Add OSI license requriements

[massonpj]

Open source licenses are only licenses that comply with the Open Source Definition — in brief, they allow software to be freely used, modified, and shared. To be approved by the OSI, a license must go through the Open Source Initiative's license review process and as such is the industry and globally recognized standard for identifying open source software.

[ErieMeyer]

One thing to think through is how that would work with the fact that works done by government employees/owned are by default in the public domain.

[massonpj]

@ErieMeyer The Open Source Initiative (full disclosure I am the GM and a Board Director) recognizes the issues related to "public domain" as a technical term in copyright law that refers to works not under copyright — either because they were never in copyright to begin with (for example, as you mention the works were authored by U.S. government employees, on government time and as part of their job, are automatically in the public domain), or because their copyright term has finally lapsed and they have "fallen into" the public domain.

To be subject to a license (open source or otherwise), a work must still be in copyright. Therefore because works in the public domain are not under copyright they cannot be licensed at all and thus should not be referred to as open source [licensed] software: there is no license.

Because the documents in the playbook ("plays") refer to open source licensed work, they exclude discussions of pubic domain--again works in the public domain carry no license. If the Playbook wishes to also include works in the public domain for consideration in government sponsored contracts, development, projects, etc. that should be stated explicitly, e.g. play 05.md could state:

In cases where we use third parties to help build a service, a well-defined contract
can facilitate good development practices like conducting a research and prototyping phase,
refining product requirements as the service is built, evaluating software in the public domain
and/or distributed with an OSI Approved Open Source License...

I believe the solution to your very valid point, would be to highlight both options are acceptable and desirable. But both options need to be defined, what is public domain and what is open source. Interestingly, many people believe assigning no license (e.g. posting work on Github publicly) makes it either open source or puts it in the public domain. As you probably know, neither is true and actually results in the most restrictive status of "all rights reserved" by the author meaning the work cannot be used without permission of the owner. I am sure the folks here don't want that.

[vdavez]

Hi @massonpj. A few quick reactions to this:

1. From my vantage point, I see substantial downside to the US Government delegating the responsibility for defining what is open source to a third-party, non-profit organization, even a really good one such as OSI. Even if it were advisable for individual contracts, it is probably not ideal to be so prescriptive in a document like the TechFAR.
2. With respect to calling out public domain separately from open source.... Assuming for a moment that open source were exclusively defined by OSI, the OSI definition of open source could allow public-domain works. Which of the 10 requirements are not satisfied? I am aware of the backstory with OSI and CC0. But AFAIK, no one has conclusively resolved whether public domain/CC0 meets the definition or not; there's simply a lack of consensus.
3. On the specific-merits of your PR, if I understand it correctly, OSI approval is not a pre-requisite to satisfying the requirements of the OSI definition. The OSI approval process is a best practice and enforces community norms, but is not a per se requirement. As such, if anything, the PR should say solutions which satisfy the definition of [Open Source](http://opensource.org/definition).

[konklone]

The law in the US is that government works are public domain, and the spirit of that law, to me, very much includes work the government orders to be created on their behalf. This is why our team at 18F has an open source policy to always mark our work as public domain in the US and dedicate our work abroad as CC0, and insists on the same from any contractors we work with. When 18F released its Agile Delivery Services RFQ yesterday, it includes the clause "It is GSA’s intent that any data or deliverable created as a result of a task order under this BPA be committed to the public domain."

From the Open Source Initiative's FAQ on the public domain (emphasis mine):

There are certain circumstances, such as with U.S. government works as described above, where it is not easy to apply a license, and the software must be released into the public domain. In these cases, while it would be inaccurate to display the OSI logo or say that the license is OSI-approved (since there is no license), nevertheless we think it is accurate to say that such software is effectively open source, or open source for most practical purposes, even though it is not officially released under an open source license. (This is assuming, of course, that in the laws of releasing jurisdiction the meaning of "public domain" is compatible with the Open Source Definition.) After all, the freedoms guaranteed by open source licenses are still present, and it is possible for the familiar dynamics of open source collaboration to arise around the software.

I love the Open Source Initiative's work and role in the world, and the answer above is one I agree with fully.

I don't love writing the Open Source Initiative's name into the Playbook, especially when it would discourage contractors and their procuring agencies from releasing their work into the public domain.

[nacin]

I wholeheartedly agree with @konklone on this one.

[massonpj]

Thanks all for the comments/feedback. I'll try and respond specifically to each point.

1. "delegating the responsibility for defining what is open source" (although this is qualified with "third-party, non-profit organization," I am assuming this concern is specific to a non-Whitehouse, U.S. Gov. (other) organization defining what is open source.

First, the U.S. Digital Services Playbook includes language that recommends "open source" however there is no definition or criteria for "open source."

• "In cases where we use third parties to help build a service, a well-defined contract can facilitate good development practices like...evaluating open source alternatives"
• "Contract ensures open source solutions are evaluated when technology choices are made..."
• "In particular, digital services teams should consider using open source..."
• "Consider open source software solutions at every layer of the stack."
• If the codebase has not been released under an open source license, explain why.

