One particular statistic jumped out at me from our open source survey, look at the last number here. "9% of developers contribute to open source even though our company's policies prohibit it."
I see this statistic and I think, “Right on, man. Down with the system, down with The Man! Open source for the people. Revolution!” I put on my protest bandana and march the streets carrying signs of solidarity with the Open Source movement. The idea that 9% of developers are essentially saying, “rules be damned, I’m giving back to open source” resonates with a core part of the developer identity. We’re independent minded people, we’re very “self-actuated”, and it’s our job to “Think Different”. Every organization has developers that do first and ask permission later, it’s a part of the culture.
But, think about it, is this good for Open Source? It's a fun statistic, sure, but I’m not so sure it's a reason to celebrate.
They won't even know...
I too have worked for corporations with open source policies that prohibit “giving code back” to projects without approval. Now, I’m not going to say that I’ve sidestepped these prohibitions, everything I’ve done in open source has always been “above board” you don’t need to question my “Contributor License Agreement”, but I have known several contributors who tell me things like:
“Whatever, there’s a policy in place at work against giving this change back to open source, but I’m doing it anyway. They won’t even know.”
...this creates problems for open source. Let’s peer behind the curtain for a bit and discuss how a foundation like Apache or Eclipse is able to release contributed code.
You Sign an Agreement
Apache and Eclipse, two amazing organizations that make the bulk of the OSS software I use every day possible, how do they work? You write some code over at Apache, the code is released under the Apache Software License,, and the copyright is assigned to the Apache Software Foundation. Eclipse has some different rules, a more rigorous legal review, but in the end, both foundations rely on something important. The rely on contributors making accurate statements that they are allowed to contribute code to an open source project.
At Apache this is called a CLA, a “Contributor License Agreement”, and every open source foundation that is going to ship software has this. I had to sign one with Oracle to participate in the Hudson project, I had to sign one years ago when I was committing code to Apache projects, if you want to contribute to Nexus OSS we have a CLA, and everyone who touches an Eclipse project (even tangentially) has to have some agreement in place that clears the foundation to ship open source.
So, let’s say that 10% of the contributors are contributing code to a project even though there is a corporate policy prohibiting it. I hate to think about where this little factoid leads, and I’m not trying to scare people away from OSS, but let’s just say, it’s not a good thing at the end of the day if there’s some question about individual agreements. If you were really worried about this problem and you had appropriate resources, you’d track the Provenance of every open source project you touch.
Developers, Tread Carefully
So, if you do this, be careful. A few high profile missteps by a developer or two could end up having a negative effect on the community. This is truer now more than ever. Just this week we’re seeing an uptick in news about lawsuits over patents and more legal maneuvering on massive legal cases that promise to effect all developers. These disputes all involve companies that have been very, very active in open source development. If someone were to call up all of the contributor licenses agreements from one of these institutions, I’d like to think that most of them were accurate.
On one hand, it’s great people are so passionate about open source that they will contribute under these circumstances. On the other hand, Open Source isn’t made of “passion and intent” it is built atop some pretty novel legal structures. Respect the agreements you sign both with your employers and with open source entities, otherwise I think we’re setting ourselves up for problems down the road.
Conclusion: Not Worried, just Wondering
I’m not writing this piece to spread FUD, OSS is here to stay. I just think we (open source contributors) need to respect the foundations of the movement. If you believe that Open Source is a good thing, then you shoud respect the legal foundations on which it is built. If you work somewhere that has a policy against contribution, don't side step it, try to change it. Try to make the case internally that open source isn't just about consumption, it's a virtuous cycle of consumption and contribution, and you can't have one without the other.
Open source is nothing without the legal structure that makes it possible.
Now, I don’t think this is a reason to stop the presses, but I do think that this is a reason for every organization to take stock of their open source policy. Here are some recommendations:
- If you don’t have an open source policy, make one. Start tracking consumption with Nexus Pro.
- Your policy must cover consumption. What licenses can people integrate into your software? What’s the process for approval of a new component? What is your process for identifying licenses that might violate your policy. Sonatype’s Nexus Pro and Sonatype Insight should be a part of your approach to managing and monitoring consumption.
- Your policy must cover contribution If you are in a position to help define this policy make sure that developers are given enough freedom to contribute back to the open source projects they use. If you have an open source policy that prohibits contribution back to the open source software that sustains your business it’s bad for the community, it’s selfish, and, ultimately, your developers are going to find a way to contribute. Don't just prohibit this because it doesn't generate revenue, your developers getting involved will lead to lower overall support costs for OSS integration.
This statistic, while it did activate some revolutionary zeal for the OSS movement, it also just speaks to the fact that some corporate policies don’t align with how open source works. Adopt a rational policy, starting tracking open source, and use tools like the Repository Health Check in Nexus Pro; otherwise, your developers are probably doing first and asking later.
