...making Linux just a little more fun!

Follow-up Developments in the "Exhibit B" Licensing Issue

By Rick Moen

[ This is actually a series of exchanges between Rick Moen and several other people concerned with this issue that has been converted to an article. E-mail headers, etc. have been removed; original layout has been preserved as much as possible; a bit of extra punctuation has been added to denote meta-content.
-- Ben ]

[ RM adds: For context, at this writing, Microsoft Corporation has pending a very high-priced hostile bid to purchase Yahoo Corporation, which owns Zimbra. ]


Quoting Don Marti:

> Dick Morrell on the impact on Zimbra:
>  https://blog.dickmorrell.org/?p=532 
> 
> Wikipedia article on the future of Zimbra:
>  https://en.wikipedia.org/wiki/FoxPro_2 

(Will forward this post to Dick, whom I think I've known even longer than you have, Don. I've [also] asked Dick Morrell's permission to publish any remarks he might have in response. Will forward, if he has anything to say and is willing.)

The true, functional acid test of whether a codebase is genuinely open source as claimed is forking: It must be possible, when push comes to shove (e.g., the company producing it being bought out by Microsoft) to fork off a copy, independently develop it, and continue to use it for any purpose and redistribute it without charge (or with charge, if the redistributor prefers).

So: Questions about whether Zimbra is really open source may soon get resolved -- the hard way.

The right to fork includes the right to create arguably foolish, annoying forks for bad reasons, e.g., the IPcop fork of Dick's Smoothwall project. It's natural that developers like Dick would inherently feel ambivalent about the right to fork, feeling the attraction of licensing restrictions that "would have stopped IPcop in their tracks" (Dick's wording). It's only when you need to fork that the right to use code in any fashion, including removing runtime advertising, can become essential.

I have a feeling that Dick assumes, as I did, that Zimbra's still under the "Zimbra Public Licence" aka ZPL (MPL 1.1 + a mandatory runtime advertising clause often called "Exhibit B"). It's not. I've only recently caught up on this myself: It's now under an even newer licence called Yahoo Public License (YPL) v. 1.0.

ZPL was one of about two dozen clones of SugarCRM's MPL 1.1 + runtime advertising clause[0], each deployed by about the same number of thinly capitalised Web 2.0 startups, many of them with interlocking Board of Directors and Advisers[1]. Each such licence required that "each user interface screen" of the application bear the company's trademarked logo, advertising text, and linkback -- and at the same time specifically denied recipients a trademark licence. Each such licence was loudly proclaimed to be open source, but, if you asked why the firm was consistently failing to submit it for OSI certification, you got silence or evasion.

The truth of the matter was: They were all carefully avoiding so doing, because they knew their licences would be rejected as violating (at least) OSD provisions #3 (derived works), #6 (discrimination against particular fields of endeavour), and #10 (technological neutrality).

Advocates asserted that they were merely trying to ensure "attribution" -- which was transparent rubbish: The right to retention of author attribution in software source code is already automatic in copyright law and doesn't require any licence provision[2], but SugarCRM, Zimbra, et alii actually wanted something more than, and different from, that: They wanted to require that all derivative works retain their runtime advertising displays, placed in front of the user's eyeballs on "each user interface screen". These firms then made the non-sequitur claim that their licence was automatically open source because its terms were the result of combining two OSI-approved licence, MPL 1.1 and the extremely obscure "Attribution Assurance License" aka AAL.[3]

They called their aim merely "attribution" and implied that it was a just claim. Bruce Perens, an early critic, politely called it a "badgeware" restriction. I, covering the issue for Linux Gazette, became over time rather more blunt, and characterised it as mandatory runtime advertising.

One of the more cooperative of the firms, Socialtext, finally set up a rather tentative trial balloon with OSI, something called the "Generic Attribution Provision" aka GAP[4], a paragraph they asked OSI to certify as open source if appended to some unspecified subset of the 65-odd OSI-approved licences.[5] Note that, as usual, Socialtext did not submit the "Socialtext Public License" that it was in fact using for its commercial wiki-software product: It wanted OSI to commit to a different licence it did not use, to test the waters.

OSI's outside advisors, including me, unanimously found the "GAP" proposal to fail OSI standard by a country mile[6] -- and the firms using modified-MPL licensing for their Web apps started feeling more public heat over their questionable claim of producing public source, and their evasion of the OSI.

