Lora Bentley spoke with Mitchell Ashley, CTO and general manager of StillSecure, about the differences between GPL v2 and GPL v3 and why some open source leaders aren't making the switch. StillSecure's Strata Guard Free is based on the Snort open source project.
Bentley: What have those behind the Snort project decided as to which version of the GPL they will use?
Ashley: My understanding is that Sourcefire is considering whether or not they're going to move to GPL v3. They have not announced any plans on their mailing lists other than stating that it's under review. That's a common practice that I think every open source project, whether it's commercially backed or a personal project, will have to do because there are provisions in GPL v3 that change some options around commercialization as well as protection of IP. We'll have to wait and see whether we'll see widespread adoption of version 3.
Bentley: Can you elaborate on the specific provisions that are of concern at this point?
Ashley: In general, GPL v3 has provisions in it that do things like restrict a commercial venture's ability to sue end users. Of course, we hope companies don't do that, but that comes into play, for example, with Microsoft and Novell and some of the assignment of rights that they've done through the patent exchanges, and potentially with other companies that may have similar needs. The threat of being able to sue users gives them some bargaining power, and it's also a right that they may or may not want to give up. There are other provisions around something called "tivoization," which basically is around digital music rights and protection of that on devices like TiVo boxes. Most of the concerns are things that would be important to a business rather than an end user.
Bentley: It appears that some are concerned that Snort is no longer a GPL project. Why?
Ashley: Well, some changes have occurred, and I think part of the issue is with the method by which the changes happened. There was a header change to the Snort files on the day of the GPL v3 release. One of the things that was removed is the ability to license the Snort code under GPL v2 and later versions, and that's obviously because Sourcefire is still considering whether it will use GPL v3 for Snort.
There's some concern about whether Sourcefire has the right to make that kind of change. They certainly do as to their own contributions — which are significant — to the Snort project, but there are others who have also contributed a great amount of code. Were their rights overwritten when that change was made? Yes, Snort is commercially backed, and a substantial amount of the work is done by a commercial company, but not all of it is. There were comments made that a person who submits a three-line code fix shouldn't have as much say as a contributor who offers a significant amount of code. And I'm not sure that that's necessarily true.
I think what we're seeing is that open source is undergoing this evolution from an open and free project to a second phase of being commercially backed, and then a third phase, which we're entering, where the commercial venture wants to make some changes to the licensing around what was originally developed. I think that leads to some confusion and miscommunication and a lot of concern from people that not only use the software, but also develop it.
Bentley: Does the fact that Snort is now locked under GPL v2 affect how it's used with or incorporated into other open source projects — especially those that are licensed under version 3?
Ashley: These are some questions that haven't been answered yet: Can you take a GPL v2-licensed product such as Snort ... Under a normal scenario, you could combine that code with other GPL code. But if the other project is GPL v3 and Snort is GPL v2, are you allowed to do that? So there's potentially some restriction, but no one's quite sure whether those are possibilities or not.
Sourcefire's interest, I believe, is to gain some control over the commercial use of that open source project. It's something that, actually, we've gone through at StillSecure in considering how we license some of our products. ... The GPL is an interesting license. ... There are many things about it that have not been tested — in the courts or between companies. So it's tough for companies that license under the GPL to know for sure how well they're protected. It was written not with companies in mind, but with open and free software development as its goal.
Bentley: What do you think it will take for those questions that are still up in the air to be answered?
Ashley: Well, one company suing another over their interpretations of the license ... and the Free Software Foundation has an enforcement mechanism to take reports of individuals or companies misusing the GPL. Those are two ways that it can be done. I think what I would like to see is organizations like the OSI (Open Source Initiative) and the FSF broadening their thinking about not just free software development and free software for use, but also putting that into an ecosystem that includes commercial use of that free software. There's probably just as much — or maybe more — open source being used inside commercial products as there is in user networks around the world. At least it's certainly a substantial percentage of it. To ignore that is sort of ignoring reality. There's an argument to be made — both from an economic perspective and from the development perspective — that having that commercial role in open source is an important part of the ecosystem...
...OSI has made rumblings that they're going to enforce their definition of "open source," which means [the license under which a project is released is] an OSI "certified" license — one that they've approved. That's fine, but — to begin with, they don't control the definition of "open source." Secondarily, they don't really have an enforcement mechanism other than the court of public opinion.
So rather than taking a more narrow view, I would love to see an organization like the OSI embrace the various commercial uses of open source technology — whether that would be under the current OSI-recognized licenses or other licenses that companies providing source code create. I think there's an inherent conflict in some of the goals stated around the criteria for an OSI-approved license. One of them ... is that the license doesn't restrict any class of individuals. And I think there's an argument to be made that commercial ventures are a class of people. So, if you are using an OSI-approved license such as the GPL, and you are adding your own restrictions, either through interpretation or riders (additional language outside of the license), in effect you are discriminating against a class of users: commercial ventures. It's not an issue that OSI has recognized or talked about yet, but I think that's in conflict with their own goals. The OSI should be strongly supporting commercial use of open source software ... rather than looking to restrict that.