When I wrote about Sun's announcement about Open Solaris, I said that I wouldn't explain one issue I saw with the new license, the CDDL, because the Contributors' Agreement wasn't complete, and until I saw it I wouldn't know if an issue I had with the license was resolved or not.
I have just learned that Sun will not have the Contributors' Agreement finished for weeks, perhaps months. I thought we'd have the document in a matter of days. Because none of us can know our future for sure, and we never know when we'll be hit by a truck or a tsunami or something, I feel I need to explain the hole to you now, so you can sensibly decide if you wish to accept the terms of the license or if you prefer to wait until Sun makes whatever adjustments it decides to make in order to address the issue.
This isn't, I stress, an attack on Sun. I believe they will do something to address this concern. It's just information I feel responsible to explain to you. I have to date found them to be responsive to community concerns, and I see no reason to doubt that this issue will be solved in some way, too. But you do need to know about it, so you can track it and make sure.
The license for Open Solaris has a problem, I believe. Or more accurately, it has a potential problem that is unique to Sun and which stems from its recent agreement with Microsoft. Specifically, marbux spotted a way that it would be possible for developers co-developing Open Solaris to someday find themselves blocked from distributing code by a Microsoft patent infringement claim, while leaving Sun, because of their cross-licensing deal with Microsoft, free to continue to distribute the contributed code.
Dan Ravicher has spotted some other issues, too, which he raises in an open letter to Scott McNealy now on PubPat.org's website.
Here are the four questions Dan has about the patent grant:
1. Is Sun's patent grant limited to only software licensed under Sun's newly released Common Development and Distribution License (the “CDDL”)?
2. Is Sun's patent grant also limited to only software distributed directly by Sun?
3. Has Sun retained the right to make patent infringement claims against anyone modifying software licensed by Sun under the CDDL?
4. Did Sun use or attempt to use its agreements with Microsoft in an effort to protect free and open source software from Microsoft's patents? If not, why not?
So those are his issues. If, for example, you decide you wish to fork the code without signing the Contributors' Agreement, and you can do that, does the patent protection apply to you? Does it cover modifications?
Groklaw's marbux noticed another issue that we brought to Sun's attention and that I now want to bring to yours.
The CDDL was taken from the Mozilla 1.1 license, as you know. There is a clause in the Mozilla 1.1 license that was dropped from the CDDL. Noticing that is what got marbux thinking. You can see both licenses side by side on Groklaw's comparative chart.
I would like to take you through all the steps, one by one, so you can evaluate the risk for yourselves. First, you will note that both 2.1, the Initial Developer Grant, and 2.2, the Contributor Grant, of the CDDL grant you rights "Conditioned upon Your compliance with Section 3.1 below and subject to third party intellectual property claims. . . "
Next, let's take a look at Sun's explanation for why it dropped the clause:
3.2. Modifications: This section is based on Sections 3.1 and 3.4(c) of the MPL. The required notices in the MPL regarding third party claims and patents (formerly in MPL Section 3.4(a) and 3.4(b)) have been eliminated; they seemed overly burdensome and likely to prevent wider acceptance of the license by the community. Additionally, none of the other major open source licenses (e.g., GPL, BSD, CPL, OSL) require such disclosures.
Of course, the FSF isn't in a patent licensing agreement with Microsoft, so it doesn't need such a clause, but I think Sun does. Here is the clause from the Mozilla license that Sun has dropped in its entirety. You can get the redline diffs [PDF] that Sun has prepared, if that will help you to visualize what I'm talking about. The Mozilla clause that is missing in the CDDL reads like this:
3.4. Intellectual Property Matters (a) Third Party Claims. If Contributor has knowledge that a license under a third party's intellectual property rights is required to exercise the rights granted by such Contributor under Sections 2.1 or 2.2, Contributor must include a text file with the Source Code distribution titled "LEGAL" which describes the claim and the party making the claim in sufficient detail that a recipient will know whom to contact. If Contributor obtains such knowledge after the Modification is made available as described in Section 3.2, Contributor shall promptly modify the LEGAL file in all copies Contributor makes available thereafter and shall take other steps (such as notifying appropriate mailing lists or newsgroups) reasonably calculated to inform those who received the Covered Code that new knowledge has been obtained. (b) Contributor APIs. If Contributor's Modifications include an application programming interface and Contributor has knowledge of patent licenses which are reasonably necessary to implement that API, Contributor must also include this information in the LEGAL file. (c) Representations. Contributor represents that, except as disclosed pursuant to Section 3.4(a) above, Contributor believes that Contributor's Modifications are Contributor's original creation(s) and/or Contributor has sufficient rights to grant the rights conveyed by this License.
That raised the question in marbux's mind, namely, what about if Sun knew about some Microsoft patents but didn't tell the contributors? Sun's FAQ says this about patents:
The CDDL provides an explicit patent license for code released under the license, as well as provisions to discourage patent litigation against open source developers.
There is protection from Sun. I take Sun's patent grant as the company saying that they intend to do right as far as their own patents are concerned. But what about Microsoft? What if Sun knew about some patents Microsoft had and might someday use and yet Sun is not obliged under the license to disclose them?
