With some fanfare, the CodePlex Foundation launched itself late last week (http://www.codeplex.org). This has generated quite a bit of discussion on blogs, twitter, email lists, podcasts, and everything else.
I’m optimistic, with some reservations about how this will play out.
I’ll preface this discussion with the obvious disclaimer: I am not a lawyer. My knowledge of copyright law comes from asking quite a few questions of editors and attorneys before signing the contracts for the books and articles I’ve written. This is not legal advice. It can’t be because I’m not licensed to practice law.
The Barriers to Open Source Adoption
In my day job, I work with a number of large companies. Many of them have explicit policies against using Open Source code. In addition, some ask for indemnification against IP claims for purchased closed source software. That’s a reasonable action, given the current state of our legal system, the very small number of people that understand software, and the amount of cash that large companies need in order to operate. (It takes a lot of money to make payroll for 100,000 employees).
The probability of using stolen IP is small. That’s why many smaller companies accept that risk (sometimes without thinking). But, the cost of being wrong is very high. Furthermore, because of the way copyright law works, the users of open source software are at risk. If you incorporate stolen IP into your business, it doesn’t matter if you did it knowingly or not, you are at risk of civil penalty.
So imagine you’re the CIO of a big company. You no longer want to spend your days looking at code. You’ve got important meetings to attend. What’s the answer to using Open Source? Do you have someone perform the research and due diligence to satisfy your fiduciary duty? Of course not. You (as CIO) are still responsible. It’s easier to just say no. Sure it costs more money to reinvent something. But it’s legal. Sure it costs more to pick a commercial solution. But you can ask for indemnification in exchange for buying the licenses.
In short, the risk of outsized penalties keeps commercial software developers from benefiting from, and therefore participating in, open source projects.
Purchasing Indemnification
But wait you say. Isn’t Linux used in many large organizations? Certainly. In many of those cases, the large enterprise has purchased the software. Or, more accurately, the company has purchased indemnification against lawsuits. The company providing the software (RedHat, IBM, etc) and the license is accepting the risk, and is using the fees to do what they need to minimize their own risk.
This is pure opinion. I believe that part of Microsoft’s motivation for the CodePlex foundation is to make it easier for large enterprises to use .NET based Open Source projects. Note that many of the Open Source projects in widespread use today are championed by IBM, and run on the Linux Operating System. I believe Microsoft wants to enable the CodePlex Foundation to make a stronger ecosystem for .NET projects. Those .NET projects that are part of the CodePlex Foundation may find better adoption rates at large enterprises.
Copyright Assignment
One of the items on the CodePlex Foundation that is causing lots of concern is the sample license agreement that assigns copyright to the CodePlex Foundation. Here, I’m leaning heavily on my experience with publishers.
First of all, the only way you can assign copyright to another party is if it is yours. OK, that’s obvious, but I think lots of people are missing that. When I sign the contract for a book with a publisher, I do assign the copyright to the publisher (in return for some considerations). The publisher needs me to warrant that the work is *my original work*. The same would be true for Open Source software projects. Hypothetically, for me to assign my OSS project’s copyright, I would have to assert that it’s my original work.
There is another way to assign copyright, which will be necessary for CodePlex and OSS to work. If you ask everyone that contributes to your OSS project to assign the copyright to the project (or you), you do hold the copyright, and therefore you can assign it. (The Apache Foundation Individual Contributor License Agreement contains language necessary to assign the copyright over.)
Note that you can (as the original author) grant a non-exclusive license as an alternative to assigning the copyright. That’s also common in many OSS contributor agreements. I’m not sure how much weight that gives in IP legal entanglements, but it seems to work for the Apache Foundation, and the MySQL organization. I’ll defer to others with more knowledge.
I’d imagine you could grant an exclusive license, but I’ve never seen that.
What the Codeplex Foundation can accomplish
Here’s the funny bit, and why the CodePlex can be a very strong positive force. The originator of a work can’t assign copyright to ‘a project’. Copyright must be assigned to a legal entity. That means a person, a corporation, some other business entity, a non-profit organization, or government entity. The CodePlex foundation is a legal entity, and can be the recipient of a copyright assignment.
