FOSS License Proliferation Adding Complexity

E5Rebel writes "Business is embracing open source like never before, but the effective demise of SCO's claims against Linux doesn't mean an end to licensing problems, an analyst warns. The debate on Slashdot seems to focus on the GPL and its virtues, but there are 1,000-plus open source licenses (according to analyst Saugatuck), and businesses face having to manage multiple licenses within a single open source product. What can be done to minimize multiple-license pain for corporate open source adopters?"

Open source has a long ways to go

Open source has a long ways to go to match the number of different closed source licenses and eulas. Amateurs....

When using them, all the licenses say the same thi

[Tyger]

Why does the large number of licenses have to be a management problem? Most the proliferation in business is the usage, not the development of open source, and a bulk of the open source licenses say you can use it however you want, it's only when you distribute it (Modified or unmodified) that you have to start worrying about exactly what is in the license.

1000+ ???

[someone1234]

I'm pretty sure there are no 1000+ OSI approved licenses.
10 OSI approved licenses probably cover 90% of all open source.

Re:1000+ ???

[Tyger]

If you count all the subtle variations (For example, BSD license with who gets credit changed) I can see it being 1000+. But that is taking a very strict definition of different FOSS licenses, and not a realistic definition that all those are basically the same thing.

Re:1000+ ???

[CastrTroy]

How many different closed source licenses are there? Probably about 1 for every application.

Re:1000+ ???

[Knuckles]

And they are written in caps.

Can you say FUD?

[morgan_greywolf]

Yeah, I knew you could. The average Linux distribution doesn't have anything close to a 1000 licenses in it. Stop being ridiculous. There is pretty much BSD/MIT/X11, GPL, LGPL, Mozilla, Artistic, and maybe a couple of others, depending on what apps are installed.

And in the end -- so what? FOSS licenses break down into two categories: BSD-type and GPL-type. That's it. They're all pretty much the same, especially ones that conform to the Open Source Definition, so who cares?

Re:Can you say FUD?

[Ant+P.]

A quick check (ls -1 /usr/portage/licenses | wc -l) gives me 861. Not over 1000, but not exactly nowhere close either.

Re:Can you say FUD?

[LiquidFire_HK]

I wrote a quick script to find the most-used licenses (this is from Gentoo's packages, which is a fairly representative sample, with nearly 12 000 packages).

$ eix -v | grep License | awk '{print $2}' | perl -e 'while(<>){ chomp; $licenses{$_}=0 unless $licenses{$_}; $licenses{$_}++ } for (sort {$licenses{$b} <=> $licenses{$a}} keys %licenses) { print "$_ $licenses{$_}\n" }' | head
GPL-2 6710
BSD 711
as-is 579
LGPL-2.1 511
|| 428
Artistic 344
MIT 259
LGPL-2 229
public-domain 138
PHP 124

You can see the full list here. As you can see, a huge amount of the packages (85%+) use GPL or one of the other very popular licenses. "||" means multi-licensed, and most of those are Artistic/GPL. You'll notice that after the top 30 licenses, none are used in more than 10 packages. Of the 863 licenses, 729 are used in 5 or less packages, and 629 of them are used in only one package. Many of the one-ofs are fonts or closed-source licenses.

So while I agree there are many licenses, the vast majority of projects use one of the popular licenses.

Do what everyone else does

[CaffeineAddict2001]

Ignore it.

number of licenses

[mattb112885]

Its no different for proprietary software, in which the number of licenses is basically equal to the number of pieces of software you have ordered.

No, just use OSI-approved licenses

[Infonaut]

They cover a broad range of licensing needs. If there are hundreds of different licenses out there, it's only because the lawyers working for the firms involved have sold these companies on the notion that they need a custom-crafted license.

Re:No, just use OSI-approved licenses

[Nibbler999]

There's about 60, which is still too many to try to interoperate.

Strawman

[fishthegeek]

Check out Microsofts License-o-rama! If Microsoft as a corporation can't stick to even a few licenses what on earth makes anyone think that thousands of FLOSS programmers will share enough commonality among them that they would be willing to use fewer licenses.

Microsofts licensing site doesn't even address the individual EULA's for products. Each MS product has a license that is nearly always unique to that product. So I say let those that do the work decide on how they would like or not like to share it.

The un-problem

[MisterBad]

The vast majority of businesses will never trigger _any_ of the provisions of the licenses for their Open Source software because they will not publicly re-distribute the software in verbatim or modified form.

For those businesses that do, it is highly unlikely that they'll deal with more than the GPL or BSD licenses. Other licenses are important only for a single package or cluster of packages (e.g. the MPL, the Artistic License, or the Apache license), and companies that deal with these packages tend to be specialists in that area.

This just really isn't a practical problem for most businesses. It's an issue that software aggregators like distros or SourceForge need to deal with, but not your normal everyday business.

Do not distribute.But use is free!

[leuk_he]

If you use open source software, and not redistribute it you can mostly ignore the open source license. You can use it on as many computers as you like with many strange license combinations. For closed commercial software you have to track all the licenses, for open source you do not have to track the number of uses.

