Freedom and Choice in Open Source Licensing: Comparing the EUPL v1.1 and the GPL v3

The European Union Public License (EUPL) version 1.1 was released and approved by the Open Source Initiative (OSI) on January 9, 2009. A major milestone in the evolution of open source licensing, the EUPL contains some important distinctions that set it apart from other popular open source licenses: it’s written with native language support for all EU member countries, it’s compatible by design with a number of OSI-approved licenses and — also by design — incompatible with the GNU General Public License version 3.0 (GPL v3). Could this possibly be a message to the Free Software Foundation (FSF) and the open source community that there really is a vital, innovative world outside the borders of the United States?

While members of the open source community often bristle at the mention of yet another license, many people have welcomed this one. The EUPL is unique in its encouragement of interoperability, freedom, and lack of license lock-in upon redistribution. By making specific distinctions, it represents a divergence from the typical freedoms afforded by whatever the latest iteration of the GPL may be.

As noted in the Wikipedia entry for the EUPL, the EU had some specific goals in mind when drafting this license:

“With license proliferation a growing problem, the European Union justifies its license as the first open source license to be released by an international governing body. The European Union also wishes to dispel legal uncertainties, real or perceived, in respect of other open-source licenses, such as the GNU General Public License, by creating a software license which takes due account of European Union Law. A third goal of this license is to create an open-source license available into 22 official languages of the European Union, and is sure to conform to the existing copyright laws of each of the 27 Member States of the European Union. Lastly, to dispel fears of license proliferation, the license was developed with other open-source licenses in mind and specifically authorizes covered works to be re-released under the following licenses: GNU General Public License (GPL) v. 2; Open Software License (OSL) v. 2.1, v. 3.0; Common Public License v. 1.0; Eclipse Public License v. 1.0; CeCILL v. 2.0.”

At the same time, the EUPL tries to take a more international view on the enforceability of an agreement that requires oversight in many jurisdictions. Licenses originating in the United States are derivatives of US copyright law, so as far as they’re concerned international considerations are non-existent. While translations of existing FSF licenses are informative and referential, the US English employed is the only contract language.

 

WHY SHOULD YOU CARE?

Both the EUPL and the GPL v3 are copyleft licenses, so some of you may be wondering whether there are any significant differences between them. Choosing the correct license could be as simple as using the GPL v3 if the software originated in the US, and the EUPL v1.1 if the software is from Europe. Who really cares?

We do, and here’s why: the EUPL v1.1 is conspicuously missing something that could be fairly significant depending upon which side of the Atlantic you happen to live and work. The GPL v3 is not included in the EUPL’s list of “compatible licenses” under which subsequent works can be re-released — a provision included in the EUPL in order to help fight license proliferation. We agree that license proliferation is a growing problem with open source licenses, but why did the EU specifically exclude the GPL v3 from the list?

One explanation for the EUPL’s purposeful incompatibility with the GPL v3 might involve freedom, and what it means to open source licenses. As copyleft licenses, the aim of both the EUPL v1.1 and the GPL v3 is to free the code from proprietary copyright laws. However, the freedoms provided by the GPL v3 may be limited to the US, and so may not be “free” enough for the global community. For example, is it truly freedom if you’re protected from intellectual property claims, but then forced to use a specific license — one not of your own choosing — to distribute your original work? This may be one of the problems that the EU has with the GPL v3. Once a work is created under the GPL v3, all subsequent works will be licensed under it as well. In contrast, works licensed under the EUPL v1.1 can be re-licensed under any of the different licenses on their compatibility list. Perhaps the EU does not want software created under the EUPL v1.1 to be trapped within the confines of the GPL v3 later.

Here’s something else to consider. The GPL was originally derived from US copyright law, which creates a license bias toward issues unique to the United States. It may very well be that the FSF created their license to be specific to the US software community, but that distances it from the global community. There’s a large world of software developers and users outside of the US, and their concerns are different from those of US-based developers and users. It makes sense that they want a license that addresses those differences. Many OSI-approved licenses (including but not limited to the GPL v3) do not address a global audience, and it’s a fair assumption that current efforts like the EUPL are just a hint of what is to come in global or regional licensing outside the US.

By excluding the GPL v3 from compatibility with the EUPL, the European Commission is indirectly pushing out the FSF as a presence in open source licenses in Europe. The GPL v3 is the FSF’s license for the 21st century, and it is now incompatible with what may very well become the predominant license in the EU. As the first license to be released by an international governing body, the EUPL has the potential to become widespread not only in Europe but worldwide. The 22 different languages in which the EUPL v1.1 is released also increase the likelihood that usage will spread quite quickly. Given these circumstances, we think it’s pretty significant that the GPL v3 cannot be merged with any code under the EUPL v1.1.

 

THE PLAYERS

EUPL v1.1 and the European Union

The European Union Public License (EUPL) v1.1 was released on January 9, 2009. This license was created by the European Commission, the executive branch of the European Union, and is available in all 22 languages of the EU. The European Union, for those who do not know already, is a union of 27 European countries (called Member States) that was established on November 1, 1993. These Member States joined together for various economic and political reasons. Primarily, the partnership allows for easier commerce and trade among the different countries. The creation of the EUPL is another step in unifying and standardizing the products — in this case software products — that are used within the European Union.

By creating a license in multiple languages, with equal validity for all linguistic versions, the EU has created a framework within which future open source projects in the European Union can work. It’s also worth noting that the EUPL is the first license to be released by an international governing body. The original version (EUPL v1.0) was created on January 9, 2007 and its provisions still account for most of the license. Only seven modifications were made to the original license, and these were included primarily for purposes of clarification. The main revisions in the 2009 version of the EUPL allow for other linguistic versions of the license to be created by the European Union, giving it worldwide distribution potential.

GPL v3 and the Free Software Foundation

The GNU General Public License (GPL) v3 was released on June 29, 2007. It was created by the Free Software Foundation (FSF), which is headed by Richard Stallman. The FSF, which was founded on October 4, 1985, is a US-based, non-profit corporation that promotes the free software movement — an ideology that combats US copyright law to allow for modification and redistribution of software code without restriction. According to Richard Stallman: “The free software movement is not merely personal. It is a political movement like the environmental movement, the civil rights movement, etc.”

The original GPL license was released in January of 1989 and we’ve seen two subsequent versions since then. The GPL v3 is considerably different from the GPL v2 (which makes sense, since the GPL has been around much longer than the EUPL). In each version, the FSF attempts to maintain their values while adapting to the current technological situation. The main revisions and concerns in the GPL v3 involve modern topics such as time-shifting restrictions, Digital Millennium Copyright Act (DMCA) specifics, and “tivoization”.

 

____________________________________________________________

Attribution

Copyright Airius Internet Solutions, LLC 2009, reprinted with permission from OpenLogic Corporation.

__________________________________________________________

Licensing

http://creativecommons.org/licenses/by/3.0/

http://olex.openlogic.com/wazi/attributions-licensing/

 

REFERENCES AND CREDITS

Licenses
EUPL 1.1 — http://ec.europa.eu/idabc/eupl
GPL v3 — http://www.gnu.org/licenses/gpl-3.0.html

Software patents
http://gpl3.blogspot.com/2008/08/gpl-project-watch-list-for-week-of-0822.html

US Copyright
http://gpl3.blogspot.com/2008/06/gpl-project-watch-list-for-week-of-0613.html

Jacobsen: Copyright Case
http://gpl3.blogspot.com/2008/10/gpl-project-watch-list-for-week-of-1010.html
http://gpl3.blogspot.com/2008/01/gpl-project-watch-list-for-week-of-0125.html

The Research Group
The Research Group collects and manages data regarding software policy management, open source licenses, and global software vulnerability management issues. Data and references for this article were researched by Ernest Park and Antony Tran. The Research Group actively takes submissions regarding stories, FOSS issues, and project announcements, and we are grateful to the hundreds of core contributors who have devoted their time and resources to helping us provide up-to-date information. The Research Group has hosted over 80 interns in the last year from the leading schools in the United States. To submit stories and announcements, receive more information on products, or inquire about internships, please write to rdgroup@airius.com.

 

What Does Oracle’s Buyout of Sun Mean to Open Source?

Oracle's Buying Sun: What This Means to Open Source

 

Sun has been responsible for the single largest corporate investment in open source software to date.

Sun's actively funded and well supported OSS projects are at the core of the community.

http://www.sun.com/software/opensource/learnmore.jsp

A short list, seriously:

The players
Sun Microsystems
Sun has been an advocate and champion of open innovation driving networked computing. Their recent direction seems to clarify who they are . . .

 

 

Let's not forget . . .

 

Oracle

The business of Oracle is built around proprietary software licensing. It is a company not known for its sponsorship of the open source community. Oracle is more focused on very tactical investments in open source. http://oss.oracle.com/

http://en.wikipedia.org/wiki/Oracle_Corporation

 

The details

There has been a lot of commotion around Oracle's recent bid on Sun Microsystems. Oracle is in the process of purchasing Sun for $7.4 billion, which includes Sun's $1.8 billion in debt. With this acquisition Oracle will be purchasing Java, Solaris, a bunch of hardware and virtualization tools, which will all synergize with Oracle's current state to provide a projected increase of $1.5 billion in revenue in the first year and over $2 billion in the second year.

But let’s put business aside for a second. Proprietary software and increased revenues aside, what will happen to all of the open source components of Sun, especially MySQL, which is a competitor to the Oracle database?

Please read the rest at WAZI . . .


 

Attribution

http://creativecommons.org/licenses/by/3.0/

http://olex.openlogic.com/wazi/attributions-licensing/

 

About Airius

Airius is a specialized research consultancy, focusing on solutions, strategy and analytics around the use of open source software for business and government. Contact Airius at info@airius.com.

 


 

Open Source Insecurity

Jay Lyman of The 451 Group posted this note specific to the security of open source software.

Content that I contributed to the post . . .

1. There is a direct correlation between reported vulnerabilities and usage. The most used applications have the most consistent and accurate issue reporting, as can be seen in the information reported to the NVD. This is a two-part situation. Applications in more “common” use will receive more routine attention. Some applications are on the review list of internal and external testers. The more on the radar an application is, the more likely it is to have regular issues reported. A distinction with reporting is that popular applications more often have commercial funding, and pay people to test for and find issues. The distinction, clarified, is that a large user base and popularity lead to something important: corroborating reports of the same issue. If an internal engineer reports an issue, it is valuable, even on a FOSS project. Popularity means that reports may also come from external sources. Those reports can be correlated against the internal ones, thereby providing an objective review of what is going on.

2. Patches are released more consistently by well-financed operations. Financial support leads to a more consistent patch release schedule. Good engineers get paid to do what they do. Engineers working on Linux have not had to do so for free, yet Linux is held up as an example of how to do it right. In practice, Linux has among the most vulnerabilities reported against any OS, and when combined with issues against distributions, Linux has the most issues reported against it. The important thing is, when issues are reported, a well-funded FOSS project can put engineers against the suspected defect, test, document, and resolve. If a patch is required, a well-funded operation delivers the patches faster and more consistently.


3. Vulnerabilities are sometimes an inverse measure to security. Risk has an indirect correlation to issues reported. The problem is that the issues are a communications mechanism. If we point to reported vulnerabilities as a problem, companies will be secretive and report misleading information. The process that we want is to have lots of issues reported, and lots of very timely responses. The “risk” is only the component of time from when an issue is reported to the time when a maintainer or vendor responds or posts a patch. The risk is that time during which there is no clear path to safety. Therefore, the biggest risk in software security is using an application which has NO reported issues. This means that nobody is looking, or looking hard enough, or you are using an application with such a small user population that nobody will see anything or report it. This risk increases as the complexity of the application increases. I would not be surprised if an icon editor had no issues reported for two years, but would highly suspect the information if a major database had no issues for a time period. Remember, reported issues are just information. Having no response, that represents a risk.
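The measure described in point 3, as an added example that is not part of the original post: it computes the report-to-patch window per project and treats a project with no reports as "unknown" rather than safe. The project names, dates, status labels and ranking order are constructed assumptions for illustration, not real advisory data.

```python
from datetime import date
from statistics import median

# Constructed sample records (project, reported, patched or None); not real advisories.
ADVISORIES = [
    ("big-db", date(2009, 1, 5), date(2009, 1, 12)),
    ("big-db", date(2009, 2, 1), date(2009, 2, 4)),
    ("big-db", date(2009, 3, 10), date(2009, 3, 20)),
    ("small-lib", date(2009, 1, 20), None),
    ("small-lib", date(2008, 11, 2), date(2009, 2, 10)),
]
# Everything deployed, including a project nobody has reported against.
INVENTORY = ["big-db", "small-lib", "quiet-app"]

def exposure_report(advisories, inventory, today):
    """Per project: report count, open count, median days from report to patch."""
    by_project = {name: [] for name in inventory}
    for project, reported, patched in advisories:
        by_project.setdefault(project, []).append((reported, patched))
    report = {}
    for project, items in by_project.items():
        # An unpatched issue is still exposed, so its window runs up to today.
        windows = [((patched or today) - reported).days for reported, patched in items]
        open_count = sum(1 for _, patched in items if patched is None)
        if not items:
            status = "unknown"      # no reports: nobody is looking, not proof of safety
        elif open_count:
            status = "exposed"      # at least one report without a response yet
        else:
            status = "responsive"   # every report has been answered with a patch
        report[project] = {
            "reports": len(items),
            "open": open_count,
            "median_days": median(windows) if windows else None,
            "status": status,
        }
    return report

def rank_by_risk(report):
    """Unknown first, then exposed, then responsive; longer windows rank higher."""
    order = {"unknown": 0, "exposed": 1, "responsive": 2}
    return sorted(report, key=lambda p: (order[report[p]["status"]],
                                         -(report[p]["median_days"] or 0)))

if __name__ == "__main__":
    rep = exposure_report(ADVISORIES, INVENTORY, date(2009, 4, 1))
    for name in rank_by_risk(rep):
        print(name, rep[name])
```
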

 

 

http://blogs.the451group.com/opensource/2009/02/10/open-source-security-debated/

http://gpl3.blogspot.com

 

 

 

This work is licensed under Creative Common By SA 3.0