About this time, I also started pointing out an even more peculiar aspect of this situation: The firms obviously had been attempting to do copyleft, i.e., requiring that third parties deploying derivatives of their Web apps share back code, but had picked MPL, a totally unsuitable licence lacking an "ASP clause" to enforce code shareback on hosted applications.[7] Leaving aside OSI approval for a moment, I asked, "What the Hell are you guys trying to accomplish? You go out of your way to pick a copyleft licence to modify, but then pick one (MPL) whose copyleft clause doesn't work in your market. You claim you just want "attribution", but ignore people who point out that preservation of real attribution (in source code and docs) is already mandated by law, and all you've really done is ensure that third-party commercial users need to carry your advertising and live in fear you'll sue them for trademark violation. That sort of impaired usability you call open source?"[8]

Quite a long time later, to their and attorney Mark Radcliffe's credit, Socialtext did come up with a much more modest (still MPL 1.1-based) mandated runtime advertising licence, Common Public Attribution License 1.0 (CPAL).[9] CPAL's runtime encumbrance is so very mild, and so careful to avoid the earlier problems with OSD #3, 6, and 10 that it easily passed OSI approval, and was adopted by most of those couple-dozen Web 2.0 firms -- but not Zimbra.

Zimbra got bought by the same Yahoo that is now Microsoft's daily blue-plate special, which somewhere along the line changed the Zimbra codebase to YPL 1.0 -- which turns out to have gratuitously different wording from SugarCRM/Socialtext/etc.'s original and problematic MPL 1.1 + mandated runtime advertising licence, but manages to replicate and perpetuate all of its problems, including the implied threat of trademark suits.[10]

If Dick thought ZPL was open source, it's likely he considers YPL to qualify, too. Getting back to the original point, I figure we'll find out who's right, within the next year or two.

My prediction: The noxiousness of the "attribution" (in English: mandated runtime advertising) requirement, combined with the trademark threat that will now be backed by Microsoft Corporation's cash, will kill any forking efforts, and (unless a miracle happens and Microsoft continues to back it, or sells its rights, or fails to acquire Yahoo at all) the Zimbra project will die -- or at least all YPL-covered code will have to get rewritten from scratch before it can live again.

(So, Dick, you're wrong. Nyah-nyah. ;-> )


[1] I won't name any names, but I've seen a couple of these people writing in the IT industry press to, for example, tout the alleged buyout market value of firms with which they had insider status (and that they didn't see fit to mention).

[2] Well, sort of. That is absolutely true in most of the world. Most EU member states and Australia, for example, recognise that right as what is called "authors' moral rights" in the European civil law tradition. One major industrialised country's copyright statute lacks such a specific clause: the USA.

The Visual Artists Rights Act (1990) amended the USA's Federal copyright statute (title 17 of the United States Code) to create 17 U.S.C. 106(a), creating an explicit right of correct author attribution for visual works only (e.g., film, television). Software is considered a "literary work" for purposes of US Federal copyright law. (Until recently, I'd misread section 106(a), failing to notice its scope restriction.)

The international Berne Convention treaty (article 6bis) mandates protection of "moral rights" for in-copyright works, but the USA, although a signatory, declined to enact any such explicit protection at the level of Federal copyright law, on the extremely shaky theory that the matter is adequately covered in other applicable law.

That is not to say that authors to whose works others wrongly claim authorship have no recourse: It just means that it's a weak point in US copyright law. Authors would have to use other theories of law. For example, The SCO Group sued Novell in Utah state court for the business tort of "slander of title" (and is still in the process of massively losing). Here is Pamela Jones of Groklaw, four years ago, explaining that tort: https://www.groklaw.net/article.php?story=2004021116125699&query=slander+of+title

In short, there is an automatic right to retain author attribution in most countries copyright statutes. The USA is an exception, in which software authors can protect that right, but by methods outside of copyright law.

[3] This claim was widely accepted until I bothered to compare SugarCRM's (and other similar firms') mandatory-advertising clause with AAL and found that this widespread claim of having merely reused AAL's wording was, in fact, obviously wrong.

