Cannell.org/blog

This is the fourth in a series of blog posts intended to help IT managers understand open source licensing and its implications. In this post I cover the risk of inadvertently licensing proprietary software as open source by mixing it with a GPL-licensed product.

Recall that my research focuses on the use of communication, collaboration, and content management (3C) solutions within enterprises. As it turns out, a large number of the leading open source 3C products are licensed under the GPL. So care must be taken if organizations choose to integrate these products with enterprise systems. The concern has to do with the GPL’s Copyleft provision, which states that a system must be licensed under the GPL if any GPL-licensed source code was used to create it and it was distributed. A previous blog post discussed hereditary and permissive open source licenses in more detail.

But let’s say this up-front, if your plans do not include modifying the source code of (or integrating with) a GPL-licensed product, or if you have no intention to distribute any software which involves GPL-licensed software (either linked or integrated with another system) then you should have nothing to worry about.

The issue I want to highlight here is where organizations are considering integrating a GPL-licensed product with an enterprise system. In some cases it is fairly straightforward to determine if a piece of software falls under the GPL. For example, if a developer links their source code with GPL-licensed source code then the resulting program is considered a derived work and would have to be licensed under the GPL, if it were distributed.

In her book “The Open Source Alternative: Understanding Risks and Leveraging Opportunities” Heather Meeker does a good job describing the “border dispute” of the Copyleft provision in the GPL. The problem is the GPL itself is not always clear as to what defines a program that is considered derived from GPL software. Meeker is very good at setting the scope of the issues and then exploring a number of scenarios regarding the applicability of Copyleft.

However, while Meeker’s background and analysis is interesting I don’t intend to explore the legal issues brought on by the GPL in cases such as loadable kernel modules in Linux or proprietary operating systems running within a Xen host. What I want to briefly touch on here are the issues surrounding the use of GPL-licensed software within enterprise environments, most notably those which may have to integrate with corporate systems.

So let’s explore these issues by going through two scenarios:

1. Configuring Drupal to use an enterprise’s directory system. For example, an enterprise uses Microsoft Active Directory as a central source of usernames and passwords. Should we be concerned with integrating Active Directory with a Drupal installation via an LDAP interface using the LDAP integration module?
2. Surfacing data originating from an enterprise system within a sidebar on a blog running WordPress. For example, the latest sales numbers are displayed on a blog written by a marketing director, via a plugin which pulls data from their proprietary sales tracking system.

At first it may not be obvious that either of these scenarios would qualify as a derived work and be subjected to Copyleft. In both cases the GPL-licensed products involved (Drupal or WordPress) would probably not run on the same computers as the proprietary systems with which they are communicating.

To get some guidance we can refer to the Free Software Foundation. As Meeker says in her book: “The Free Software Foundation (FSF) is in some ways the de facto enforcer of the GNU General Public License (GPL).” To help clarify these types of questions about the GPL, the FSF has a frequently asked question list on their website. The answer to the question “I'd like to incorporate GPL-covered software in my proprietary system. Can I do this?” provides some illumination as to how the GPL applies to the above scenarios. It says in part:

“However, in many cases you can distribute the GPL-covered software alongside your proprietary system. To do this validly, you must make sure that the free and non-free programs communicate at arms length, that they are not combined in a way that would make them effectively a single program.”

In other words, it matters a great deal how a GPL-licensed program integrates with a proprietary system, regardless of whether they are on the same system (and, we should also note, given the pervasive connectivity of the Internet, it doesn’t matter if the two systems are on the same network of even in the same company). If they operate as a single program then the FSF considers them a single program now subject to Copyleft.

So, the key is to be able to demonstrate that the two systems involved can still be considered separate. In the first scenario (Drupal using Active Directory) communication between the two systems is done via a well-known protocol (LDAP). All of the software used in the Drupal system can operate as a separate entity by connecting to any LDAP-compatible directory, not just this particular Active Directory. The two systems are clearly separate programs.

The second scenario is less clear. In her book Meeker suggests “to focus on the spirit of the GPL rather than its letter” and goes on to say the degree in which the proprietary code can be considered a “black box” will help clarify whether there is sufficient “arms length” (as the FSF describes it above) between the two.

If the proprietary sales tracking system was custom-written by company employees and the company wrote a custom extension to serve the data along with a custom WordPress plugin to pull the data and display it within the blog, then this sounds like two systems performing as a single program and subject to Copyleft, if either of the two were distributed.

On the other extreme, let’s say the company purchased a widely available sales tracking system, which provides sales data in RSS feed, and an RSS feed is fetched by a WordPress RSS plugin (which can be used with any RSS feed) that simply displays the feed items on the blog. This certainly seems to qualify as a “black box” and the two systems can be considered separate.

In closing, while is makes sense for enterprises to use GPL-licensed software (after all, a large number of the leading open source 3C products are GPL-licensed) care must be taken when integrating them with proprietary systems.

