[License-discuss] [somewhat OT provocation] justifying the commercial no-discrimination clause

Rick Moen rick at linuxmafia.com
Wed Mar 1 23:27:12 UTC 2017

Quoting Luis Villa (luis at lu.is):

> So... if someone asked you to justify OSD #6, what's the best rationale
> you've seen (or could provide yourself)? I'd love links or answers.

OSD #6 draws a line preventing resumed use of the oldest and most
persistent abridgements of open source of all:  Commencing the process
of proprietising a codebase by withholding/encumbering the right of
commercial use.

I would remind OSI readers of the state of publicly redistributable
software in the 1980s, and specifically the software emerging from
academia.  Out here on the Left Coast of the USA, we had Computer
Science Research Group, producing BSD.  On the other coast, a group at
MIT was producing X Window System and Kerberos.  But those were the two
great exceptions.

The standard model at universities was that the source code would be
made available to the public for non-commercial use in order to make it
useful and ubiquitous, but the university regents would retain copyright
title and monetise the commercial rights by selling separate
commercial-usage licences.

At the beginning of the 1990s, you could see this situation if you did a
survey of security software.  

(I won't be getting to my main point until I discuss the history of PGP 
and SSH, but first, some security-scanning and IDS packages.)

o  COPS (Computer Oracle and Password System) vulnerability scanner:
   Written by Dan Farmer and Gene Spafford when they were at Purdue
   University.  Now obsolete.   Purdue sold commercial-usage rights

o  SATAN (Security Administrator Tool for Analyzing Networks).  Dan
   Farmer and Wietse Venema's follow-on to COPS, a similar tool,
   likewise now obsolete.  Used same licence model.

o  SARA (Security Auditor's Research Assistant), competitor, also 
   obsolete, same licence model.

o  SAINT (Security Administrator’s Integrated Network Too), same story.

o  Tripwire, a Gene Kim and Gene Spafford production at Purdue,
   initially using the standard univerity reservation-of-commercial-rights
   with the same model (IIRC).  In the late 90s, Gene Kim bought the 
   copyright from Purdue and (IIRC) stopped releasing source code at all.  
   (The history is more complex than this.  I have notes with the full
   course of events on my Web server, but think they're not that
   interesting, here.)  Some years later, he and Tripwire, Inc. executives 
   approached my employer VA Linux Systems in some concern (2000), 
   aware that they were massively losing mindshare to open source 
   competitors such as AIDE, Samhain, Integrit, and Prelude-IDS.
   Tripwire, Inc. at this point started maintaining 'Tripwire 
   Academic Source Release' under GPLv2, functionally equivalent
   to the binary-only product but without some extras, with help from
   my firm making the codebase ready for public release again.

   The likes of COPS, SATAN, SAINT, and SARA have all been unable to 
   compete with open source Nessus, nmap, and the above-cited Tripwire
   competitors, among others.

o  PGP.  Originally open source, but the first thing that changed after
   Phil Zimmerman sold the rights was very gradually clamp down on rights,
   starting with reserving rights for commercial use, then various other
   restrictions culminating with stopping the release of source code
   entirely starting in the year 2000.

o  SSH.  Tatu Ylönen's (SSH Communications Security's) original version 
   was open source (permissive licence), but around 1995 SSH Communications 
   Security signed a commercial distribution 
   agreement with Data Fellows, Ltd. (now F-Secure Corporation).  
   Ylönen's 1.2.13 came out 1996-02-10 (increments ssh version to 1.3).
   1.2.12 came out 1995-12. SSH 1.0 issued 1995-07-12. Right around the
   issuance of 1.2.13, the files for 1.2.1 through 1.2.12 were removed from
   the main SSH ftp site and its mirrors.  Some restrictive licensing
   wording was added to version 1.2.13.  The licence was changed again
   starting with 1.2.28, requiring payment for any use in a commercial
   setting.  Eventually, source code availability was removed

How we ended up with a thriving market for open source SSH
implementations is, I think, instructive:  Someone named Björn Grönvall
in Sweden found a third-party-hosted tarball of source code for 
Ylönen's SSH v. 1.2.12, the final open source version (i.e., the 
removal of 1.2.1 through 1.2.12 tarballs hadn't found them all).  He
updated the code and maintained it as a fork he called ossh.  OpenBSD
Foundation noticed Grönvall's worked, and forked his fork to create
OpenSSH and Portable OpenSSH, developing ssh protocol v. 2.0 modules for

Newer open source workalikes such as Dropbear, LSH, FreSSH, Erlang SSH,
Twisted.Conch, Paramiko, and PuTTY have been able to build on, study,
and borrow from Grönvall's and OpenBSD Foundation's work.
I would maintain that the history of SSH shows that the _first_, most
obvious, and most remunerative move taken in proprietising codebases is
very typically quietly adding a reservation of commercial rights --
which is also why proprietary-leaning concerns like Canonical, Ltd.
typically ask for assignments of copyright title on code contributions, 
so that they remain sole copyright holders and can start withholding
rights and monetising a 'commercial version'.  

> An ideal answer would address the perceived ongoing challenge of building
> sustainable models for maintainers/projects (possibly including the
> challenge of bringing the less economically privileged into our
> communities).
> I'm writing/thinking about this topic right now and want to make sure I'm
> not arguing with strawmen, so the best/most serious answers will be deeply
> appreciated.

Above is obviously not your ideal answer.  However, I hope its review of
some relevant software history will be useful to you.

Cheers,                 "The crows seemed to be calling his name, thought Caw."
Rick Moen                                     -- Deep Thoughts by Jack Handey 
rick at linuxmafia.com 
McQ! (4x80)        

More information about the License-discuss mailing list