Special report Last year, lawyer Van Lindberg drafted a software license called the Cryptographic Autonomy License (CAL) on behalf of distributed development platform Holo – and submitted it to the Open Source Initiative (OSI) for approval as an Open Source Definition-compliant (OSD) license.
The debate over whether or not to approve the license, now in its fourth draft, has proven contentious enough to prompt OSI co-founder Bruce Perens to resign from the organization, for a second time, based on concern that OSI members have already made up their minds.
“Well, it seems to me that the organization is rather enthusiastically headed toward accepting a license that isn’t freedom respecting,” Perens wrote in a missive to the OSI’s license review mailing list on Thursday. “Fine, do it without me, please.”
Perens, for what it’s worth, drafted the original OSD.
Another open-source-community leader familiar with the debate – who spoke with The Register on condition of anonymity – claimed Lindberg lobbied OSI directors privately to green-light the license, contrary to an approval process that’s supposed to be carried out in public.
“I don’t think that’s an appropriate characterization,” said Lindberg, of law firm Dykema, in a phone interview with The Register. “I think there are number of people who from the beginning made up their minds about the CAL. You’ll see a lot of people jumping onto any pretext they can find in order to oppose it.”
“With regard to this idea of lobbying, there have been procedural-type communications that I think are entirely reasonable,” he added. “But all the substantive debate has been on the license review and license discussion forums.”
In an interview with The Register, Pamela Chestek, chair of the OSI’s license review committee, said she was not aware of whether Lindberg had approached other OSI board members to lobby for the CAL.
“I do know people seemed to think there was something going on what wasn’t going on,” she said.
Chestek explained that the OSI board is generally happy to consult with parties in advance of a license review. “I did have a phone conversation in that context to help him understand what the issues are with the license,” she said. “I think that communication may have been misunderstood.”
Perens, in a phone interview with The Register, explained that the OSI has existed for 21 years and has been approving software licenses during that time. There are more than 100 such licenses, he said, and having that many is harmful to the community because when you combine software with multiple licenses, that creates a legal burden.
“Most people who develop open source don’t have access to lawyers,” he said. “One of the goals for open source was you could use it without having to hire a lawyer. You could put [open source software] on your computer and run it and if you don’t redistribute or modify it, you don’t really have to read the license.”
Perens contends the CAL breaks that model. “The reason it does is if you are operating software under the CAL and you have users, you have the responsibility to convey the user’s data back to them under certain conditions,” he explained.
The reason for this, he said, is that Holo expects to oversee a network of CAL-licensed applications, and they don’t want those creating clients for the distributed platform to sequester data from users to lock users in.
As Lindberg explained in a post about the CAL back in March, “You must refrain from using the permissions given under this License to interfere with any third party’s Lawful Interest in their own User Data.”
Holo’s software is “a hashchain-based application framework for peer-to-peer applications.” It’s essentially a platform that allows software developers to create distributed applications secured by cryptographic code. The reason developers might want to do so is that distributed applications spread infrastructure costs among network participants rather than saddling the developer with the cost of a centralized server.
According to Holo co-founder Arthur Brock, distributed peer-to-peer software needs a license that addresses cryptographic key rights, which is why the CAL has been proposed.
“We are trying to say: the only valid way to use our code is if that developer’s end-users are the sole authors and controllers of their own private crypto keys,” he wrote in a post last year.
Lindberg said the CAL is applicable to current web applications but it more meaningful in the context of distributed workloads and distributed computation, which he contends will become more important as people seek alternatives to the centralization of today’s cloud-based systems.
“A lot of people are very concerned about this concept of owning your data, owning your compute, having the ability to really control your computing experience and have it not be controlled by your cloud provider,” said Lindberg.
Perens said, “It’s a good goal but it means you now need to have a lawyer to understand the license and to respond to your users.”
Perens said he resigned because the OSI appears to have already decided to accept the license. He said he’s headed in a different direction, which he called “coherent open source.”
“We’ve gone the wrong way with licensing,” he said, citing the proliferation of software licenses. He believes just three are necessary, AGPLv3, the LGPLv3, and Apache v2.
Beware losing your data
Chestek said the OSI has been aware for years that it’s undesirable to have too many software licenses, pointing to the organization’s long-standing anti-proliferation policy. The CAL, she said, has some novel aspects, specifically its data provision requirement.
“If someone uses this license to provide services, they also have an obligation to provide data,” she said. “That’s an entirely new concept for open source licenses.”
“It’s interesting because we are having a merger of data and software,” Chestek opined. “It’s getting harder to tell where the line is. I think it’s worthwhile for the OSI to consider this.”
In response to the concern voiced by Perens about that software licenses show signs of mission creep by attempting to address aspects of behavior traditionally addressed through public law or other mechanisms, Chestek acknowledged that’s a matter of ongoing discussion at the OSI.
“What is it that’s appropriate for a software license to do?” she said, pointing to another license facing OSI review, the Vaccine License, which “requires that users vaccinate their children, and themselves, and that user businesses make a similar requirement of their employees, to the greatest extent legally possible.”
Asked whether the OSI plans to approve the CAL, Chestek said she doesn’t yet have an opinion. “It’s still under active discussion,” she said.
Licence to grill: A year on, MongoDB’s Eliot Horowitz talks to The Reg about SSPL
However, she said that Lindberg has made a great effort to work with the OSI during the review process. “It has taken a long time,” she said. It’s a very painful process to go through. That’s the way the system is supposed to work.”
Even so, there are those who would see the process take longer still.
“[T]he policy implications of OSI volunteers interactively drafting a very novel copyleft license with a for-profit entity’s lawyer and then approving it quickly really concern me,” wrote Software Freedom Conservancy policy fellow Bradley Kuhn, in a post to OSI’s license review list.
“Licenses function as legislation of our community. Yes, lobbyists often write our legislation, but that rarely generates good outcomes for the Republic and its people.” ®
Rojenx is a leading concept artist who work appears in games and publications
Check out his personal gallery here