The foundation has deeper pockets than most Open Source project leaders I know. I imagine that will continue to be true. The Foundation will, I believe, defend those copyrights that have been assigned to it.
Every book author knows this drill: if your book is successful, websites will spout up that let people download an electronic copy for free. When I find one of those, my only action is to let my publisher know about it. Some of the sites disappear, so it’s clear that the publisher’s attorneys have taken some action. I expect the CodePlex foundation to take similar action (and to take defensive action) when legal issues of IP ownership arise for those patents that have been assigned to it.
My opinion is that the CodePlex Foundation is enabling ownership of copyrights in order to provide an umbrella to protect users of its projects.
Note: I have no idea what, if any, recourse the Foundation, or a project owner, would have regarding a non-exclusive grant of use. See IANAL disclaimer at the beginning of this post.
Why do I care?
We just released an alpha of our first Open Source project (http://elevate.codeplex.com). I didn’t know what to expect. The experience was very positive. I enjoyed the project. I enjoyed the attitude that this project engendered even more.
The most interesting attitude change working with Open Source was that you view the source as the product, rather than the the object code. Often when you’re working, and a ship deadline approaches, you may feel pressure to defer work that isn’t necessary to meet the shipping deliverables. Maybe there’s some refactoring that doesn’t happen. Maybe there are some algorithms that don’t get updated to use a more modern technique. You have to ship, and no one sees the underlying code, so maybe that work gets delayed.
Working on Open Source gives you a different perspective. The source is the product. It must work. That’s necessary, but not sufficient. People are looking at the source in order to evaluate your project. The quality must show in the source, and in the test code. This change in the deliverable manifests itself in a change in our collective attitude toward work. We release in different (smaller) cycles. We focus on the internal source quality as well as the external behavioral quality when we discuss release gates.
That won’t necessarily raise the quality of code. I’ve seen very bad Open Source code. I’ve used closed source products that have excellent quality. And yet, it’s hard to ignore my change in attitude while working. It had the best of both worlds. I enjoyed working on production code (which I don’t get while working on samples for articles and books). I enjoyed creating source that would help other developers learn (like writing books and articles). It really was the best of both worlds.
That makes me interested in working in more Open Source projects. It makes me want Open Source projects to succeed.
How to evaluate the future
One of the most promising aspects of the Soft Launch of the ColdePlex Foundation is that Microsoft has not released this ‘totally baked’. They are openly asking for opinions, participation, and intend to replace the interim board with a permanent (er, permanent for one term. see the bylaws) board. I would expect Microsoft to be represented, but I would not expect them to have a true majority.
I think the board of advisors (or a software due diligence committee) could be more interesting. Somehow, the CodePlex Foundation will need to make a decision on every project that asks to join the foundation. Should it be accepted? One of the most important tasks around that decision is to determine the pedigree of the code that makes up the project. As I said earlier, the probability is small, but the risks are great. One of the greatest services the Foundation could provide would be reference legal documents and accompanying procedures for running a project, accepting patches, and inviting contributors that minimizes the risk associated with IP ownership.
Furthermore, running their organization so that large enterprises feel confident using those projects that are part of the Foundation would be a huge service.
My criteria for measuring the success of the CodePlex Foundation in six months are these:
- The community is satisfied with the Foundation’s governance structure.
- At least 20 new projects in the CodePlex Foundation.
- At least one Fortune 50 company has adopted at least one CodePlex Foundation project.
If the CodePlex Foundation achieves that, I’ll be very happy.
My own Call to Action
I’m excited enough about the CodePlex Foundation to take action. Here’s my TODO list:
- Continue to participate in the discussions online, and in any other way that I can.
- Start or continue at least one project that gets accepted by the CodePlex Foundation. (I want to experience the process of getting a project accepted by the Foundation first hand.)
- Contribute to someone else’s CodePlex Foundation project. (I want to experience how the foundation treats external contributors first hand.)
- Convince one customer to use a CodePlex Foundation project. (Yes, this is probably predicated on the previous two items.)
What are you going to do?