Saturday, February 27, 2010

Licensing is hard; let's go shopping!

While I was working on my recent Arduino project, I happened to end up looking at some of the code that's available. This was.... interesting? Scary? Depressing? I'm not sure exactly how to describe it, but I thought it was worth talking about.

I'm talking about licensing. Here's a header file from an optional, but common, Arduino add-on library. The copyright holder's (i.e. author's) name is elided, because my goal is not to call people out:

/*
  Foo.h - Arduino library for XXXXXXXXXXXXXXXX
  Copyright (c) John Doe.  All right reserved.




  This library is distributed in the hope that it will be useful,
  but WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
*/

With apologies to Inigo Montoya, "You keep using this license. I do not think it does what you think it does."

Obviously this developer's heart was in the right place, and he's properly protected himself by disclaiming warranty; so far so good. The problem, though, is three little words: "all right [sic] reserved".

By the brevity, I presume the author's goal was either to abdicate copyright to the public domain, or license it under a maximally permissive BSD-style license. However, that's not what's happened. This copyright actually isn't even a license at all, it's just a copyright header. This isn't a contract because the reader/user isn't agreeing to anything and there are no conditions. The author has reserved all rights to himself, and granted me none.

The bit about hoping it will be useful is nice I suppose, but since I have not actually been permitted to use it for anything, it's a moot point. Even if there were a grant of license in there somewhere, that clause is merely stating an unverifiable, irrelevant fact, and it is a total no-op as far as copyright and licensing is concerned.

So, okay, having made my point -- does it matter? This is an interesting question. The code itself is fairly simple, even trivial. What's more, the culture of the Arduino project is that a lot of... uh, let's call them "makers" (since many of them aren't professional software engineers) make various kinds of contributions. So the author of this particular piece of code manifestly knows how to write basic C++ but just as manifestly does not understand software licensing. From this I conclude he's more or less an amateur software developer, and that he probably doesn't attach a particularly high intrinsic value to the code he's contributed. And of course, he did contribute it knowing full well it would be publicly visible, after all. All of which is to say, it's almost certain he intended this to be open-source, in some form.

So there's very little practical legal risk of using this code. The likelihood that I would get sued for using this software in my personal little Arduino project is vanishingly small. If that were my only concern, then I wouldn't worry about it and carry on.

Unfortunately, that's definitely not the only concern.

Suppose I contacted the author of this software, with a polite message: "Hey, I don't think this header in this file is doing what you think it is; you might want to consider changing it." Let's assume the author is willing to fix it. In that case... fix it how?

If he fixes it by making it public domain or using a BSD-style license, then this story ends, and we all go about our business. However, most of the rest of the core Arduino software appears to be LGPLv2, so it would be quite reasonable for the author to also choose LGPL for his contributed code. If he were to do that, he actually would screw me.

See, my preferred license is Apache 2.0. I prefer this license because it's basically BSD-style with some anti-patent-burn language. Or to put it another way, it's essentially the maximally-permissive BSD license updated to address the various IP realities of our modern times. Unfortunately the patent clause also happens to make it incompatible with GPLv2, and (I'm pretty sure), LGPLv2. This means that if the author of this code chooses to license it under LGPLv2 -- a very fair and reasonable decision -- it means I either have to alter my own license choice, or else find or write some other software to use.  (Unless of course he chooses LGPLv3, which introduces a whole new set of complexities.)

My point here isn't to start a flame war about open-source licenses, by the way. I'm not saying that I'm right and the other guy's wrong, just that our license preferences conflict (at least in the hypothetical scenario I just described). Backing away from hypotheticals, what I can say concretely is that there's too much ambiguity here for me to be comfortable.

To put it another way, even though I might be comfortable taking the legal risk of getting sued because I feel it's obvious that the author meant his code to be open source, I nonetheless can't be comfortable using the code anyway because I don't know how the author meant it to be open-source. He might very well have meant it to be open-source in a way incompatible with my actual usage, and so in the absence of surety it's ethically wrong (as well as technically legally wrong) for me to use it.  Plus, Google Code Project Hosting has a policy that you may not use it to host non-open-source code, and so I couldn't include that software in my chosen SCM site, anyway. (N.B. - I actually did have it included for a day or two, until I noticed this problem and removed it.)

In this case, I did not attempt to locate and contact the author to clarify because it was easier for me to just write the code out of my app. In other cases it might not be so easy. And by the way, this isn't the only Arduino code that does this: there's a sample Makefile intended to be copied and customized for building projects from the command line. That actually is included in the core Arduino distribution, and it has no copyright heading at all, let alone a license.

Perhaps it sucks that the world we live and code in makes this stuff important. But, like it or not, it is important. I'm not trying to pick on the Arduino project; it's a fabulous project that has done awesome work. But this kind of thing is one reason why my day job is sometimes so hard: license compliance is often not easy, and with a project of the scope of Android, it gets to be damned hard.

So I guess I wrote all this to make a plea: please please developers, if you release source code, think carefully about what you are releasing, and make sure you choose your license carefully so that it reflects not only your principles, but also how you hope and expect it to be actually used by others. But most of all, PLEASE take the time to get the details right.

2 comments:

jonoxer said...

If you're not on the Arduino developer mailing list it may be worth checking out the archives. There's been significant discussion over the last couple of weeks about lack of license declarations in example code and libraries, and Tom Igoe has been doing his best to fix it up and add declarations with the intention of placing the example code into the public domain to make it as widely usable as possible.

Dan Morrill said...

Very interesting! Thanks. I will check that out.