The fight over open source 'leeches'

Open source is supposed to be all about community, but as commercial open source becomes the norm, fewer developers are giving back. Is that hurting open source?

"Leeches" -- that's how Dave Rosenberg, co-founder and former CEO of MuleSource, and now part of the founding team of RiverMuse, refers to companies that use open source technology but don't give back to the open source community. Companies like Cisco's Linksys subsidiary, whose routers rely on Linux. Companies like Amazon.com, whose Elastic Cloud Computing (EC2) service depends on Eclipse Foundation's open source offerings.

Your ear doesn't have to be pressed to the ground for long to hear angry grumblings in the open source community about leeches, vampires, or freeloaders.

"The future of Eclipse is in danger," Michael Scharf, a member of the Eclipse Foundation's architecture council, said in an angry April blog post. "The problem is that there is no real pressure for companies to contribute back to the community and it is easy to use the Eclipse 'for free' for their own products. The Eclipse community should create peer pressure to prevent the freeloaders and parasites from getting away without punishment," he wrote.

Scharf likens the lack of contributions back to the community to the "tragedy of the commons," in which greedy individuals unthinkingly destroy a shared resource. And in an e-mail exchange, he put it this way: "The general mentality of the industry frustrates me; the attitude to take advantage of something like open source and not give back anything to the system."

Scharf's comments were not well received. Not only is Eclipse doing just fine, say his critics, but the whole notion of leeches and freeloaders is a relic of open source's Wild West era, when coding was a higher calling and free software a religion.

"You might call them parasites; I call them users and adopters," says Mike Milinkovich, executive director of the Eclipse Foundation. "The fact that we have millions of users is what makes Eclipse commercially interesting." Indeed, when major enterprises use Eclipse, with or without contributing code back to the community, they create a market for Eclipse plug-ins and services, says Milinkovich.

Even critics acknowledge the major exceptions to enterprises' freeloading ways. For example, Rosenberg notes that Bank of America, H&R Block, and J.P. Morgan not only pay for what they use, but contribute code back to various projects.

The polarized open source "community"
It's not surprising that the discussion has become so polarized. There's long been a tension within the open source community between those who have seen it as a movement and those who believe it is a business. To be sure, the gulf between those poles isn't nearly as wide as it once was. The increasing adoption of open source by mainstream enterprises has changed the terms of the debate and bolstered the community.

"Community"? For some, that's a fighting word. "Much is made of the importance of community in open source, specifically, and in software, generally. But 'community' is perhaps the most overhyped word in software, one that doesn't deliver nearly as much value as marketing people would like you to think," Matt Asay, vice president of business development at Alfresco, said in a post earlier this year.

Asay points approvingly to a 2006 article by John Mark Walker, a self-described "community dude," who wrote a post (and now an ongoing blog with the same title) called "There is no open source community." Walker argued that the notion that open source software is controlled by a core group of "ideological believers" pushes away commercial customers "who are afraid of running afoul of the 'open source community.'"

And Navica CEO Bernard Golden expresses some impatience with those who complain about freeloading. "If a license says anyone can use it, that's what they have to live with. Presumably they made an informed choice [to use a particular license]."

Like it or not, open source companies are embracing parts of the commercial model, offering paid, enterprise versions of their software. And that can lead to nasty disputes like the old beef between SugarCRM and vTiger, or the more current matchup involving Bascula Systems and Zmanda.

Hardware makers: The new open source scofflaws
With open source adoption on the rise in the enterprise, the community (if there is such a thing) is struggling to adapt to a different set of rules. "When it comes to open source communities, individuals are much better citizens than institutions. The enlightened self-interest that causes individuals to send back bug fixes, contribute ideas for new features, and write documentation is much harder to find in institutions," Dan Woods, CTO of Evolved Media, wrote in Forbes earlier this year.

True enough. There are companies that pay little attention to the GNU General Public License (GPL) commonly used by open source applications -- though others are embracing it -- and its requirement that open source code be attributed and enhancements to it made public.

Why that happens isn't simply a matter of corporate villainy. "Of the small minority of companies that don't comply [with the GPL], it's generally a case of laziness or ignorance, rather than a malicious attempt to get around the license," says Brad Kuhn, technology director of the Software Freedom Law Center.

Although Kuhn says he prefers education to litigation, the SFLC has waged several important lawsuits defending the GPL. Increasingly they involve embedded software in routers and other relatively inexpensive devices. Given the complexities of global commerce, it's not hard to see why the hardware business lends itself to open source abuse.

In 2007, the SFLC filed a lawsuit against Verizon on behalf of open source software developer BusyBox. The complaint alleged that Verizon infringed on BusyBox's copyrights by distributing Actiontec wireless routers to Verizon's broadband customers without properly making the BusyBox code available.

Further complicating the case was the origin of the code used by Actiontec: an unnamed Asian OEM that embedded it in the router's integrated circuits. Similarly, Cisco purchased parts from a vendor in China containing embedded code that should have been shared under the GPL -- but wasn't, says SFLC attorney Aaron Williamson. And that led to a suit filed late last year.

It's quite possible that the Asian vendors had never even heard of the GPL, much less thought about complying with it, he says. Still, the ultimate seller bears responsibility for the actions of its suppliers, and when education and persuasion fail, Williamson and his colleagues are prepared to sue for clients who step forward.

He figures that similar issues involving firmware are likely to arise. The Verizon case concluded with a favorable settlement for the developers last year, and Williamson says the Cisco lawsuit is close to a similar outcome.

The provision of the GPL that tripped up Verizon and Cisco is known as "copyleft," which requires that users make public their changes to code covered by the license. But you won't find that provision in Apache's licenses.

"We feel there are enough enticements without holding a gun to someone's head," says Apache Software Foundation president Justin Erenkrantz. The Apache license, he says, "is hard to violate because it basically says you can do whatever you want as long as you don't use our name." IBM, for example, can't claim its HTTP server is Apache, but it can note it is "powered or based" on Apache.

Why many enterprises are open source vampires
Given the forgiving terms of the license, it's not surprising that Apache doesn't have many problems with violations, but Erenkrantz goes further, praising Sun Microsystems, Hewlett-Packard, Yahoo, and even Google -- often labeled a freeloader -- for making significant contributions. He's not alone in letting Google off the hook. Matt Asay puts it this way: "A year ago I was a vocal critic of Google, but they've come around."

Asay, though, doesn't give everyone a pass. "Enterprise IT is the biggest consumer of open source software, and it gives almost nothing back to the community," he said in an interview. Particularly galling to him is the fact that the worst offenders generally aren't technology companies that might reasonably worry about giving away a competitive advantage, but mainstream enterprises that don't have such an excuse.

Why not comply? "I spoke at a CTO breakfast and asked that question," Asay recalls. "Some said it was hard to get approval from their company legal team, which worried about liability issues. Others simply didn't see the benefit."

No benefit? Open source projects -- and there are more than 100,000 on SourceForge alone -- may or may not use a license that "requires" a user to contribute back, but those who don't contribute back lose a key advantage of the model: collective support for new code. Companies that go it alone have to spend time and development money making fixes to "forks" that could be handled by others -- a powerful incentive to play by the rules.

Even so, the culture of collaboration, which is really the ideal of open source, doesn't run very deep in most companies. Institutions, as Woods pointed out, simply aren't wired that way -- yet.