As the playbook is currently written, it appears to me any organization can label their software "open source software" and qualify for consideration. Will the authors of the Playbook, CIO.gov, and/or some other group undertake the work to determine if software considered per the recommendations of the Playbook is "open source?" What will the evaluators use to determine if any software and or license is "open source"? How will various interpretations of "open source" (and the associated requirements/affordances) be communicated and managed to all parties (those within the government and those who wish to engage with the government)?

The Open Source Definition was written and is used by the OSI and the open source community when reviewing licenses to ensure that software freedom, what most people expect when evoking the term "open source," is guaranteed: use, study, modify, re/distribute. The Open Source Definition and the OSI Review Process are internationally recognized as standards that addresses the above questions and provides continuity across the industry. They are recognized by industry leaders (e.g. Adobe, Apple, Craigslist, Github, Google, HP, IBM, Microsoft, Oracle, Twitter), some of the world's most successful open source software projects and advocates (Apache, Creative Commons, Debian, Drupal, FreeBSD, Eclipse, LibreOffice, Linux, Mozilla, Wordpress, Wikimedia to name only a few) as well as the public sector (Univ. of California, Univ. of Illinois, NASA, State of California, State of Massachusetts, State of New York, U.S. Dept. of Defense, U.S. Dept. of Labor, and many others).

I would point to three examples where software is labeled "open source" but, as licensed would cause significant conflicts with not only what I would assume are the expectations of those using the Playbook, but potentially with government use in any form.

1. Qabel -According to the website and marketing material, "Qabel is a free, open-source, decentralized, expandable platform" for encryption and is distributed under the "Qabel Public License Version 0.1." Unfortunately, according to this license, the software may not be used for commercial purposes or by "military, intelligence or related purposes, including but not limited to intelligence and military research." These, in addition to other provisions in the license would clearly violate the OSD and thus not be approved by the OSI.
2. OSET - According to the OSET Foundation web page, "About Open Source Elections Technology," OSET "is all about making elections and voting systems open source..." Adding, "The result is emerging as a framework of open source elections technology freely available for any jurisdiction to adopt, adapt, and deploy for public elections" and is distributed under the "OSET Public License." The OSI hasn't reviewed the Open Public License, so can't give a formal opinion without running it through the process. But, we did note that the
   license includes a requirement to notify the initial developer of every change. This type of requirement is generally regarded as failing to meet the Free Distribution criteria of the Open Source Definition. So, if the OSI did review the Open Public License, the likely outcome is that we'd rule it as not open source.
3. SailfishOS - Perhaps the most egregious example (in my personal opinion), Jolla promoted SailfishOS as: "Proudly open source;" "...the Jolla Tablet...runs on Jolla’s own independent and intuitive open source based mobile operating system Sailfish OS;" "Your tablet is powered by open source software called Sailfish;" "Jolla Tablet’s Sailfish operating system will be unlike anything you’ve tried before...Independent and powered by open source, change whatever you like, whenever you like;" "Together with the open source community, we’re continuing to strengthen our privacy capabilities at every opportunity;" "Jolla’s core value is freedom of choice for our community. That’s why we’ve picked Intel’s innovation platform, backed by open source, to power the Jolla Tablet;" "All of our customers can have their say on the direction of our products through Jolla and other open source communities that we work closely with;" Welcome onboard the Jolla Tablet journey! For $10 you’ll... get to support the greatest open source project ever...!," and; "That’s why Sailfish OS is totally independent and has been built the way it has – and why we’re continuing to strengthen it at every opportunity together with the open source community." Unfortunately, Sailfish is not open source and in fact is not distributed with any license (making it "All rights reserved." In addition, Jolla's SailfishOS EULA includes several restrictions that clearly debunk any claims of the software being open source.

The reason each of these examples should be of concern to the U.S. Government and those using the Playbook is that without an internationally recognized standard accepted throughout the sector, conflicts will occur: some based on ignorance that inhibits the very openness that this document seeks to foster, and worse, outright abuse by nefarious organizations that simply seek to benefit from the growing interest and adoption of open source software. See the recent news from Russia on this.

In response to issue 3., "The OSI approval process is a best practice and enforces community norms, but is not a per se requirement." I would agree. "Open Source Software" is not defined and can be ambiguous, but "OSI Approved Open Source Licenses" and "OSI Certified" are defined and is a recognized standard. The value of including language that points to the OSI Approved Licenses is that it reduces the risk to, and overhead for, organizations seeking to comply with the U.S. Digital Services Playbook. Both government departments and agencies that seek the benefits of software freedom, as well as the companies and organizations that wish to participate, will have a clear metric and references (a list of OSI approved licenses) to assess if the software both aligns with industry norms and can inform their work when applying a license to new work. Without such a bright line to denote open source software--as you say, norms--government agencies will need to undertake the evaluation of each software license submitted, resulting in considerable overhead, possible confusion and another "standard" that they will need to refer to when developing/distributing software.

