I just received a press release from Intalio, which is engaging in what I'd consider to be more sleight of hand when it comes to vendors claiming that they've released code under an open source license when that isn't the case, at least according to the people who have written the commonly accepted definitions for free and/or open source software (free software, Free Software Foundation-style, is open source, but not necessarily vice-versa). According to the press release:
Intalio to Release Entire BPMS under Open Source License: Intalio, Inc., The Open Source BPMS Company, today announced that Intalio|BPMS Community Edition will be released under the Mozilla Public License (MPL) amended with the Generic Attribution Provision submitted to the Open Source Initiative (OSI) earlier this year.
Buyer beware. Intalio is throwing around the phrase "Mozilla Public License" in a way that obfuscates what is really going on here.
First, a refresher on what just recently happened. There's a handful of vendors -- one of which is SugarCRM -- that say they are open sourcing software under an open source license. For the gory details, check out my podcast interview with SugarCRM co-founder and CEO John Roberts. When you ask more questions, the claim is that the license being referred to is a merger of two existing open source licenses: the Mozilla Public License and the Author Attribution License. For starters, that's really not the case. Upon close examination of the "attribution" part of this new, supposedly open source, hybrid-license, there are big differences in the text. And, if you've ever looked at a legal document, it's relatively impossible to remove a dot from an "i" or a cross from a "t" without changing the document's intent or nature. So, the claim that these new hybrids are open source licenses themselves because they represent a merger of two existing open source licenses is patently false. They do not represent a merger of two existing open source licenses. Period.
Next comes the rather cavalier use of the phrase "Mozilla Public License." To the untrained eye, when vendors say they have released some body of source code "under the Mozilla Public License (MPL) amended with [some provision]," they're essentially trying to make it seem as though they've released their code under the Mozilla Public License. But in reality, they've done nothing of the sort. Outside of the people who work or who have done work for the companies that are adding these amendments to the MPL, I haven't found one open source expert who agrees that once these amendments are added to the MPL, that the resulting license can still be called the MPL. Period. Outside of these hybrid-license issuing vendors, everyone I've spoken to agrees that the license is essentially a new license and it's also their opinion that it's not an open source license. So, when Intalio uses this very carefully crafted wording, they're hitching a free ride on the good name of the truly open source Mozilla Public License.
But Intalio's infraction, in my estimation, goes even further. It mentions the "Generic Attribution Provision submitted to the Open Source Initiative (OSI) earlier this year." What's the OSI's role? Today, it is the organization that the open source community relies on to say whether a license is an open source license or not. It's not a perfect process. But it is a public one and it's the only one the community has today and so, for the time being, everyone turns to the OSI. And, it is indeed factual that a Generic Attribution Provision was submitted to the OSI for approval as a truly open source provision. But earlier this year? Try two weeks ago.
And the OSI isn't even remotely close to approving the provision as is. In fact, the discussion taking place on the OSI's public mailing list shows that everyone involved is trying to find some workable compromise. In contributing to that discussion Ross Mayfield, founder and CEO of Socialtext (one of the companies that has released code under the aforementioned hybrid style of license -- a style SugarCRM's Roberts refers to as "commercial open source") has been both conciliatory and diplomatic in seeking an acceptable compromise. Kudos to Mayfield on that.
But today, not only is the provision in question -- the one under which Intalio is releasing code -- definitely not open source (according to the OSI), as it is worded there is a zero percent probability that it ever will be. Intalio's press release alludes to the fact that the provision isn't yet approved, but it does this in a very deceptive fashion. Says the release:
"More and more commercial Open Source vendors are adopting versions of the Mozilla Public License amended with simple attribution clauses," said Mark Radcliffe, a partner at DLA Piper Rudnick Gray Cary US who also serves as outside General Counsel to the Open Source Initiative (OSI). "Intalio's decision confirms the need for a generic attribution provision, and I urge OSI to ratify the one recommended by Socialtext."
To me, this wording is designed to fool people who aren't deeply familiar with the underpinnings of the open source community and the Open Source Initiative. On the surface, it adds legitimacy to what Intalio has done by citing Mark Radcliffe's association with the OSI. But Mark Radcliffe has also served as legal counsel to the companies coming up with these hybrid licenses. In hope of avoiding a conflict of interest or any sense of impropriety, Mark Radcliffe has excused himself from the OSI's deliberations over whether the attribution provisions in question should be approved by the OSI. In other words, his position with the OSI when it comes to this particular matter is irrelevant.
But, by making the Radcliffe-OSI connection that Intalio made, it just proves a point I've been making here on ZDNet. Avoiding the conflict of interest is impossible for Radcliffe and, at this point, he must step down from his role as general counsel to the OSI. As long as he is consulting to companies that refer to their hybrid licenses as open source licenses without forcing those companies to disclose that their licenses (wherever they appear) are not yet OSI-approved, he is not protecting the best interests of the OSI which, as its outside General Counsel, is his job. It's not that he shouldn't be allowed to perform in both roles. The OSI is basically volunteer work. As one board member put it, no one gets rich working for the OSI. So, it is customary for everyone at the OSI to be making money elsewhere and prior General Counsels to the OSI such as Larry Rosen have done just that. But for him to remain in that dual mode, the vendors using the hybrid licenses that he has either written or blessed in his role as counselor to them, must be accompanied by some blatant disclosure.
Finally, to make my position on this matter clear, I am neutral on the issue of whether pervasive attribution (attribution on every user interface screen of a Web-delivered app), which is what's at issue here, has a place in the open source world. I could easily argue for and against based on what I've heard from people on both sides of the debate. I personally wouldn't have a problem displaying such attribution if I was hosting one of the applications in question. But then again, that's just me. I'm not a developer and probably won't be looking to modify source code the way other developers might (and the way other developers may find pervasive attribution to be an impediment to their efforts). So, what bothers me and what doesn't is irrelevant. What I have routinely suggested is transparency. Wherever a vendor uses the phrase open source with relation to a license that is not yet approved by the Open Source Initiative, it should be disclosed that the license has yet to be approved by the OSI. So far, I haven't seen any vendors heeding this simple request (although it's possible some have started to do it and I just haven't seen it yet).