When the reforged GNU General Public License, Version 3 (GPLv3) was finalized and released to an expectant public on June 29, 2007, the most important decision may have been one postponed. With the third iteration of the most popular open source license, the Free Software Foundation tackled weighty questions relating to software patents, license compatibility and hardware restrictions. But the question on the minds of many in the public comment period was whether they would tackle the considerably more problematic issue of the so-called “ASP loophole.”
They did not.
Simply stated, this refers to the fact that Software-as-a-Service or Web 2.0 applications fail to trigger the most important reciprocal protections afforded by the GPL because they are not, according the GPL’s definition of the term, “distributed.” What this means in practice is that companies such as Amazon, eBay, Google and so on – Application Service Providers, as they might have been called in years past – are free to consume GPL assets and make modifications to them without the obligation of sharing them under the same terms. Traditional software distributors, on the other hand, have no such luck. If Canonical, Novell, Oracle, or Red Hat want to make modifications to their respective Linux distributions, they are required per the terms of the license to share those changes with their competitors. Amazon or Google, meanwhile, are not.
And therein lies the problem, to some. Tim O’Reilly, for one, has argued that this limitation arguably makes open source licenses obsolete (I didn’t agree). Fabrizio Capobianco has called the loophole “the cancer of open source.” Matt Asay, meanwhile, was “honestly upset” when he discovered that v3 punted on the question of distribution. And most recently, Jeremy Allison – the noted SAMBA developer and Google employee – described the loophole as the GPL’s “fatal flaw.”
Are they right? They may well be, they are smart people all. Personally, however, the evidence does little to convince me that we have a problem.
Part of my issue is that I focus on the fact that the GPL – as popular and important as it is today – is just one license among many. So although Tim and the rest of the objectors are unquestionably correct when they assert that the GPL’s reciprocal provision is powerless against the changing nature of distribution, it is equally true that there are a great number of projects that do not have any reciprocal provision attached to them. Permissively licensed assets (which impose few if any restrictions on developers as far as usage), in fact, make up the other half of the high visibility LAMP stack – the Apache licensed Apache webserver and the permissively licensed Perl/PHP/Python languages to balance the reciprocally licensed Linux kernel and MySQL database. A variety of complementary but important infrastructure projects, such as the BSD-licensed memcached, also decline the distributed protections that the GPL affords.
Yes, network delivered applications skirt the protections of the GPL by redefining the nature of distribution. And yes, the license’s role and protections are materially different in a networked age than prior. But “the GPL is the new BSD license and that Google is the new Microsoft,” as the former executive director of the FSF Bradley Kuhn said? That’s going a bit far, in my view. As I’ve said before when arguing that open source licenses were not made obsolete by the loophole:
First, and most importantly, all software is not Web 2.0. It would be difficult to make the argument, in fact, even that most software is Web 2.0…The fact is that the world’s top two or three largest software vendors are not fueled generally speaking by Web 2.0 applications or software as a service. Nor are the hundreds of millions of desktops or billions of mobile devices powered – at an OS level – by SaaS. Until those things change, open source licensing – to me – will be far from obsolete.
I’m as big a believer in Web 2.0 and SaaS as you’re likely to find in the analyst ranks, but last I checked both needed operating systems and browsers to function. And last I checked both OSs and browsers are subject to traditional distribution, and therefore licensing restrictions.
But let’s assume that Kahn’s correct for a moment, and that the GPL is the new BSD. What could or should be done about it?
Nothing, in my view. We have a variant of the GPL in the Affero GPL which effectively closes the ASP loophole, and it’s available for those projects that wish to adopt it. Barring the Funambol or Laconica, however, few projects have. Ohloh, as one example, has 102,645 projects at present using the GPL and 1,189 on the GPLv3 against 110 for the AGPL and 49 for the AGPLv3.
When it comes to license styles and trends, I tend towards laissez-faire, to be sure (e.g. my apathetic response to the license proliferation crisis). In this, the ASP loophole question is no exception. If the market – open source projects, in this case – believes that Software-as-a-Service or the cloud represent a clear and present danger, they have the option to choose a license that will offer the same protections that the GPL does for traditionally distributed today. At present, however, I see little evidence that they are choosing it, and even less that they should.
Would it be nice if Google, as an example, was required to distribute its changes to GPL assets? Fabrizio, for one, thinks so, saying:
One company benefiting from [the ASP loophole] is Google, abusing open source software for their benefit (aren’t you interested in seeing the modification to the Linux file system they did to run their gazillion of servers? I am In fact, they pushed for the ASP loophole to be ratified in GPL v3 and they submitted it to OSI for approval. They love the loophole. They made a business around it (and what a business!!). They got GPL v3 OSI approved…
And maybe he’s right; it’s impossible to say what, precisely, Google holds back for competitive advantage purposes. But looking at their involvement in various GPL assets would indicate that they do contribute on some level. The GPL licensed MySQL? Well, here are your patches. How about Linux? Google’s contributions here are more meager, though from 2.6.11 to 2.6.24 they did contribute 965 changes back to the kernel, behind the likes of IBM, Novell and Red Hat but ahead of HP (source: The Linux Foundation).
It’s tempting, then, to ask what problem is being solved by the Affero GPL. But that would be facetious, and would serve to trivialize what could be a real problem for some projects. Projects that are considerably less visible than Linux or MySQL, for example, might require the protection that the AGPL affords. For them, closing the loophole might seem like a life or death matter. The difficulty will be in determining which the license will guarantee: even as AGPL licensed protects are protected from those that would use them without contributing, it also represents an insurmountable barrier to entry for some potential players.
I’m glad then that the Affero GPL is an option, but I’m with Mark Radcliffe: I wouldn’t look for it to compete with the GPL any time soon.