Do we need to protect open source from the cloud?

I'm out at JavaOne in San Francisco this week and one discussion I've heard popping up with some regularity is, "Do we need to do something to protect open source in a cloud computing world?" I've written about aspects of this topic at length previously. However, given that this is an area that is buzzing up a bit, I thought it would be useful to boil down the key issues and give my personal take.

The nub
Copyleft licenses, such as the GPL used for the Linux kernel and the majority of other open-source projects, require that the source code for enhancements and other modifications to GPLd code be made available to the commons if the modified software is distributed. Distribution is the key here. If the modified code is only used within a company, that's not distribution. Germane to our purposes here, neither is access to services provided by that code over a network. In other words, offer access to a CRM or content management system built from a GPL foundation solely in the form of a hosted service and there you can make any proprietary changes or extensions you like and there's no requirement that you make the source code for those available.

A loophole?
Some view this as a simple loophole to be plugged. The GPL was originally written very much within the context of Unix programmatic and operating system interfaces. Therefore, the reasoning goes, the only reason the GPL didn't encompass access via Web services is that there were no Web services--at least in anything like their current form--when the GPL was created. That the new GPLv3 specifically doesn't address this "loophole" either was more a matter of practicality than principle by this view.

And, in fact, one approach to eliminating this loophole is a straightforward enough approach. The Affero GPL is a straightforward extension to the GPLv3 license that essentially expands the definition of distribution to encompass the delivery of services over the network.

Questionable assumptions
My take is that the "cloud computing as loophole" school of thought rests on some questionable assumptions.

The big implicit assumption is that without adequate license protections, corporations will strip mine open source and the entire communal development process will just wither away over time. A favorite proof point in favor of this argument is how Linux (which uses the copyleft GPL license) largely triumphed over BSD Unix (which predates Linux and was more capable early on, but which uses a far more permissive license that doesn't place any restrictions on proprietary extensions or use).

However, BSD has a lot of problems as an exemplar. Early BSD development was mired in all manner of fractious argument between distributions (before they were called that) and, certainly not least, a prolonged legal battle with AT&T, which owned the Unix copyrights at the time. It is, therefore, an open historical question whether the GPL was the magic ingredient that led Linux to success or whether all manner of legal, community, and timing matters weren't ultimately much more important. And, in support of the contrary view, I'd note that Linux aside, some of the most important open-source projects--such as Apache--do use BSD or BSD-like licenses.

Even more fundamentally, I see more than a little contradiction when some of the strongest open-source advocates argue that open source needs licenses that protect it thoroughly. After all, if open source truly is a superior model for development and adoption, aren't companies that go down the proprietary path only hurting themselves?

Practical problems
Finally, I see extending the concept of distribution to cover Web services as problematic from a practical perspective. Distribution in the GPLv2 and GPLv3 licenses draws (mostly) a hard-edged line. If you're an enterprise using software internally, anything goes. If you're using GPL code in software you're selling to the public--whether downloaded, on a CD, or in embedded firmware--you must make the relevant sources available. However, as more and more companies of every stripe make parts of their computing infrastructure available to their customers--think online banking, for example--where does it end? The boundaries become very fuzzy--which would inject lots of uncertainty into just about any use of open source in an enterprise environment.

Ultimately, as folks such as Tim O'Reilly and Simon Phipps have discussed, there are many other issues of "freedom" in a cloud computing world. Matters of data portability and privacy for example.

For my part, I'd argue that open source has demonstrated that it can stand on its own without heroic measures to prop it up. Sure, continue to evangelize the benefits of open source and maybe even take a stick to any gross violators. But the more interesting, and important, questions lie elsewhere.

[Tony McCune]

I think it's a mistake to assume SaaS providers won't be regular contributors to OS projects. We have a video training service (http://www.digitalchalk.com) and we are extensively using OS. Our development team looks at ways to contribute back to the community in a way that will foster development in the direction we hope the application will go.