[License-discuss] [somewhat OT provocation] justifying the commercial no-discrimination clause
rick at linuxmafia.com
Wed Mar 1 23:27:12 UTC 2017
Quoting Luis Villa (luis at lu.is):
> So... if someone asked you to justify OSD #6, what's the best rationale
> you've seen (or could provide yourself)? I'd love links or answers.
OSD #6 draws a line preventing resumed use of the oldest and most
persistent abridgements of open source of all: Commencing the process
of proprietising a codebase by withholding/encumbering the right of
I would remind OSI readers of the state of publicly redistributable
software in the 1980s, and specifically the software emerging from
academia. Out here on the Left Coast of the USA, we had Computer
Science Research Group, producing BSD. On the other coast, a group at
MIT was producing X Window System and Kerberos. But those were the two
The standard model at universities was that the source code would be
made available to the public for non-commercial use in order to make it
useful and ubiquitous, but the university regents would retain copyright
title and monetise the commercial rights by selling separate
At the beginning of the 1990s, you could see this situation if you did a
survey of security software.
(I won't be getting to my main point until I discuss the history of PGP
and SSH, but first, some security-scanning and IDS packages.)
o COPS (Computer Oracle and Password System) vulnerability scanner:
Written by Dan Farmer and Gene Spafford when they were at Purdue
University. Now obsolete. Purdue sold commercial-usage rights
o SATAN (Security Administrator Tool for Analyzing Networks). Dan
Farmer and Wietse Venema's follow-on to COPS, a similar tool,
likewise now obsolete. Used same licence model.
o SARA (Security Auditor's Research Assistant), competitor, also
obsolete, same licence model.
o SAINT (Security Administrator's Integrated Network Tool), same story.
o Tripwire, a Gene Kim and Gene Spafford production at Purdue,
initially using the standard university reservation-of-commercial-rights
with the same model (IIRC). In the late 90s, Gene Kim bought the
copyright from Purdue and (IIRC) stopped releasing source code at all.
(The history is more complex than this. I have notes with the full
course of events on my Web server, but think they're not that
interesting, here.) Some years later, he and Tripwire, Inc. executives
approached my employer VA Linux Systems in some concern (2000),
aware that they were massively losing mindshare to open source
competitors such as AIDE, Samhain, Integrit, and Prelude-IDS.
Tripwire, Inc. at this point started maintaining 'Tripwire
Academic Source Release' under GPLv2, functionally equivalent
to the binary-only product but without some extras, with help from
my firm making the codebase ready for public release again.
The likes of COPS, SATAN, SAINT, and SARA have all been unable to
compete with open source Nessus, nmap, and the above-cited Tripwire
competitors, among others.
o PGP. Originally open source, but the first thing that changed after
Phil Zimmermann sold the rights was to very gradually clamp down on rights,
starting with reserving rights for commercial use, then various other
restrictions culminating with stopping the release of source code
entirely starting in the year 2000.
o SSH. Tatu Ylönen's (SSH Communications Security's) original version
was open source (permissive licence), but around 1995 SSH Communications
Security signed a commercial distribution
agreement with Data Fellows, Ltd. (now F-Secure Corporation).
Ylönen's 1.2.13 came out 1996-02-10 (increments ssh version to 1.3).
1.2.12 came out 1995-12. SSH 1.0 issued 1995-07-12. Right around the
issuance of 1.2.13, the files for 1.2.1 through 1.2.12 were removed from
the main SSH ftp site and its mirrors. Some restrictive licensing
wording was added to version 1.2.13. The licence was changed again
starting with 1.2.28, requiring payment for any use in a commercial
setting. Eventually, source code availability was removed
How we ended up with a thriving market for open source SSH
implementations is, I think, instructive: Someone named Björn Grönvall
in Sweden found a third-party-hosted tarball of source code for
Ylönen's SSH v. 1.2.12, the final open source version (i.e., the
removal of 1.2.1 through 1.2.12 tarballs hadn't found them all). He
updated the code and maintained it as a fork he called ossh. OpenBSD
Foundation noticed Grönvall's work, and forked his fork to create
OpenSSH and Portable OpenSSH, developing ssh protocol v. 2.0 modules for
Newer open source workalikes such as Dropbear, LSH, FreSSH, Erlang SSH,
Twisted.Conch, Paramiko, and PuTTY have been able to build on, study,
and borrow from Grönvall's and OpenBSD Foundation's work.
I would maintain that the history of SSH shows that the _first_, most
obvious, and most remunerative move taken in proprietising codebases is
very typically quietly adding a reservation of commercial rights --
which is also why proprietary-leaning concerns like Canonical, Ltd.
typically ask for assignments of copyright title on code contributions,
so that they remain sole copyright holders and can start withholding
rights and monetising a 'commercial version'.
> An ideal answer would address the perceived ongoing challenge of building
> sustainable models for maintainers/projects (possibly including the
> challenge of bringing the less economically privileged into our
> I'm writing/thinking about this topic right now and want to make sure I'm
> not arguing with strawmen, so the best/most serious answers will be deeply
Above is obviously not your ideal answer. However, I hope its review of
some relevant software history will be useful to you.
Cheers,
Rick Moen
rick at linuxmafia.com

"The crows seemed to be calling his name, thought Caw."
-- Deep Thoughts by Jack Handey