The real question begins if you want to distribute a packet of open source software and want to know if they are license compatible. ANd the real trouble starts if you want to use a loophole of some license to sell it bundled it together with your own commercial software.

Re:Do not distribute.But use is free!

[also-rr]

Excellent point... especially when you consider that if you *are* distributing it will pass through your commercial department.

I have been doing commercial work lately on over 100 contracts, each with unique terms and conditions. Even if we had projects running that used every single OSS license out there it wouldn't tax us to an unreasonable level. That is kind of what specialists are for... businesses pay programmers to programme, and the commercial department to read contracts.

The best bit is that unlike technical issues your PHB probably appreciates the importance of contracts! I can't think of a single director (even the engineering directors) where I work who couldn't assimilate the GPL in five minutes or less - and the GPL is one of the more complex licenses. They deal with stuff far more weird than this every day.

All you need is to know how to state the benefits in their language. My humble effort is here - and I would welcome additions.

Re:Just use the GPL

[Brian+Gordon]

Why does everyone love the GPL? By forcing users of the code to obey the hacker ethic, it's breaking the hacker ethic. Code is code, and it doesn't make any sense to put restrictions at all on it, even if they're just copyleft restrictions. BSD for me- it's basically public domain (the best solution IMO) but it strokes my ego by making sure my name is included in the code :)

How about commercial?

[GrEp]

How about commercial licences? At least with FOSS you have a few major ones. With commercial every one is unique and usually much more complicated.

I don't get it

[tie_guy_matt]

Don't most open source licenses have one thing in common: you can use the software and install it on as many computers as you want free of charge. The problem comes up when you modify the code and then want to redistribute it. My question is how many businesses are modifying tons of different programs so that they have to worry about tons of different licenses? And if your company is big enough that you are modifying tons of programs then don't you have legal department with an army of high priced lawyers who would love to do nothing else but make sure you dotted all your i's and crossed your t's when it comes to the licenses? Maybe I missed something.

Open Sources Licenses for sale

[infonography]

Dear Friend,

My late father was the finace minister for the pervious administration in Nigeria, in his weill he bequitehd me the income from meany open sourse licenses however since the new government crackdown we have had difficulites in tranparting themo out of th country. A reputable frind who can transport them out of the country for me needs a small advance to pay for expenses once we have these open sources license on the open market we can realize great proifit.

I have a limited introductory offer for any software you want at a low low rate per seat. Comes with Complemetary Viagra from te late presidents presonal stores.

Please send to my paypal account darl.mcbride@sco.com

Re:You can't hook things together...

[jhantin]

See the flamewar on the OSI mailing lists; all the above concerns and more have been aired.

No, seriously... large complex component-based software system + GPL = instant holy wars, because the line where one work ends and another begins is no longer clear.

"Dammit Jim, I'm an engineer, not an attorney!", but it seems to me that in practice, the GPL's process-boundary condition becomes little more than a performance issue because you have to use message passing over some kind of communications link instead of loading in-process. For additional flavor, release the "client side" of the message passing bits under the AFL or similar, and the "server side" obligingly under the GPL.

Re:If you write software...

[antiNeo2000]

You're oversimplifying things. Some free software is gratis (free of charge), some is libre (free to modify), some is both, some allows commercial distribution, some doesn't, and the list goes on. Since people own the copyright, people are allowed to write their own software licenses, no matter how weird they might be. Some projects need to be commercially viable in order to be accepted as standards (X.Org and the X11 license), while others would rather be shielded from commercial abuse (GNU and friends). Diversity in software licenses, even if it might be a bit confusing, is a lot better than the alternative.

Well, yes and no.

[jd]

Yes, you're absolutely right that there are only a few "core" licenses that others are derived from. NASA's Open Source license is based on the GPL, for example. However, there ARE a lot of licenses out there. It would be far, far better if there was some sort of inheritance mechanism for licenses. That way, it would be clear what had borrowed what from what, lawyers would be dealing with change sets (which they're familiar with) rather than re-written texts, and instead of a long linear list, we would have a much more compact tree.

Would this reduce the number of licenses? Initially, no. You'd simply reorganize them into a structure. Would it improve understanding of the licenses? Yes. Understanding would increase exponentially, rather than linearly, as a person worked their way through. Would it eventually lead to a reduction in the number of licenses? Yes. A lot of them have trivial or insignificant change sets and making this obvious to all would create pressure to consolidate where appropriate.

Ok, but doesn't the sheer number also create pressure? Yes, but it may NOT always be appropriate, and there may be unexpected and undesirable results. Make thing clear FIRST, and THEN make changes, not the other way round.

Would be cool to do it automatically

[radarsat1]

I've had the idea for a while that it would be cool to design some kind of formal language to describe licenses, so that you could apply logical rules to cancel out conflicting requirements and determine whether licenses are compatible with each other.

Sure, legalese is pretty "formal", but it's not computer-science *formal*. How cool would that be to encode laws and legal conditions such that they are provably effective?

Someone must have done something like this...