While it is true that there are undoubtedly OSD-complaint licenses in use, that the OSI has not reviewed, the OSD, the OSI Approved License list and the review process, are all well established and recognized and we continue to review new licenses when submitted (e.g. our recent approval of Oracles UPL), and just as importantly guide those who seek new licenses in alternatives to avoid license proliferation.

With regard to the second issue, "calling out public domain separately from open source," again I agree that there are few practical differences between CC0 and/or public domain work and permissive open source licenses and is thus, as you note, in line with the OSD. However, I would not offer the same regarding copyleft licenses as there is no way to require that modified versions/derivatives of public domain software remain CC0 or are contributed back to the public domain. One may modify public domain work and then apply a proprietary license on it (in addition they could potentially do this without modification).

The OSI recognizes software released as CC0 or in the public domain (as it could be argued to be a form of "permissive" open source licenses), but we would not consider that to be open source "licensed" software. Denoting this difference would add clarity to the document for those who may not understand the differences/impact between licensing and public domain. In addition, many may not want to relinquish their copyright.

I would point to the various issues reported by GIthub as evidence of confusion. Many people post code to Githib assuming that by posting it "in the public" it is either in the public domain or is open source. Neither is true and again, in US law, is actually "all rights reserved." By referencing "OSI Approved Licenses" those who want to contribute code can be assured that their work will indeed promote software freedom and be internationally recognized as open source software. We worked with Github to help develop this.

The problem with, "solutions which satisfy the definition of Open Source" requires some authority to asses if that definition is met. This leads me back to my opening questions about who will do this, how will this be constantly manged, and will this create a second standard?

Finally (I know, at last), I would offer that the laws around of public domain is not universal and vary across jurisdictions. Again, providing clarity can only help.

[konklone]

The OSI recognizes software released as CC0 or in the public domain (as it could be argued to be a form of "permissive" open source licenses), but we would not consider that to be open source "licensed" software.

As someone who prefers that government works, built or bought, be public domain, that's a reason for the Playbook not to define "open source" as that of an OSI-approved license.

In addition, many may not want to relinquish their copyright.

They are free not to perform work for the government.

I would point to the various issues reported by GIthub as evidence of confusion. Many people post code to Githib assuming that by posting it "in the public" it is either in the public domain or is open source. Neither is true and again, in US law, is actually "all rights reserved."

This is a problem, but a separate issue from what license to use. As an example, 18F's open source policy has a default LICENSE file and boilerplate instructions for new repos that ensures our repositories are marked as domestically already public domain, while applying CC0 elsewhere.

A repository could also intend to license itself under an OSI-approved license, but neglect to include a visible LICENSE file or take a non-standard approach to indicating their license. This is all to say, you bring up a valid issue, it's just not something that recommending "an OSI-approved license" solves. Recommending that a license or dedication be clearly indicated in a standard way is good guidance, but I suspect is too low-level for the intent of this Playbook.

In general, it's of course helpful to have definitions for things. The open source definition may be useful in that regard, whether or not it's appropriate for this Playbook. But like @vzvenyach, I still don't really like the idea of the government depending wholly on a definition maintained by a single outside entity.

This neat 1998 piece by Guido Van Rossum, the creator of Python, has an interesting passage about Eric Raymond, who co-founded the Open Source Initiative:

Eric Raymond has trademarked the term "Open Source" (capitalized) and has a somewhat precise definition of what is or isn't Open Source on his web site (see below). I sometimes worry that this can become a limitation: what if I call my software Open Source, with his approval, and later I change the terms and conditions, or Eric changes his definition -- I could be sued by someone who says I have to stick to the Open Source rules. Eric believes that this won't happen, and besides says that everyone is free to use the "open source" (lowercase) without sticking to his definition. We'll see -- for now, I'm favorable to the concept, but we won't put "Open Source" on the Python web site yet. (Note that we don't use "freeware" either.)

In any case, I'll just add that I'm a devoted fan of free and open source software, have released my works under both permissive and copyleft licenses, and am glad that institutions exist to keep those definitions free and clear. I also believe public domain is the right standard to hold our public service to, and would rather see that preference made unambiguous, not discouraged by an OSI approval process or external checklist.

[konklone]

For the record, it was nice to see the House of Representatives clear full use and participation in open source software today, and both that post and this one by OpenGov both linked to the Open Source Definition.

[paultag]

Not to jump in (and clearly I'm so conflicted on all sides; both USDS and OSI), but I think using the OSD (at minimum) would be a wonderful idea

[konklone]

@paultag Want to suggest language, or open a new PR with some?

[camerons]

I've written an Open Source Policy for an Australian University, and an issue we ran into was providing guidance on which Open Source License to recommend.
I suggest that Governments should do the hard work of determining which license is in the best interest of Government, then provide a well defined workflow to help developers select the preferred Open Source license for the developer's use case.