This is a repost of a blog originally posted on the Collaboration and Content Strategies Blog

John Tropia says “What’s happening is that wikis are actually replacing a process, they are becoming a new way to do group work.” I think the explanation is simpler. To me, wikis represent documents and people understand documents. However, wikis store documents on a web page rather than within a file.

Wikis are tapping into a schema which people already use. After a little introduction it’s easier for people to understand wikis than other social software because they are based on something familiar.

So wikis aren’t necessarily replacing processes but they are replacing directories of documents (and improving navigation among them). People understand documents. They are necessary to get much of their work done. Documents are built into existing processes.

I may hate files, but I absolutely need documents. What I am hoping we will see is a redefinition of document.

Why wikis have more adoption?

What sparked today’s post is a post from Sameer, 2009 is the year of Enterprise 2.0? Hold your horses….

In his post we see that Wikis are gaining more traction. I think this is because they are more:

• group based tools
• based around a task (an environment of certainty)
• help with process failure, and
• don’t require network effects like blogs and social networks …ie. wikis and forums don’t need lots of people to take off, all they require is a small group of people.

Library clips: Do group tools get more traction due to not requiring network effects, and being in the context of certainty

This is the third in a series of blog posts intended to help IT managers understand open source licensing and its implications. In this post I cover the roles an open source product can play in an enterprise vendor’s business (which are enabled by open source licenses) and what this means for the enterprise itself.

A previous post discussed the four key levers of open source licensing that can support a vendor’s business model:

1. Hereditary versus permissive licensing (and the impact of Copyleft)
2. Source code ownership rights
3. Limitations around attribution
4. What defines “distribution”

These levers are important to enabling the roles a vendor intends a software product to play in support of their business objectives, which are listed below. I’ll go through each of these in detail:

• Commoditizing a Function
• Increasing Accessibility to Code, But Retaining Ownership
• Sustaining a Community
• Delivering Services
• Providing Support

Commoditizing a Function: This role is enabled by permissive open source licenses. For example, the Apache web server has commoditized basic web serving. Large companies like IBM have been the biggest contributors to these types of projects, often supplying the most developers and even contributing code that becomes the basis of new projects.

Nearly all open source products benefit from these products since they provide the foundation for other opportunities (e.g., LAMP-based solutions). IBM benefits by incorporating these in commercial product offerings, enabling contributions to come from a wider audience of developers (thereby sharing some cost), providing a forum to explore new technologies and standards (reducing risk and increasing interoperability), and reducing the chance of competing technologies from becoming standards (for example, the Apache web server has remained the most popular web server despite efforts from companies like Microsoft).

Increasing Accessibility to Code, But Retaining Ownership: This role is enabled by dual licensing of software. In particular, companies have licensed software they own with both a proprietary license and a hereditary open source license, such as the GPL. The classic example of this is MySQL. In the content management market, Alfresco is a good example.

The key to enabling this dual licensing approach is having ownership rights to the source code. For example, take a look at the Sun Contributor Agreement. The author of a contribution that makes it into the core product must give ownership rights to Sun.

In this role the GPL discourages competitors from incorporating MySQL source code into a proprietary product (since distributing the resulting product would require it to be licensed under the GPL) while also increasing visibility enabling others to interoperate with it. Nearly every Linux distribution comes packaged with the GPL version of MySQL, making it an easy choice for many developers to use. I’m sure Alfresco would love to have the same type of relationship with Linux at some point.

Sustaining a Community: For all of the complaints made against the GPL (mostly by commercial software vendors) it is hard to dispute the success of a number of communities supporting GPL-licensed products. For example, the  Drupal community has over 350,000 members and the Wordpress community has produced over 4,200 plugins. These are extremely active communities and are examples of what many established commercial vendors have been striving to build for years.

None of the main commercial entities involved in these products (Acquia for Drupal and Automattic for Wordpress) control the source code, nor license it separately. The GPL seems to level the playing field, enabling community members to compete on aspects other than proprietary software offerings. Rather, community members use the source code as a basis for competing in downstream markets such as custom website development, various types of services, and support. The result is a robust open source product that incorporates cutting-edge innovations at a pace commercial software vendors have difficulty matching.

Delivering Services: One of the ways Acquia and Automattic leverage their open source products is to provide services and support. For example, basic hosted Wordpress.com blogs are free. But, Automattic also provides premium blogging services as well as software support for enterprises. Acquia also provides support and later this year will offer site hosting and a premium site-search service (based on Solr, an Apache-licensed product, and provided via a Drupal module). Of course, many online service providers use open source software. The most recognizable being Google and Yahoo.

Providing Support: Although community leaders (such as Acquia, Alfresco, and Automattic) offer paid support services for their open source products, there are also companies that provide support for a broader selection. These include OpenLogic and SpringSource. For example, OpenLogic provides support for MediaWiki (the software which runs Wikipedia) as well as hundreds of other open source products including development tools.

Most enterprises will need some type of commercial support for open source products, unless they intend to maintain a staff with sufficient skills to do it themselves. So which type of support should you use, a contract with a community leader or a support-only vendor? Each situation can be different but, in most cases, I would first consider going with the community leader (since this contributes to the long-term viability of the product), unless the use of the product is limited and the risk of problems low. Either way, I think there is room in the market for both types of open source vendors and their positioning will be sorted out over time.

