forever by declaring it a National Park and committing to maintain it, a GPL-like philosophy; alternately, it might choose to just dump a particular piece of property on the market, putting it up for auction and letting the purchaser do what he wills with it, a BSD-like philosophy.[1] Either of these two options might be optimal; but paying for code which ends up remaining proprietary is like buying a new stadium to benefit a very specific corporation which owns a very specific sports team: the type of use of public funds which is generally seen as sleazy and the opposite of good governance.

Either of the first two choices can be appropriate in certain situations. What does not seem appropriate is paying for proprietary code, although this is generally what happens when the government contracts for code. Since the government has the ability to provide a benefit to the public (open code) at essentially zero cost, it should do so. An example which has struck me several times over the past few years: every airport in the world has the same problem, coordinating planes taking off and landing and keeping them from running into each other. Yet each nation (and often each airport) solves the problem over and over, paying heavily for custom-designed, one-shot software development. Imagine if the world's airports could simply install GNU-AirTrafficControl 2.7, and have a complete, working, bug-free and cost-free air traffic control system. It would cost every nation less to do it this way, but it would also make a lot less money for the consultants retained to develop these systems.

But leave off the advocacy for moment - I was following the story itself. As noted above, the outcry has prompted many of the other Representatives who originally signed the letter to reconsider. The AP story even suggests that some of the signatories were actively misled - that the letter they thought they were signing didn't mention the GPL at all. However it actually played out, some good has been done.

That's good. What's not so good is that much of the outcry was probably generated by stories titled "Washington State Congressman attempts to outlaw GPL". The right outcome occurred, but for the wrong reasons and in the wrong manner. I am left wondering whether the community would have made the same sort of response on this issue if every story that had been posted about it was 100% accurate and non-inflammatory.

[1] If you're not familiar with the BSD-like and GPL-like classes of software licenses, this won't make a lot of sense to you, so please read up if necessary.

Flawed analogy

[lpontiac]

In the non-code world, the government makes choices like that all the time - it might choose to purchase a particular piece of land and commit to making it available to everyone forever by declaring it a National Park and committing to maintain it, a GPL-like philosophy; alternately, it might choose to just dump a particular piece of property on the market, putting it up for auction and letting the purchaser do what he wills with it, a BSD-like philosophy.

I think this analogy is completely flawed. Under the BSD license, the original piece of code will always remain free for everyone to use. When the government sells a piece of property, it's no longer available to the public. FreeBSD didn't go away when Apple incorporated pieces of the code into OS X.

Both the BSDL and GPL keep the original code free for all, the difference is in the derived works - the GPL stipulates that they, too, must remain free, wheras the BSDL doesn't. I think a more appropriate analogy would be: the BSD license would allow a photographer to take a picture of the sunset in a national park, and retain all rights to it. Under the GPL, the photographer could still make and sell the photograph, but he couldn't stop people who bought the photograph from making copies and giving them away, or selling them.

Define "very little"

[JordanH]

• Very little code financed by the Federal government is ever licensed under either of these two licenses - the choice is basically agency-proprietary (the Federal agency asked for the rights in the contract, and kept them) or company-proprietary (the agency didn't ask for the rights, and the contractor kept them).

NASA uses and produces software under the GPL license.

Any number of of projects funded by NSF, and other Governmental Agency, grants end up licensing software under the GPL.

There is an aspect to this discussion that I don't think gets enough play. The GPL is a great boon to academics who don't have to purchase costly software, and risk throwing obstacles in the way of those who would reproduce their work, or reinvent wheels. This boon comes with the very small cost that the software so produced should be shared with others. I think that this is in harmony with the spirit of Scientific Research, the "standing on the shoulders of Giants" as Newton said.

Nu Uh

[dilute]

You can't "license" rights that you don't have. The person who takes under a BSD and re-releases under a GPL does not own the copyright - she is not the author, it is not her original work. The only thing the second person can restrict with the GPL is that which she owns, i.e., her own ADDITIONS and CHANGES to the work (if any).

Re:Nu Uh

[GigsVT]

I think you are confused. You can release other people's BSD code under whatever license you want. That is why the GPL was created, because the BSD does not require you give the people you distribute BSD code to the same rights you had.

You are correct, you don't own the copyright, and you must comply with the BSD in acknologeding the copyright holder, but that doesn't prevent you from taking every piece of BSD code out there and distributing it under whatever license you want.

Re:BSD Should Be Used

[eXtro]

It's not just your own code, corporations pay a lot of taxes as well. BSD is probably the more appropriate Open Source license under these circumstances. You, as a tax payer, are entitled to the code which was produced using your taxes. You can then modify it and hoard it or set up a server and share it or charge for your improvements. Corporations, as tax payers, can also take this code, modify it and hoard it, or set up a server and share it or charge for its improvements. At no point does the original work paid for become encumbered, but derivative works might become encumbered.

Re:A short summary

What idiot modded this as a troll? He's making a joke, morons!

Re:BSD Should Be Used

[Stonehand]

Yes, you're missing the boat -- or perhaps being deliberately obtuse.

If it's BSD licensed, not only can a company get the code but YOU can get the code with all the rights the company had. Ergo, the company has NOT taken the code away or restricted your rights to the code "you" (more likely, people wealthier than you, paying a larger percentage) paid for. What you AREN'T necessarily getting is exactly what you DID NOT pay for (even if you're in the highest tax bracket...) -- the additional work done by the company.

Now, considering that this incredibly obvious and correct point has been made before, you're either deliberately trolling or not reading any responses in order to maintain your pro-GPL ignorance.

Re:Interesting notes

[dh003i]

Opinions can be wrong and/or right when they're opinions of fact.