(That said, I've never really understood why people choose licenses other than BSD or GPL, since these seem to express some basic viewpoints on how F/OSS should work, but I guess people have their own reasons, which is fine with me actually.)

a lawyer's view

[faceword]

I represented an company that had developed a closed source software product that had incorporated several open source (but not GPL'ed) libraries, each released under a different license.

There was a transaction cost, in that the company had to pay my law firm to review each license to be sure the distribution of the product did not violate the license. Some of the licenses had attribution requirements, including one which required the verbatim reproduction of the open source license within the distribution. I advised my client as such, and they included that license within a readme file, complete with the glaring typos that were in the original.

The cost of a junior lawyer spending a few hours reviewing six different licenses (approx $300 per hour) was lower than recreating the code from scratch -- so it is hard to argue that the proliferation of licenses is problematic. My client was still better off than if it had to spend an extra week of development time authoring the libraries.

Re:Just use the GPL

[fsmunoz]

I disagree with you in the hacker ethic part[1], although I can see your point. More importantly though is the fact that I agree with you and disagree with parent when he said "just use GPL". *I* am all for the GPL but can perfectly see why people would prefer some other license, especially a BSD/MIT/ISC one (free, non-copyleft with attribution). This "license proliferation" thing is not IMO something terrible. It can be a bit overkill, especially in the non-copyleft ones (many licenses ammount to the same with different wordings) but if people use them then clearly they have a good reason to exist. It should especially not be used as a way to promote "unification" around a single license: there are reasons for using the GPL, which I personally think are good ones, as there are reasons for using the BSD license, and that's all there is to it. Conditioning choice in the name of simplification is not the way to go at all.

[1] Pardon my laconic answer but I think that everyone is up-to-date in what regards the differences in perspective about the GPL and the BSD licenses from each "camp" :)

Re:copying is copying

[Ohreally_factor]

Wrong: Internal distribution is fine and doesn't really count as distribution regarding the GPL.

This article is semi-FUD, anyway. FTFA:

Business users of open source software should review their Open Source licensing agreements, audit their use of Open Source and create formal policies for managing source code, especially mixed-source code. Which a business that is distributing code is doing anyway, via their legal department, outside counsel, and/or consultants.

This issue has been highlighted in some open source discussion forums, but it is largely being ignored by IT and business leaders. Because the licenses are generally human readable by IT leaders, and business leaders have lawyers to handle that.

The general attitude in the OSS world that I'm picking up is that license proliferation is not a major problem. Choice is supposed to be good, no? Find the license that best satisfies your needs, or write your own. The two camps that seem to have the most concern about too many licenses are the FUD-spinners trying to damage OSS or the Free-bies that are trying to steer everyone towards GPL 3 and FSF hegemony. (Yes, I'm a bit biased.)

Re:Cry me a fucking river.

[Chandon+Seldon]

There are two completely separate cases:

Using Software

With Free Software, this is always allowed. No problem.

With Proprietary software, this can be pretty complicated. Each piece of software has its own license with its own requirements, be it per-user licensing, per-seat licensing, per-CPU licensing, per-year licensing. Better hire a dedicated lawyer to make sure you have all your licenses lined up right.

Modifying/Redistributing Software

With Free Software, this can be pretty complicated. There are a number of licenses - some of which are incompatible with each other. You'll probably want to put some effort into license tracking, or even hire a lawyer if your situation is especially complicated.

With Proprietary software, this is always prohibited. No problem. (unless you screw up somehow, then you're liable for millions in damages.)

Object oriented licencing?

[IPFreely]

So what we really need is a smaller set of base licenses that include object oriented features like inheritence, interfaces and templates.

I can see it now:

public MyLicense extends BSD implements Attribution;

or

public NPL extends GPL implements OwnerTakeback;

Re:Just use the GPL

[einhverfr]

So? Look for opportunities to drive up the asshat's costs. You offer it for free, he charges, so he must be adding value. If he is not, then let him have the suckers......

If he is adding value, then you still have some options. The first is to look for features he includes and reimplement them in your project free. THis drops his value to $0. The second is to get the community development rolling fast enough that he is effectively forced to fork and move on or start contributing back so as not to be buried in trying to merge his changes back into the code.

Most of the large BSDL projects I have been around have a few players who do sell versions with a few new features. Most of the time, the community doesn't *want* those features, such as EnterpriseDB's Oracle compatibility stuff. PostgreSQL, of course, has such a pace of development that none of these companies actually want to maintain any more patches than they have to. Hence they contribute everything possible back.

In short, you contribute to a GPL program becaue you are required to. YOu contribute to a BSD program to drive the competition's prices up and yours down. They both achieve similar ends. Why care?

Re:copying is copying

[watchingeyes]

See that....that's the point flying 15 feet over your head.

Pretty much every single open source license allows unlimited usage and copying, even to third parties. I'm not aware of a single one that limits this. I'm also not aware of a single one that places restrictions on copying modified versions internally.

Unless there's one I'm missing, the only limits any open source license places on a licensee is when they create derivative works, and then distribute said works to third parties.