Open Source Activism

Open Source, or the general idea of a software commons, has always had echos of a progressive viewpoint independent of the simple notion of "free code".  I have heard it described many different ways, but the the general theme tends to circle around software quickly becoming so integral to even the most basic functions of society that the benefits of public crowd sourcing development efforts fundamentally out weigh a business model approach favoring software as a proprietary investment.

However, I have never seen such a direct attempt to use the tools and artifacts of the open source community to impact public policy as described by this NPR article.  It is a fascinating account of how technical workers in China's censored society have chosen to leverage a GitHub repository to influence corporate behavior regarding working conditions.  The name "996.icu" indicates a frustration that despite Chinese labor laws to the contrary, many technical workers are required to work 12 hour days (9 to 9), 6 days a week, in order to keep their position, and the attempt to keep such a grueling schedule can result in a hospital visit to the intensive care unit or "ICU".  Apparently GitHub was chosen as the medium of expression as unlike more traditional social media channels, it is very resistant to government censorship given the importance to so many corporate and academic institutions.

Even more fascinating to me is the development and inclusion of the "Anti 996 License", which is a derivative of the standard MIT license.  In it licensees are required to:

"strictly comply with all applicable laws, regulations, rules and standards of the jurisdiction relating to labor and employment where the individual is physically located or where the individual was born or naturalized; or where the legal entity is registered or is operating (whichever is stricter)"

And it appears that many in the open source community see the value in such an approach because in just a few days many projects have adopted the license.  See here for a current list.

Of course the enforceability of such a clause probably varies by jurisdiction and to my knowledge has not yet been tested anywhere, but it is an intriguing juxtaposition of the technical world and social activism.

Would you ever consider such a licensing approach for one of your projects?

6 Reasons for Making the Open Source Argument

"Next time you're in a conversation about open source software, you'll know just what to say."

 From my opensource.com article published this morning....

If your organization is struggling to take advantage of the open source software (OSS) market, here are some proven ways it can help you achieve truly transformative success particularly if you are implementing DevOps.

1. New opportunities

Commercial software and OSS both provide common capabilities as a commodity to all competitors in a market. However, OSS is distinguished in at least two important ways:

• Having the source code enables an OSS user to create derivative works resulting in market-differentiating, value-added services.
• Appropriate governance provides an OSS user the opportunity to create business-focused features that may influence industry patterns of practice.

2. New business models

Use market position to your advantage by deciding which OSS capabilities should be standard and open to anyone and where you would like to compete with proprietary offerings. You can continuously alter the competitive landscape to benefit your customers. Effectively, your OSS product strategy can define and maintain the boundary between the "red and blue ocean" for your industry's core technology.

• NextGen Connect offers one example of this business model narrowly focused on healthcare data interoperability. Its product offerings range from OSS to proprietary appliance-oriented options, with the latest features appearing first in the proprietary versions. The line between OSS and commercial/proprietary is constantly shifting with market demands and opportunities.
• The commercial-to-OS software continuum also supports trends that focus on the monetization of data and services rather than software license revenue.

3. Self-determination

Commercial vendors strive to offer products and services that are attractive to the widest market and deepest pockets. This often results in overly complicated and resource-intensive software bloated with unused features. Products developed to offer specific capabilities can morph into "platforms" trying to serve every need. Vendor lock-in through customization, vertical integration, and proprietary operational processes creates a barrier to change that can be cost-prohibitive and restrict the ability to quickly pivot to new market opportunities.

In contrast, OSS components and solution stacks allow a much finer degree of control and ability to abstract underlying technologies from business processes. Your roadmaps become your own, independent of a vendor's feature and release schedules.

4. Responsiveness

Two critical areas where timely reaction and intervention can avert problems are security issues and bug fixes. Commercial vendors strive to be responsive when addressing such issues but, by definition, they are serving multiple customers with varying needs, sensitivity levels, and sophistication, which can impede their time to deploy a solution.

OSS communities tend to coalesce around deploying the simplest solution in the shortest amount of time. Having access to components' source code allows direct, rapid intervention if needed. The response to the Heartbleed vulnerability incident of 2013 is a good example. Open source based applications consuming affected components could be patched quickly because there was no need to wait on an official vendor supported patch. Users could independently weigh risk and patch as they determined best.

5. Time to market

OSS culture emphasizes self-reliance and naturally leads to DevOps processes and associated organizational alignment. DevOps can be fostered with public cloud infrastructure where appropriate. Open frameworks comprised of OSS stacks and public infrastructure increase your overall velocity and ability to realize value sooner. DevOps and OSS complement each other by emphasizing the importance of just getting started to begin seeing results.

6. Cost-efficiency

There are solid opportunities in OSS to drive hard dollars out of solutions and operational transaction costs if you are willing to pursue supporting strategies ruthlessly. Unlike OSS, commercially licensed products often struggle to differentiate by feature or performance. Bottom-line: with commercial products, often you are paying extra for a trademark's reputation, software-as-a-service delivery, or a support contract—rather than demonstrable added functional value over OSS solutions. 

---

Making the open source argument is worth the effort. Community-based software development has proven its value in some of the most challenging spaces. Marketplace competitive forces suggest that any business turning a blind eye to the open source movement is ceding a significant advantage to competitors. Just as low-cost, shared resources on the internet have dramatically reduced the barrier to entry when it comes to infrastructure, the rapidly evolving breadth and quality of open source components will quickly alter the competitive landscape across many vertical marketplaces.