Saying that the GPL is bad for business is a incorrect assertion of fact. In fact, it is not. My GPLing software doesn't hurt any businesses. If businesses want to use GPL'ed software to base their code on, that's their choice, but they have to release the modification under the GPL; they made an informed decision, weighing out the advantages and disadvantages. If companies only have "one line" of GPL'ed code, it should be no problem to come up with an original replacement. In short, its not bad for them, but can only (in some cases) help them. This is not preventing them from protecting their intellectual property, as you assert; if they want to license their IP under a EULA, they can simply find a replacement for the GPL'ed code, or code a replacement themselves.

Yes, MS likes the BSD license. Of course they like a license which allows them to take but not give back. MS is a parasite to OSS and FS communities.

I also disagree with your implied assertion that the GPL'ed license isn't truely free. In the real world, Freedom does not mean "no restrictions". In the real world, without any restrictions at all (anarchy), there is no freedom; I don't see why restrictions automatically make something unfree in the software world. The GPL was designed to gaurantee the end-user freedom, and to ensure that that freedom isn't taken away by modificatioins to free software which are themselves licensed under non-free licenses.

Lets do a real-world analogy to help you understand. First, an analogy to the BSD license. A city has a well in the middle with a chalice from which to obtain water from the well; the only rules are that anyone may use the chalice to obtain water from that well, so long as they put it back. Anyone can add onto the well and make it better; but the person adding on can impose a fee for others to use that enhancement. Hence, a public resource -- originally free -- may over time be transformed into something divided up among private owners.

Now, compare that to the GPL. In this case, anyone can add on to the well also; but they must not put any more restrictions on the usage of their addition than were on the usage of the original well. Hence, a public resource is free and will always remain free.

That's the difference between the BSD and GPL licenses. The GPL license is truely free -- perhaps more so than the BSD license, since it gaurantees freedom in the future for any modifications, so a proprietary modification of a GPL'ed program cannot replace that GPL'ed program and take away the users freedoms.

In short, the BSD philosophy regarding freedom seems to be that "freedom means the freedom to take away other people's freedom (i.e., add a EULA to modifications of BSD-code)". The GPL philosophy regarding freedom seems to be that "freedom means the freedom to do whatever you want, so long as you don't take away other's freedom".

Re:SETHROB

[swillden]

Although your post included hints that obscurity is sometimes of use in security, you didn't say it outright, so allow me:

The relationship between security and obscurity is a complex one. Naive people often equate them, slightly more educated people make more complex errors, but errors they remain.

The fact is that obscurity can be a valuable impediment to potential attackers, but only if adequate effort can be applied to make sure that the underlying security is good. Most companies, for example, do not have the resources required to adequately ensure the security of complex systems (i.e. pretty much anything running on a computer), which means that they're far better off publishing and allowing the public security community to find their holes for them.

However, public scrutiny is not a magic bullet, because it's not uncommon that something gets published but it doesn't get that much attention. In the case of an organization like the U.S. Government, the resources are available to hire teams of top analytical talent and have them focus 100% on a particular system for years on end, or even in perpetuity. No published code gets that kind of scrutiny.

For example, the NSA practices obscurity but have you ever met a cryptographer who thinks they'd be better off publishing their cipher designs for the community to pound on? The NSA has a huge pool of very talented people and is perfectly capable of doing thorough security reviews completely internally. Adding a layer of obscurity on top of that has all sorts of bonuses for them, such as allowing them to avoid revealing their capability in cipher design (which would imply things about their capabilities in cryptanalysis, for example).

I think the case of the ICBM C&C system is comparable. The DoD can afford to have extensive review by talented people, and then keeping the software secret adds an additional layer of complexity for any would-be attacker. Even more important, of course, are the policies, procedures, clearances, vault doors and armed guards that stand between a potential attacker and the system, and various security and obscurity mechanisms applied to those.

I work a great deal with another class of systems in which obscurity is important. Obscurity slows the defect-discovery process for both white and black hats, and that's usually a bad thing because when white hats find a problem, even though the black hats also find out about it, it gets fixed and is no longer a problem. But what about when you know in advance that if someone finds a defect it will not be *possible* to correct it? White hat security research will essentially hand the keys to the system to the black hats because we can't update the system to correct the problem.

So the logical approach in this case is to (1) do as good a job on the security as you can, (2) keep the software secret, to slow the inevitable discovery of defects, (3) keep an internal team of security analysts working continually to find defects (they can see the code and are more efficient than the black hats, even though they're probably vastly outnumbered) and (4) devise and integrate audit procedures into the initial system security design so that if a bad guy does break it (a) you will find out, so you can try to respond and (b) you have an evidentiary trail that can lead to arrest and prosecution of the attacker.

not BSD, not GPL, but wxLicense

[Nicolay77]

I like the license of wxWindows more than BSD or plain GPL, and it is another alternative to those being discussed here.

It basically consists of full GPL protection for source code, but with the freedom of use any licensing in binaries, that is, permiting commercial use of it. Developers happy, and companies happy.

As in everything, all extremes are evil, and for me the RMS/GPL is just the other extreme of MS EULAs. Any good and usefull license should be somewhere in the middle of them both. Of course the devil is in the details, but that's what lawyers are for.

Re:BSD Should Be Used

[Sivar]

It's not just your own code, corporations pay a lot of taxes as well.

This is less and less true every day.
You are aware that many companies, including General Motors (one of the biggest companies in the world) haven't paid corporate "income" taxes for years? There are some very juicy corporate tax laws which allow corporations to reduce and in some cases eliminate most of their taxes by using such tricks as funelling it to their employees under certain guises. Interesting stuff.

It's a great time to be a corporation.