Clearly, open source products need viable community leaders and these companies will likely provide the best support. However, enterprises can only be expected to maintain so many vendor relationships and there are literally hundreds of opportunities for enterprises to use open source (many, of which, do not have a commercial entities behind them) so the open source support vendors should have plenty of business to go after.

What does this all mean to enterprises wanting to use open source solutions? When considering a particular open source product,first understand the role it plays in the plans of vendors supporting it.

• Products with strong communities behind them will tend to be more innovative, likely have enterprise support options, and be around for some time.
• Those products without strong communities need to be assessed as if they were a commercial product being sold by the vendor providing support.
• If they have neither a strong community nor a viable commercial vendor behind them, either reconsider your options or proceed with caution and look for signs that the community will continue growing.

The key is understanding the long-term viability of an open source product, whether it is backed by a vendor or a community.

In my next post I will discuss some of the risks involved with open source licensing, thoughts on mitigating these risks, and open questions that still remain.

This is a repost of a blog originally posted on the Collaboration and Content Strategies Blog

A recent article from Bruce Perens, a leading open source advocate, entitled “How Many Open Source Licenses Do You Need?” reminded me of how confusing open source licensing can be for IT managers who aren’t plugged into the open source world. Although the article is published on a website intended to be read by IT managers it was clearly written for companies producing open source software. After writing down some of my own ideas for explaining open source licenses to IT managers I decided to turn these into a series of posts.

But first, some background. My research at Burton Group focuses on the use of communication, collaboration, and content management (3C) solutions within large enterprises. What this means is I don’t come to this topic from only a developer’s or a system or network administrator’s perspective. The 3C solutions we cover are usually considered infrastructure components that can be leveraged by applications. We tend to have a foot in both the infrastructure and application side of IT.

What we see driving IT management interest in open source is:

1. Saving money through lower licensing costs.
2. A desire to tap into innovative solutions, particularly those driven by active open source communities.
3. Using open source software to learn about emerging technologies (for example, much of what is called Web 2.0 was first built with open source)

The concerns IT managers have with open source software are:

• How well does the software work?
• Will it integrate with my existing infrastructure and applications?
• How well is it supported?
• Is it secure?
• Are there any risks with using open source software?

In my client dialogues about open source a topic that often drives discussion is licensing. One of the keys to effectively applying open source solutions is to understand a vendor’s business model and the role the software plays in their market plans. An open source license supports that role and business model. Therefore, understanding open source licenses is important because:

• They are an indication of the business model used by an open source company (and commercial software and services companies using open source software).
• Each of these business models has a different set of factors to pay attention to in terms of how they use open source and what they must do to succeed.
• They also influence how an enterprise might use an open source product. For example, maybe you are using an open source library in one of your applications or perhaps you are using a full product (like an open source blog) but are thinking of integrating it with an application. Each of these scenarios comes with a different set of opportunities and risk.

My next post will be an introduction to specific open source licenses, the levers they can bring to bear on a software market, and what they can mean to an enterprise using open source software.

This is a repost of a blog originally posted on the Collaboration and Content Strategies Blog

My daughters, and now my wife, listen to music on iPods and Apple sure makes it difficult to not to use iTunes for online music purchases. However, I’ve have been holding a hard line, insisting we only use iTunes for free promotional items and buy DRM-free music from Amazon. But I recently changed my mind (about Amazon, not DRM music).

This past couple of weeks I cleaned up my own music collection and started using Winamp to support a Sandisk Sansa player. Once that was straighten out  I wanted to buy some MP3s and so I went to Amazon. What a disappointment.  Amazon’s MP3 Downloads service has an astonishingly primitive interface for browsing and finding music.

So, yesterday I tried Rhapsody’s MP3 store (btw, I had previously used the Rhapsody subscription service and was satisfied with how well it worked). Finding music was a breeze and the Rhapsody download utility makes purchasing and transferring the audio files simple.

Customers can navigate Rhapsody via music genres (as does Amazon) but then takes it to another level. When reading information about an artist Rhapsody offers the customer three options for finding additional artists they may also like:

1. Contemporary artists
2. Followers (who were influenced by this artist)
3. Influencers (who influenced this artist)

Nice stuff. Not nearly as powerful as Pandora, but pretty good. It also helps that Rhapsody has a shopping cart (which, surprisingly, Amazon does not provide for MP3 Downloads). Even the music previews blow away Amazon’s simplistic samples.

Amazon hasn’t taken the online music purchasing experience forward since introducing DRM-free MP3 Downloads late in 2007. I am grateful for Amazon helping move the music industry towards DRM-free options and we have been happy customers of Amazon otherwise. This year nearly all of our online holiday purchases were from Amazon or through Amazon Marketplace.

But, Amazon’s MP3 Downloads needs some serious attention. For an online pioneer that provides incredibly effective navigation across a huge number of products, MP3 Downloads looks unbelievably dated.