Tesla & Open Source

Just in case you didn't realize that Open Source Software is truly ubiquitous across industries, here is a story about Tesla releasing software to comply with GPL licensing terms.  According to the story this has been a thorny issue from some of the affected copyright holders, but at least it appears things are moving in the right direction.

Just think, third parties will be able to experiment with Tesla add-ons, as well as discover bugs and security flaws much quicker through a community approach.  I do hope Tesla releases a set of virtual services for testing and publishes a clear contribution path so we don't have hacked cars running down the road.  Some day there may be an annual Tesla software conference!  Imagine the t-shirt that accompanied the status of being an official Tesla Open Source contributor :-)

In the end, Tesla's steps toward compliance are a win across the Open Source spectrum and will encourage community development practices to flourish.

Oracle v. Google in Android Dispute

Oracle and Google are at it again.  The dispute was sent back to a federal trial court by the U.S. Court of Appeals for a damages determination this week.

At issue is the nature of Google's use of various java API code in the ubiquitous Android operating systems found on so many phones and hand held devices.  Google had earlier prevailed on a "fair use" argument before a federal jury, successfully arguing that the Android implementation of java API code was exempt from copyright law.  Now, the appellate court's opinion all but assures a continuing battle for years to come given the potential for billions in damages at stake.

Regardless of the ultimate outcome on this case, most corporate and academic environments today are flush with java based applications.  Here is how I am able to offer some reassurance to most clients:

1. Oracle's primary claims revolve around their contention that the Android java implementation was used to create a competing platform by embedding java in a mobile operating system distributed all over the world.
2. Oracle does not seem to have a problem with the use of the java environment as a base upon which to build business applications which do not duplicate, attempt to replace or alter core java functionality.  In fact, the core licensing documents for java, often referred to as the "Oracle Binary Code License Agreement for Java EE Technologies", specifically anticipates this use case.

Since use cases conforming to #2 are far and away the most prevalent in the business and academic space, I feel confident continuing to recommend java based application development.  However, if a client desires to embed java within a device for further distribution, e.g. a new refrigerator or toaster, I would be more inclined to approach Oracle for an appropriate commercial licensing agreement. 

This Bloomberg Technology article was a good source of reference for this post and is recommended reading. 

The case is Oracle America Inc. v. Google Inc., 17-1118, U.S. Court of Appeals for the Federal Circuit (Washington). The trial court case is Oracle America Inc. v. Google Inc., 10cv3561, U.S. District Court for the Northern District of California (San Francisco).

Patent and Copyright Trolls

Patent and Copyright Trolls are often called non-practicing entities.  These descriptions refer to actors who legitimately own intellectual property in the form of current patents or copyrights, but rather than using them to further commerce or science through research, development or licensing activities, they actively seek opportunities to profit through aggressive infringement litigation and settlement strategies.  These players are annoying at best and expensively dangerous to progress at worst.  The public policy behind intellectual property ownership is designed to reward innovators and creative efforts with government protection while ideas and forms of expression can be fully developed to move society forward.  Large corporations often devote significant capital and time into accumulating large patent portfolios of their own largely as a defensive mechanism against the various forms of Troll organizations.  Here is an earlier post discussing an example for a unique customer offering from Microsoft with its Azure platform regarding intellectual property defense.

This article by David Thompson is an interesting read around the potential role of the open source community to address this problem and is well worth your time.

Open Source for Voting?

I ran across this article in the New York Times recently.  It presents a fascinating juxtaposition of modern thinking on software security vulnerability approaches based on open source software with the very real need to ensure confidence in our electoral process. 

I have often made this argument myself in the corporate world but always in the context of saving money and increasing system resiliency.  I am not always successful but at least these are arguments that have some traction in most business organizations.

This spin on why community supported open source can be such a valuable resource to the democratic principles of society is both enlightening and encouraging.

What is Package Management and why do I care?

Package Management is now almost ubiquitous in modern software development circles due to the layers upon layers of dependencies between software components which are pulled together to achieve an end result.

For a simple overview of the topic, start with this Wikipedia entry.

This is especially true in the open source world where the very nature of community and crowd source development encourages re-use of code at every opportunity.

From a licensing standpoint, this code combination and inheritance phenomenon has the potential to introduce wrinkles when investigating the provenance and or applicable licensing for a particular component.

Two of the most common package repositories for open source components are:

1. The Maven Repository containing almost 7 million artifacts as of the date of this post
2. The NuGet Gallery currently hosting about 1 million artifacts concentrated on the Microsoft development platform.

I was recently researching the licensing for a component automatically included in a project when a developer using the Microsoft Visual Studio IDE was working on a web based application.  In effect, this "package" was pulled into the developer's work without their direct knowledge or choice from the NuGet Gallery repository.  Apparently it was necessary for some foundational functionality related to processing java script.

Upon investigation, I discovered the original component was released by the copyright holder under an MIT license, but had apparently been bundled together and re-released by Microsoft under its own NuGet license.  Nothing in the MIT license restricts this practice as long as primary attribution is maintained and promulgated, however there are additional terms in the NuGet license a consumer of this component might be more concerned about than when taking the code under the pure MIT license.  For example, the NuGet license specifically grants Microsoft the right to collect certain information from a package consumer's computer and or project as a condition of use.

The lesson here is that package management can impact a user's rights to open source code if used indiscriminately. Depending on the use case, it might be worth some investigation to determine if a component is available under more benign terms.