On Cane Toads, Fire Ants and Patents
By webmink on Feb 13, 2005
My first distillation of discussions on Groklaw1 concerns mainly patents. Asterisks show links to sample comments on Groklaw, just in case you think my examples are imaginary. My aim is to explain rather than to attack so please read things that way and e-mail if you think there's an attack snuck in.
Groklaw theories on why Sun created the Common Development and Distribution License (CDDL) included active tactics like "undermine the GPL", "set up a walled garden of development\*", "attack Linux\*\*", "copy Microsoft Shared Source\*" as well as passive diagnostics like "not getting open source\*", "being clueless" and so on. Actually, the team led by Claire Giordano understand open source really well and had none of those motivations. It was obvious from day one that any future software licensing would need to use OSI-approved licenses rather than indulging in the sort of experimentation that was possible for Sun in the late 90s. Experimentation with licenses to form communities around software was all valuable back then2. Sun and others learned a great deal from trying bold licensing ideas like SISSL and SCSL, including their flaws. Since then, it's become clear that each experiment can live for ever as we now extract ourselves from modern dislike of those licenses untempered by a view of their historical significance.
Moreover, license proliferation has now run rampant. As it turns out, a huge amount of the proliferation is revisions to the otherwise excellent Mozilla Public License (MPL) caused by the hard-wiring of some of its clauses. People change the company name and jurisdiction in the MPL and then don't seem to be able to stop themselves adding a little something extra too, thus creating yet another license with reciprocal terms that fragments the license space (as Larry Rosen has pointed out). As Mitchell Baker's MPL is so popular (and rightly so), it was used as the starting point for the new license that seemed inevitable once the factors below were understood. In an effort to reduce license proliferation, it was decided to make the license generic and re-usable rather than specific to Sun. Hopefully we'll see a reduction in reworded MPL variants being brought to OSI, not least as people seek to join the defensive patent pool created by the CDDL.
A number of factors showed the team the problem space Sun faces:
- First, there are patent terrorists3 around, even in the most unlikely guises. Until a reform of US patent law results from the brave resistance of citizens in Europe4, we can expect attention to detail over patents to become more rather than less important.
- Second, Sun is heading towards a greater empowerment of all its communities of deployers and ISVs - there will be more open source projects, it's a societal shift not a passing trend. It will be necessary to have a license that allows for the blending of code with licenses from the various geological eras of software history as each one goes open source.
- Third, while a do-as-you-please approach was widely appropriate in an earlier and gentler age, today it's often important to encourage all users of a code base to make an ongoing commitment to engage rather than seeing open source projects as a parts shop with no checkout desk - "shared development", not just "published source".
Looking at the current range of OSI-approved licenses it became clear that none of them was a perfect fit and that a new license would be needed. The GPL was pretty popular with many people in Sun, but its most obvious failing was in issue 2 - it doesn't allow mixed licensing5. For something like OpenSolaris, that's essential. While Sun's legal team has done amazing work over the last five years renegotiating licenses from the various geological eras, there's still a variety of licensing in the huge code-base that is Solaris and indeed there are likely to be modules that will need to stay binary only, at least at first.
Toads and Ants
None of the licenses looked at really seemed to have a good answer to patent terrorists, and this was a primary motivation in the design of the CDDL. Patents on methods are like cane toads or fire ants. In the habitat where their natural predator is present, they are irritating but containable, but allowed to roam elsewhere they are a menace that threatens the otherwise defenceless native species. For patents, the natural predator is the patent portfolio backed up by the will to fight and the cash to do so. To provide a good defence, that portfolio needs to encompass the whole code-base it applies to - if it can attract a diversity of co-operating owners, all the better.
Usually that's a matter for the company developing the software product, who file patents as they go along, but for an open source community it's harder and so far no-one has created a mechanism to build the defences. The idea of the CDDL is to seed a patent portfolio for the code-base involved, and then ensure that as contributions are made over time each contributor also supplies the community with the patent rights necessary to defend their work.
Consequently, paragraphs 2.1 and 2.2 of the CDDL make every contributor grant all necessary rights for their code in a blanket grant, and then section 6 binds them in a 'patent peace' arrangement so that any patent litigation leads to a loss of rights - an idea pioneered in the GPL and MPL. At a minimum, paragraph 3.2 ensures all contributors declare they have rights to their ideas, just as the original licensor does by the act of creating the original work.
Scattering or Building?
Groklaw people are fond of asking "why doesn't Sun do it right like IBM\*\*" but IBM's approach of gathering a small selection from their huge patent portfolio and hoping someone can do something good with them is much less focussed - a fine gesture of openness and generosity nonetheless. People preferring IBM's approach presumably regard patents as a seed-idea from which to be creative under an OSI-approved license. That approach requires study of each and every patent both by the donor and the recipient - something only those with access to specialist legal advice will find comfortable. However patents may have been conceived in earlier times, they have become the protective barbed wire around corporate products.