[4]https://blogs.zdnet.com/BTL/?p=4124
https://crynwr.com/cgi-bin/ezmlm-cgi?3:mss:11896:200611:jfkjkakegkfbihlhcbbn

[5] Some licences specifically do not permit modification of their terms by licensors. Socialtext apparently never noticed this and a number of other fundamental problems, including the fact that OSI certifies only actual licences, and what they'd submitted was a patch.

[6]https://web.archive.org/web/20070219093912/https://www.buni.org/mediawiki/index.php/GAP_Against

[7] Hosted Web apps intruded the novelty that you can fully exploit their use without distributing them to their users. Therefore, terms in conventional copyleft licences like GPL (v. 2 or 3) or MPL that require code shareback do not have the intended effect for hosted aka ASP (Application Service Provider) aka SaaS (Software as a Service) aka Web 2.0 apps. (FSF and other copyleft licence authors assumed that substantive usage would entail distribution, and so tied the copyleft shareback obligation to the distribution right.) However, several other licences would have met their needs, Funambol's (Fabrizio Capobianco's) Honest Public License, Affero Public License, Apple Public Software Licence (APSL), and Open Software Licence (OSL).

Questioned as to why they used a licence that lacked an ASP clause, and so completely failed to meet their business needs, advocates stammered quite a bit and said all existing ASP-oriented licences lacked OSI certification, and so they'd cobbled together the best one they could by combining to OSI-approved licences, MPL and AAL. I responded that (1) actually, both ASPL and OSL are OSI-approved, and (2) no, their assertion of having merely reused AAL's wording had, to put it politely, turned out not to be the case. (Basically, they screwed up -- shooting their own copyleft aim in the foot by omitting one type of clause, and torpedoing their claim to open source by including the usage-encumbering one.)

[8] Until SugarCRM's SugarCRM Public License aka SPL 1.1.3 (the first mandatory runtime advertising licence) came out, and SugarCRM, Inc, claimed it to be open source, nobody had even considered banning usage restrictions in the Open Source Definition, because it never occurred to us that anyone would have the effrontery to try, those being so obviously alien to the intended concept. However, that proved sufficiently well implied by OSD provisions #3, 6, and 10 (see footnote 6) to block GAP and similar proposals.

Most recently, SugarCRM, Inc. has switched from SPL to GPLv3 -- ironically, also a copyleft licence whose copyleft wording is non-functional in SugarCRM's market segment, for lack of an ASP clause.

[9]https://www.opensource.org/licenses/cpal_1.0

[10] Some would say that the requirement to use trademark-encumbered logos creates an implied trademark licence, and that's what defendants would argue in court. They might win; they might lose. Point is, the clause specifically denying a trademark licence raises that concern, and one cannot help suspecting that such instilling such fears in third-party commercial users, to deter them, is a deliberate aim.

Talkback: Discuss this article with The Answer Gang


Bio picture Rick has run freely-redistributable Unixen since 1992, having been roped in by first 386BSD, then Linux. Having found that either one sucked less, he blew away his last non-Unix box (OS/2 Warp) in 1996. He specialises in clue acquisition and delivery (documentation & training), system administration, security, WAN/LAN design and administration, and support. He helped plan the LINC Expo (which evolved into the first LinuxWorld Conference and Expo, in San Jose), Windows Refund Day, and several other rabble-rousing Linux community events in the San Francisco Bay Area. He's written and edited for IDG/LinuxWorld, SSC, and the USENIX Association; and spoken at LinuxWorld Conference and Expo and numerous user groups.

His first computer was his dad's slide rule, followed by visitor access to a card-walloping IBM mainframe at Stanford (1969). A glutton for punishment, he then moved on (during high school, 1970s) to early HP timeshared systems, People's Computer Company's PDP8s, and various of those they'll-never-fly-Orville microcomputers at the storied Homebrew Computer Club -- then more Big Blue computing horrors at college alleviated by bits of primeval BSD during UC Berkeley summer sessions, and so on. He's thus better qualified than most, to know just how much better off we are now.

When not playing Silicon Valley dot-com roulette, he enjoys long-distance bicycling, helping run science fiction conventions, and concentrating on becoming an uncarved block.

Copyright © 2008, Rick Moen. Released under the Open Publication License unless otherwise noted in the body of the article. Linux Gazette is not produced, sponsored, or endorsed by its prior host, SSC, Inc.

Published in Issue 148 of Linux Gazette, March 2008

Tux