IP concerns are very real; I’ve had a couple of customers bring them up in the past. It boils down to trust: it doesn’t matter if you and a thriving community have written the best code in the world; without someone to vouch that all proper measures were taken, there is an increased risk associated with your project.
I never used to think about clean IP. I knew that some organizations, such as the Apache Foundation, make committers sign contributor license agreements, but as I am not an ASF contributor, it wasn’t something I had to deal with.
That’s changed now that I’m at eBay.
Last June, we announced that we were going to open source our Windows and Java SDKs. These are wrappers around our Web services for developers that make it easier to write code that links up with eBay. There’s nothing fancy about them, so the benefits of open sourcing them far outweigh the risks.
However, all of a sudden I have a whole new set of issues to worry about:
- What open source license will I use?
- What about eBay IP that might be part of the SDKs?
- What if someone contributes something they don’t own the rights to, or that is under a non-compatible license, or that has a patent on it, etc., etc.?
What a mess. It’s not easy open sourcing anything non-trivial when you’re a big company — especially when it’s part of an active project.
I must admit our legal team was surprisingly clueful when it came to open source. Some things they knew. Others they didn’t, but they found a firm to assist that knows a lot about open source licensing and issues.
I had a long conference call with four lawyers, and at no point was I forced to explain that all open source licenses were not like the GPL. Actually, that’s unfair because these guys not only said smart things, they asked smart questions, and had smart answers to my questions.
The original license I suggested was the good old MIT License. However, that didn’t pass our internal IP test. The MIT License was written in a world where software patents weren’t a major legal issue, and for better or worse we no longer live in that world.
So, to protect ourselves, we moved away from the MIT License. At first, our legal team wanted to write their own custom license, but I pushed back and asked them to explore the Apache 2.0 and CDDL. Apache 2.0 didn’t work for them, but the CDDL did. (Much to their surprise. Big shout out to the Netscape and Sun lawyers for writing something the eBay team was happy with.)
Things are not 100% final, but I hope that we’ll be able to release our code under the CDDL late this year or early next year.
Of course, that had some additional side effects, as we had to scour our existing code to make sure there were no license incompatibilities with the CDDL. Apache Axis uses Apache 2.0, which looks to be okay.
Unfortunately, we had spent some time writing an example that hooks up to a MySQL database using MySQL Connector/J. Frankly, I’m not sure if it was ever legal for us to bundle the MySQL code or even publish the sample code given MySQL’s interpretation of the GPL. Anyway, that code is out. It’s not worth it for me to get a commercial license from MySQL and I can’t tell what is or isn’t allowed.
Actually, if someone from MySQL can update their FLOSS exemption page to include the CDDL, we may be good. Since CDDL is similar to MPL, I hope they don’t have any problems doing this. But my lawyers don’t enjoy me playing with GPLed code, so we may not be good after all. We’ll see.
In the reverse direction, we patched Apache Axis with some improvements. However, I believe we just supply the patches with our SDKs as standalone files, and we’ve never contributed those back to the main trunk. I don’t know why. I don’t know if it was for technical or legal reasons, or just because we were lazy. But I would love to figure out what I can do to help share these changes with the extended Apache Axis community.
It just goes to show how licenses and IP really do matter, and big companies really do take this seriously. This is a good thing, and only goes to strengthen open source licenses. However, I think it’s come as a surprise to some open source developers.
I always see open source developers worry immensely about mashing up GPL code with BSD code, yet, at the same time, they don’t bother to check to see where their commits are coming from and if they’re clean. Therefore, they’re even more surprised when a big company cares.
Again, I think this is another big step in the right direction for open source. We all know free refers to more than just cost. It’s also the freedom to modify and redistribute code. At the same time, the cost of something is more than the purchase price. It’s also the risk associated with it. By reducing risk in all forms, we make the code even more free.