Podcast: SugarCRM CEO says attribution in open source licenses is about fairness

Meet John Roberts. Roberts is CEO and co-founder of SugarCRM. To many SugarCRM is thought of as a provider of open source-based customer relationship management solutions. But is it? There's no question that SugarCRM provides a customer relationship management (CRM) solution. But is it an open source one? Roberts says it is. On the other hand, there are other open source advocates like the Open Source Definition's co-author Bruce Perens who disagree and refer to SugarCRM as "badgeware." The phrase refers to a proviso in the appendix to the SugarCRM Public License that requires licensees to make sure that a "Powered by SugarCRM" logo (the so-called badge) with a minimum size of 106 pixels by 23 pixels appears at the bottom center of every user interface screen that's driven by the Web-based CRM application.

Roberts doesn't see his logo as a badge but rather, see it as "attribution" and says that the SPL is nothing more than a merger of two existing open source licenses: the Mozilla Public License and the Attribution Assurance License. But upon further inspection of the SPL's appendix -- the part that's supposed to map to the Attribution Assurance License -- the truth is that the two are strikingly different. The SPL's appendix looks to be an adaptation of the AAL that's geared towards browser-based (Web-delivered apps); one that's more prescriptive than the AAL when it comes to attribution specifics.

For example, whereas the AAL refers to attribution only on an application's splash (startup) screen (normally associated with locally executed applications), the SPL's appendix refers to every screen (or Web page) a user sees in the course of using the application. In other words, attribution isn't splashed in front of the user once when the application starts. It's always there, no matter what the user is doing. Unlike a locally executable application where users are routinely exposed to a splash screen upon startup, many Web apps don't have splash screens and even if they did, users with pre-set bookmarks would dive right past them into the belly of their Web-based apps. Whereas the AAL's attribution proviso requires the author's name, professional identification, and URL to be displayed prominently on the aforementioned splash screen, the SPL's appendix is very clear about the required display of a logo, its size and placement (again on every screen). 

Perens and others at the Open Source Initiative (OSI) say that the minute a license becomes so prescriptive about what developers can and cannot do with a software's user interface, it's no longer open source because of how one of open source's most fundamental tenets is the developers' freedom to control the user interface. In my interview of him earlier this year, Eben Moglen, general counsel to the Free Software Foundation (the FSF) agreed with other critics that the requirements limit developer freedom and that developer freedom is one of the things that free software is all about. Perens and Moglen say there's no place for SugarCRM in the free (Moglen) or open source (Perens) worlds (the two aren't necessarily the same) as long as the license under which its source code is available -- a license that has never received the blessing of the Open Source Initiative (as all officially recognized open source licenses do) -- is so prescriptive about what developers' must do in the user interface. 

All this said, Roberts and his company SugarCRM have, for two years been referring to the SPL as an open source license without having the SPL blessed by the OSI and without being openly challenged. That was until I asked whether Sugar and a host of companies that followed Sugar's lead in drafting their own derivatives of the Mozilla Public License were abusing the term open source. Roberts responded to that post (both in the post's comment area and on an OSI mailing list). We seemed to be talking past one another. Roberts wanted to make his point about why attribution matters. I was simply after a reconciliation of the fact that there were licenses being hailed as "open source" licenses at the same time that those licenses were not listed on the OSI's approved list of licenses (nor had they even been pitched for consideration).

Shouldn't vendors who say their licenses are open source licenses footnote that claim with a disclosure that says the license is not an OSI-approved license? Eventually, I answered Roberts' comments with another post acknowledging that attribution may matter, but I said making the Open Source Initiative whole matters first. As long as vendors are claiming their non-OSI-approved licenses to be open source licenses, I felt as though a dangerous precedent was being set that could lead to the existence of so many of these unapproved licenses (some of which could reach far deeper into non-open source territory than the SPL will ever do), that the meaning of open source could end up meaning nothing and the OSI could end up marginalized as the guardian of the Open Source Definition and the keeper of the approved license list.

The exchange between Roberts and I led to a phone call between the two of us that, as it was taking place, I wished I was recording it. I invited Roberts back for another call so that this time, I could record it and post it here on ZDNet as a podcast interview. Another reason I thought it was important to hear Roberts' side of the story is because he and SugarCRM were the first. Off the air, Roberts asked if I was singling him and SugarCRM out as bad guys. I answered "no." In fact, during the interview, I pointed out that I personally wouldn't object to including such attribution if I was asked to do so myself. Roberts and SugarCRM were the first to come up with a derivative of the Mozilla Public License that requires attribution the way the SPL does, and several other companies including Socialtext, Scalix, and Zimbra followed suit. I don't know that there are any bad guys here. Just  users who could end up confused about what open source really is.

The interview is long at at times contentious. Roberts passionately defends each of the decisions he has made so far and believes in his heart that the SPL does indeed satisfy the OSI's official Open Source Definition. Perhaps the most interesting part is why attribution is so very important to him: Rather than offering some business rationale, Roberts says it's because its the fair thing to do. 

What follows are transcriptions of a few non-contiguous exchanges that took place between Roberts and me (just to give you a taste of the conversation's tenor). Using the Flash-based audio player above, the interview can be downloaded or streamed to your desktop. Or, if you're already subscribed to ZDNet's IT Matters series of podcasts, it should turn up on your computer and/or your portable audio player automatically (it just depends on how you have your podcatching setup). For more information on how to tune into ZDNet's podcasts, check our How-To.

ZDNet: Just because the OSI doesn't own the trademark to open source, does that mean then that anybody can go and say, well here's what we think the definition of open source is...at some point if more companies follow suit, and they redefine open source, wouldn't you agree that sooner or later open source ends up meaning nothing?

Roberts: No I don't, I disagree with you on that David. I'm not going to say anything negative about OSI. I'm a huge supporter of OSI. If you look through the Sugar Public License...it is the combination of two OSI approved licenses. The MPL and the [Attribution] Assurance License.

ZDNet: But you did receive an indication from the OSI that they weren't on board with the merging of those two licenses the way you just described...you just said so.

Roberts: As someone who founded a project and was living day to day on a project and fortunately that project was growing and getting validation, I felt, especially on changes like this, there's always going to be some debate. There's always going to be time where you need to think about it and not run to rash decisions on things .....My belief was, let's see if other people feel the same of other people who write software and open source license it....and feel they are absolutely abiding by the ideals of the definition of open source.  [Let's see] if they feel the same way. And if enough of them do -- you know that will take a little bit of time, we just happened to be the first -- then that will create the ground where we can show that there is common cause here and we can put the license [up] for approval. And that's exactly what's happening now David. But initially at the time, it didn't make sense.  My belief is that OSI will approve attribution because it is an important thing and then what will happen? Wow, Sugar will have been open source-compliant all along. In the interim, I don't think it was trying to rush a decision on something that I think needed some time to be thought through an validated by having projects also feel very strongly about it as I do.  It does take some time and that's exactly where we are today and that's why the license is going to OSI today.

ZDNet: What you're saying is that you didn't deliberately circumvent the OSI's process, but you clearly avoided it because the choices are either avoid it or follow it, I mean you can't...

Roberts: Avoid isn't the good word for it, let's see if consensus builds around this...and if there isn't consensus built around it, then we would have changed our position. Absolutely...