[License-discuss] comprehensiveness (or not) of the OSI-approved list

Nicholas Matthew Neft Weinstock nweinsto at qti.qualcomm.com
Mon May 20 20:19:13 UTC 2019

Hi Van, in pondering your claim that only portions of Debian can be called "Open Source" based on whether they are under an OSI Approved License, I think the logic is backward.  I agree that everything in the list of OSI Approved Licenses is Open Source, but I don't think that means that a license can't be Open Source unless it is in the list of OSI Approved Licenses.

The OSD is, literally, the definition of the phrase "Open Source."  It's not the OSBMQ (Open Source Bare Minimal Qualifications), nor the OSFC (Open Source Factors for Consideration).  It is a published definition. If a license fits within that definition, it should be able to be called the phrase being defined.  In this case, "Open Source."

The OSI Approved License list is very helpful because any license on the list has been reviewed by the maintainers of the definition and confirmed to be within that definition.  But if a license isn't on the list, that doesn't mean that it doesn't fit the Open Source Definition.

Let's consider your statement a bit more...

If Debian includes portions that cannot be called "Open Source" then how would you refer to the Debian project as a whole?  Are you saying that Debian shouldn't be called "Open Source"?  What should it be called?  "Partially Open Source"?  "The project formerly considered to be Open Source"?

What would you call the parts of Debian that are not under an OSI Approved License, but their license objectively fits the Open Source Definition?  For example, there are components/files under the FSF Unlimited License (https://spdx.org/licenses/FSFUL.html).  Would you claim that portions under this license should not be called "Open Source"?


Let's take this thought exercise to a broader context.

There are some licenses that OSI had approved at one time but are no longer on the list of OSI Approved Licenses.  These include Apache License 1.1, Artistic License 1.0, GPL 1.0, LGPL 2.0, and the Sun Industry Standards Source License.  As of right now, I confirmed that OSI still has pages for all of these, but they're not directly accessible from their list of licenses.

What if a project was released under one of these licenses when it was still on the list of OSI Approved Licenses?  Should the project get to be grandfathered in, so we call it "Open Source" even though its license is not on the list?  Did the "Open Source" characterization change on the date that OSI, an unaffiliated organization, changed how it characterizes the license?

What about a project that only migrates to the newer license for releases moving forward?  For example, OpenSSL has only changed to the Apache 2.0 license as of the 3.0.0 release, but the older versions are still under the OpenSSL license (https://www.openssl.org/source/license.html).  Would you say that the older versions of OpenSSL are not "Open Source"?


Nicholas Weinstock

From: License-discuss <license-discuss-bounces at lists.opensource.org> On Behalf Of VanL
Sent: Monday, May 20, 2019 11:11 AM
To: license-discuss at lists.opensource.org
Subject: [EXT] Re: [License-discuss] comprehensiveness (or not) of the OSI-approved list [was Re: [License-review] For Legacy Approval: LBNL BSD]

I was just going to move this to L-D, and I see that Luis beat me to the punch.

On Fri, May 17, 2019, 10:59 AM Richard Fontana <rfontana at redhat.com> wrote:

I can't find the tweet but on Twitter recently Van Lindberg expressed
the view that for distros like Debian or Fedora, the only portions of
them that can legitimately be called "open source" are those that are
licensed under an OSI-approved license. I do not agree with this at
all, and if the legacy approval mechanism can help respond to this
sort of viewpoint then it can only be beneficial to OSI.

I did write this, and I would say it again.

But this is not an attack on the OSI. You are unlikely to hear such a thing from me; you will scarcely find someone who will defend the OSD and OSI more vigorously. 

In contrast to some other comments, I *do* write in contracts that open source licenses are only those that are approved by the OSI. The definition is important. It allows me to understand that there are certain guarantees that I can make about Open Source software.

At least for now, and unless the OSI fumbles the ball so severely that it cannot be recovered, I believe that OSI *is* the arbiter of what is Open Source, just like the FSF is the arbiter of what is Free Software. That is a reflection of my perception of the OSI's authority - actual or potential - due to its development and stewardship of the OSD and its ongoing process to certify licenses against it.

I know of some people who have written of the OSI and the OSD. I think that is dangerous for the organization and would be a huge loss for the whole community if we did not have an official definition.