It is, in the end, a matter of trust. I never, personally, enter into any contractual relationship on that basis. I want it all spelled out, including the worst-case scenario. I want to know what happens if we end up hating each other after we've entered the contract and have it all specified in the wording of the document before I sign. What can I do about it if you turn out to be a snake? Even if Sun didn't declare all conceivable IP issues under the sun, if they at least declared any potential patent issues they know about involving Microsoft, I'd feel a lot better about this license. Otherwise, what do you see in the license that would prevent the scenario marbux posits as conceivable?
Even if we assume that Sun will address the issue in the Contributors' Agreement, that doesn't solve the problem we see completely. That is because some may wish to fork the code without entering into the Contributors' Agreement. Then what? If the Contributors' Agreement solves the issue in some way, would they not be particularly vulnerable, because the license doesn't protect them from the hole in the license, and they haven't entered into the Contributors' Agreement? That is the problem we see that I am counting on Sun to solve.
I've asked marbux, who first noticed the license issue, to explain to you how all the above pieces weave together. You can then make up your own minds on what you want to do, based on what Sun does.
The Issues With the CDDL, by marbux
The CDDL is a rewrite of the Mozilla Public License ("MPL") v. 1.1. My concern centered on Sun's recent cross-licensing arrangement with Microsoft and Sun's reasons for removing MPL 1.1 sections 3.4(a) and (b), which require prominent notification when a contributing developer is aware that any third party has intellectual property rights in submitted code. I advocated the position that Sun should strengthen those provisions, rather than removing them, making clear that Sun itself as well as contributing developers are unaware of any potential relevant IP claims by third parties. I proposed the following language:
If either Initial Developer or Contributor has knowledge that rights granted under Sections 2.1 or 2.2 of this license are potentially subject to a claim of intellectual property rights by any third party, they are required to include a text file with the Source Code distribution titled "LEGAL.TXT" which describes each such claim and the party or parties making such claims in sufficient detail that a recipient will know which portions of the Source Code are involved and whom to contact. If Initial Developer or Contributor obtains such knowledge after the Source Code is made available to any second or third party, they shall promptly modify the LEGAL.TXT file in all copies Initial Developer and Contributor make available thereafter and shall take other steps (such as notifying appropriate mailing lists or newsgroups) reasonably calculated to inform those who received the Covered Software that new knowledge has been obtained.
Sun first rejected the proposed language, arguing that if such notifications were not needed in the General Public License for Linux, they should not be necessary in the CDDL, and that it would be suicide to Sun's hopes to develop an open source community if it withheld knowledge of blocking IP rights in software projects where it was the initial developer.
The short answer why it is needed in the CDDL and not the GPL is that Linus Torvalds has not just entered into a cross-licensing arrangement with Microsoft, the relevant details of which are not public. Moreover, the longer answer is that it is clear that the Sun-Microsoft cross-licensing arrangement affects Solaris, the software to be licensed under the CDDL:
Q: Do you believe Microsoft's behavior has changed? And there is a corollary: Do you think as part of this Java Desktop, Windows and Office and StarOffice will interoperate?
[Sun CEO Scott] McNealy: They do interoperate. And this just provides an opportunity and a framework to provide server-to-client, server-to-server, Solaris and Windows and Microsoft and Sun clients talk to those servers, to provide a higher level of interoperability and compatibility going forward while respecting each others IP (Intellectual Property). ... Think these two companies have uniquely advantaged each other from an interoperability perspective with the Solaris and Windows servers stacks.
It is also clear that Microsoft has patented the Windows interoperability code and intends to patent even more of it, according to the recent Court of First Instance decision in the European Union:
122 ... In its application for interim measures, Microsoft states that certain of the [interoperability] communications protocols that the Commission requires it to provide are covered by patents or patent applications and that it intends to file, before June 2005, a large number of patent applications covering various aspects of the Windows Client PC and server operating systems covering the [interoperability] communications protocols referred to in the Decision.
* * * * *
142. The [Microsoft] settlement concluded with Sun Microsystems – the only complainant before the Commission – in April 2004 comprises a series of reciprocal agreements whereby the parties agreed to collaborate in product development and to conclude cross-licences, including licences covering the types of [interoperability] communications protocols concerned by the Decision. Microsoft emphasises that the cross-licences make provision for consideration in the form of access to Sun Microsystems’ intellectual property and provide Sun Microsystems with an incentive to respect Microsoft’s intellectual property in its licensed technology.
See also Steve Ballmer April 2, 2004 statement, (stressing the importance of intellectual property cross-licensing in the April 2, 2004 settlement with Sun, saying "some of it [the settlement] is forward-looking, us to Sun and Sun to us, in terms of the licensing of key intellectual property that relates to making these things plug together and interoperate well over the network"); December 1, 2004 Microsoft progress report (stating that the two companies had made significant strides in their joint effort to allow "use of Windows on Sun," listing several significant milestones already achieved in operating system interoperability).
There is also an appearance that Sun will be paying royalties to Microsoft involving Solaris code:
The agreements involve payments of US $700 million to Sun by Microsoft to resolve pending antitrust issues and $900 million to resolve patent issues. In addition, Sun and Microsoft have agreed to pay royalties for use of each other's technology, with Microsoft making an up-front payment of $350 million and Sun making payments when this technology is incorporated into its server products.
Thus, there are strong grounds for concern that Solaris contains Windows interoperability code licensed from Microsoft, raising the possibility that Microsoft may at some point exercise its intellectual property rights to block further implementation of Open Solaris.