The Sun approach results in a blanket grant to all patents found to be necessary and creates a project known to be protected. It's not about seeding ideas - but then modern patents do their best to gain protection while revealing as little as possible that's useful anyway. Both approaches to patents are good if we have to live with them, but it's like the difference between throwing a handful of coins into a crowd and hoping it will do some good versus endowing a charitable trust. The charitable trust is theoretically more restricted (not everyone can grab a coin) but in the end solves the problems in its charter better than any general approach.
A common objection is that developers are in some way more at risk\*\* from looking at the OpenSolaris source than they are looking at the source of some other commercially-derived open source project, because the patent grant only applies within the scope of CDDL-licensed projects. However, once you realise that most US technology corporations encourage developers to file patents as they go along, to build defensive protection for their products, you will also realise that it's likely all substantial corporate-origin open source projects are heavily encumbered6. Even smaller contributions from big patent holders are probably affected. Just because Sun has quantified it for OpenSolaris, that doesn't mean that it's any less safe to look at than any other open source project. If you use either the code or the ideas behind any code-base you are likely taking a theoretical risk, possibly a practical risk if you allow it to inform other, non-OSI-licensed projects. That's not an attempt to scare you - it's just a fact. Patents apply whether you know about them or not and reading people's code neither increases nor decreases your risk from them.
Of course, it's no comfort to know that you have always had a problem and that it's not gone away, and I suppose there are grounds for jealousy that CDDL projects will have something other OSI projects haven't got yet. Despite popular Groklaw accusations like "trying to entrap Linux developers to use Sun patents so they can be sued\*" and "misleading people by saying there's a patent grant but keeping it all for themselves\*", Sun is actually doing a new thing that solves rather than creates a problem, while doing no harm in the worlds of existing licenses. To suggest Sun is going to suddenly start patent suits against other open source community members is ludicrous. Like IBM, Sun has no intent of doing that. Unlike IBM, Sun also has no intent of turning its patents into a revenue centre from commercial developers. Sun has, like Red Hat and MySQL, accumulated its patent portfolio as a defensive measure against patent terrorist. The CDDL now gives Sun and others a way to extend that protection to others, through the specific wording of a specific license.
There's plenty more to say on this subject, but I'll end for now with a pointer to Greg P's recent comments on the subject. I personally think the steps CDDL takes with creating blanket patent protection are an essential step that the open source meta-community will have to take with other licenses in the future; maybe GPL v3 will take similar steps and thus become miscible (or at least safe to dual license) with CDDL, to the satisfaction of both the OpenSolaris and Linux communities?
- When I say "Groklaw" here and elsewhere I am referring mainly to the comments left by the readers of the site, rather than the stuff written by its owner.
- It's worth remembering that, when Sun created licenses for projects in the mid 1990s it was before the Open Source Definition was published, OSI formed or the term "open source" was in general usage. The licenses involved were genuine attempts to promote freedom on the part of their creators, as was the publication of the full source code to Java when it was announced in early 1995.
- Some folk have complained that using the word 'terrorist' here isn't appropriate. It's an extreme usage, I agree, but (1) I didn't coin it, Richard Wilder did, and (2) it is no worse than calling people who breach the terms of a software license 'pirates' - a usage which is a demonstration of abusive framing in action. I'd probably use the term 'patent troll' otherwise.
- Not to overlook the brave citizens of South America here! Just recently, WIPO decided to censor NGO participation as observers on the assembly to discuss the proposal from Brazil and Argentina on IP reform, the so called "development agenda". They will soon need community support for their resistance to IP laws that promote patent terrorism, being introduced by stealth as part of "trade negotiations".
- People have responded to this by saying "well, dual-license then, like Mozilla does\*". That's fine all the time both of the licenses you are using provide the same protections in the areas that are most important to you, but unfortunately that's not the case here. Specifically, people have called for the use of a CDDL/GPL dual license. However, as the GPL does not have language to create a blanket patent grant, people would be able to opt for that license instead of the CDDL and evade their freedom-creating responsibilities as has happened elsewhere where a company was able to evade the share-alike requirements of the GPL by using the other half of a dual license that didn't have that requirement. That is clearly not appropriate; maybe under GPL v3 it will be possible to re-visit the issue.
- And I mean all. Netscape filed patents that affect Mozilla. Even Red Hat has defensive patents. When such things fall into the wrong hands through acquisition or bankruptcy it can be very serious. An enforceable antidote through a license seems the best protection against the future.