OS Licensing for SaaS

July 12, 2007

Open Source came before, if not provided a platform for, Software as a Service.  Open Source Licenses have a big loophole for the most common method of software distribution today.  Tim O’Reilly addresses this while making yet another argument for open data.

Linux Magazine’s article The GPL Has No (Networked) Future recognizes a point that I’ve been making for years: that free software license requirements to release source code are all triggered by the act of distribution, and that web applications, which are not actually "distributed," are therefore not bound by these licenses. (See, for example, my 1999 debate with Richard Stallman at the Wizards of OS conference in Berlin.) 

The article describes how during the GPL v3 discussions, there was a move to close the "SaaS loophole" by including some of the provisions of the Affero General Public License or AGPL:

the FSF supported the creation of the Affero GPL and attempted to integrate it into the early drafts of the GPL3. However, that plan backfired and the FSF not only struck the text that would extend the GPL to software delivered as a service but clarified just what "to ‘convey’ a work" actually means.

Mere interaction with a user through a computer network, with no transfer of a copy, is not conveying.

In other words, software delivered as service is now officially not covered by the GPL.

…the community forced the provision out as indicated in the FSF’s 61-page rationale document [pdf] that accompanies this latest draft.

We have made this decision in the face of irreconcilable views from different parts of our community. While we had known that many commercial users of free software were opposed to the inclusion of a mandatory Affero-like requirement in the body of GPLv3 itself, we were surprised at their opposition to its availability through section 7. Free software vendors allied to these users joined in their objections, as did a number of free software developers arguing on ethical as well as practical grounds.

The article concludes that while this is the right decision, it places real limits on the long-term significance of the GPL: "The future is networked. The GPL isn’t."

Bryan Richard’s article is a great analysis, and the implications of keeping the loophole open for SaaS are significant. There are both practical and philosophical reasons to close this loophole with a network use clause:

If you’re unfamiliar with the SaaS loophole, it’s probably best described by a license that actually covers it. Fabrizio Capobianco, who created the Honest Public License, describes it as such:

Some people interpret distribution of software as a service not as distribution of software (because GPL v2 was created before web services were on the horizon and therefore did not address them in the license). They believe that they can use open source software to offer services to the public, without returning anything to the community.

As to why you might need it, the creators of the Affero General Public License have this to say:

We believe that certain software can extend the bounderies [sic] of a person, and therefore should not be out of the control of the individual. We believe that people’s freedom should be protected. We believe that this includes their digital interface to others.

Affero and the Common Public Attribution License (CPAL)

Many OSI Certified licenses were developed before the web became a common method of distributing an application to users. Making an application available for use over a computer network, such as an email service accessed and used like GMail, should be treated the same as compiling it, burning it on a CD-ROM, and mailing out that CD-ROM. We sought to address this issue when developing the Common Public Attribution License (CPAL). Some licenses use the Affero Network Use clause to this effect, but we chose the External Deployment clause from the Open Source License (OSL) because it is more technology-neutral (OSD #10) and future-proof, and is clearer about the philosophy behind the requirement.

The other issue is that the Affero license, while widely known and used, is not OSI Certified, whereas OSL is. My hope is that CPAL, an MPL plus APL plus OSL license, is approved by the OSI at their next board meeting at OSCON at the end of the month and I can write sentences with fewer acronyms. But my other hope is that there is a license accepted by the community that provides Attribution like GPLv3, but also closes the SaaS loophole.