February 4, 2021

Compliance Industrial Pulpit

someone tell the enterprise about Open Source 2.0

This post is part of a series, Killjoy.

New, stronger copyleft licenses raise corporate compliance alarms. Companies, especially big companies, will have to update open source policies, training programs, and employee supervision to avoid stepping in the new license. Big, industry-wide hassle. Not worth it!

Wait just a minute now. A loose, distributed online movement is steering what thousands of firms say to thousands upon thousands of employees, many of them developers? How is that not a massive opportunity? What kind of movement passes up that bullhorn, and lies low?

I strongly suspect most biggish companies approach mass compliance more or less the same way. Everything under common permissive licenses like Apache 2.0 is fine. Anything under a weak-copyleft license like LGPL or MPL is good to use, but not to hack. A few famous projects under strong-copyleft licenses, like Linux, GCC, and GNU coreutils, are also fine, as long as you use just as directed. Everything else is no-go. E-mail Legal.

In outline, this is more or less the starter policy from Blue Oak Council. Fleshed out, it’s more like the company policy from Blue Oak Council.

Totally understandable. It’s the 80-20 approach to open source. Maximum value for minimal trouble. Which is exactly why Blue Oak published those policies, so nonprofits and small firms without open-savvy lawyers can have them.

But 80-20 is woefully incomplete. It’s teaching open source as read-only, not read-write. It’s pitching Open Source 1.0 and, yeah, it’s kind of lame. The 20% folks are getting misses the point.

On the receiving end of the gospel of low-effort compliance, as a newbie, you’d never hear the good news that open source comes from schmucks like you. You’d never learn that at some companies, even very proprietary software companies, kicking a patch back to an LGPL library, or hanging out in the GitHub repo of a GPL project, is everyday stuff. You’d never get word that a lot of the projects you’re downloading, drive-by, would be glad to have you hang around, even if you’re not a credentialed computer scientist, even if you’re just starting to code. You’re not even really told that copyleft requires sharing alike. You’re just hearing it’s a no-go. Because It’s Complicated.

There are many reasons open source takers outnumber open source makers. We can’t entirely blame in-house compliance programs. But teaching a one-way, take-only version of open source at enterprise scale can’t be helping.

Neither can the state of copyleft.

Dig around the websites of free software activists, and you’re bound to run into the idea of “copyleft as excuse”. In some cases, which GPL fans love to retell, the requirement to share back under a license has given an in-house developer leverage to get their legal departments to consider and approve code release. They didn’t wanna at first. Or rather, they didn’t want to think about it. But having been dragged into it, they can end up glad they did. And not just to dodge a license violation.

That doesn’t happen much when the copyleft license only covers secondary, relatively rare use cases for the software under the license. Copyleft doesn’t require much sharing back then. It might also happen that the developer wants to share a patch, but the bothered lawyer finds a little-known exception—like “private changes”—in the text, ending the conversation about release.

Speaking of license violations, and to the credit of the Free Software Foundation and friends, I get the impression the kind of training they require offending companies to give their people, as part of settling license violation claims, would do a lot better job of emphasizing read-write than the corporate norm. The set and setting could surely be better. A mandatory meeting is a mandatory meeting. But the sitters these organizations are going to send wouldn’t be the type to miss something so fundamental.

Maybe the firm ticks the box, does the training, and immediately bans all free or open source forevermore. Once bitten and all that. But maybe half the folks in the training end up working somewhere else six months later. They take their open minds to friendlier shores.

Are there quality, ready-made, copyleft-positive corporate training materials out there? Is anyone pushing them before there’s a problem? If not, why haven’t movement people seized that opportunity? Get ahead of one-sided corporate training with two-sided community training.

As we’ve all learned, firms can indeed be cajoled into doing what’s good for them. Especially, and maybe only, if those things are made ridiculously, Hell-why-not cheap. If every company is going to roll its own open source program internally, of course they’re going to be lean, even scraggly, and reflect Legal Department engineer aversion more than holistic, top-down cost-benefit analysis. Give them something better, even with an activist bent, and I suspect a great many would take it. They might even pay for it.

Come the day we see a really compelling, copyleft-licensed software project that doesn’t exempt its primary use case from copyleft—a kernel without a user space exception, a compiler without a compiled-code exception, a library under strong rather than weak copyleft terms—they might even bang down doors for it.

Your thoughts and feedback are always welcome by e-mail.
