GPLv3 looks like a worthy update


When I first came across the GNU General Public License in 1986, it was nothing short of an epiphany for me. Its revolutionary approach to copyright (all wrongs reversed) and the bold vision of the GNU project (to do nothing less than to make UNIX obsolete by making something that was both better and free) was as earth-shaking to me as perhaps quantum physics was to Einstein. (You don’t need to tell me I’m no Einstein–I know that.)

After downloading the GNU C compiler in 1987, I developed considerable facility with GNU software. I experienced a most remarkable transformation of my own programming skills. (It reminded me of my own experience playing classical guitar the first time I played a “real” guitar instead of a junker, the music did not only sound better, but it was easier to play for longer as well. Hacking on GNU software was like playing a fine instrument….). Through this experience, I gained confidence to tackle a project that, only one year ago, I would have dismissed as sheer fancy: the development of the world’s first native-code C++ compiler, which I first released in December of 1987.

As I wrote in Open Sources, I began to see that the GPL provided a unique opportunity to commercialize free software, and after a two year quest to find some like-minded entrepreneurs, the first free software business (and, by definition, the first open source software business) was born. The story of that company is well documented in the O’Reilly book, but the salient point for this posting is this: the GPL had been written with freedom in mind and without consideration of the world of computers known as embedded systems. Cygnus became a major player in the embedded market, and in 1991, the Free Software Foundation updated the GPL to version 2 and issued the LGPL. In my opinion, these clarifications were not compromises against freedom to improve the business prospects of Cygnus (though there was that positive effect). Rather, they were technical improvements, much as one would expect to find in a protocol definition after some experience was gained. GPLv2 was a win-win.

Version 2 of the GPL has remained unmodified for 16 years, while copyright laws, conventions, and interpretations have changed in both degree and in substance. Version 2 of the GPL has also remained unchanged while companies large and small, powerful or not, scrupulous or not, have challenged it in every way imaginable, as if such challenge was their Job One. Some have been so bold as to say “well, since we can’t figure out how to make money with the GPL the way that other successful companies have, the GPL must be broken!” Right.

In that same period of time, cryptographic techniques assumed secure have been proved weak, and we should not be surprised. Cryptographic methods (and security in general) is all about creating a defensive capability such that the cost of attack is greater than the value of the reward. In 16 years, costs have changed considerably: 8-12 generations of Moore’s Law has delivered 256x to 4096x the computing power per machine, the Internet multiplied this computing power again by several orders of magnitude as distributed collaborative cracking projects became popular sport, not to mention advances in elliptical curve algorithms that undercut cryptographic strength by staggering amounts. In the world of cryptography, where we assume there are dedicated opponents working to challenge systems day and night, those who stand still are lost. Stronger defenses are needed every day.

GPLv2 has been a stunning success, and is presently the license of choice of some of the most exciting software projects in the world bar none. But corner cases have been found where the freedom that the Free Software Foundation sought to guarantee have been circumvented, and those circumventions also work against the fair bargain that makes open source an attractive basis for commercial success. The success of one against the loss of a whole community is not what open source is all about (and certainly not what free software is about, either).

I have read the newly released draft of GPLv3 carefully, and I believe it is a stunning accomplishment. (Disclaimer: not only am I no Einstein, I am also not a lawyer. However, my 20 years of experience with free software, the GPL, and 18 years of commercial experience should count for something.) My reading tells me three things. First, the GPLv3 is familiar; it is not as if everything we know must be relearned. Second, the GPLv3 deals with corner cases which, if left unfixed, will collapse, taking all our good work down with them; collapse is bad enough, but predictable collapse is shameful. Thirdly, the GPLv3 reaffirms that in spite of all the growth and all the success that the free software movement has enjoyed these past 20+ years, the goal of the Free Software Foundation remains centered on software freedom, and that the only prohibition they uphold is against those who seek to undermine such freedom. It is encouraging to see an organization maintain principle in the face of prosperity.

This morning, with GPLv3 on one monitor and the OSD on the other, I read a license that should have no trouble achieving OSI certification. Based on my reading, I encourage the Free Software Foundation to submit their final draft when they are ready so that the whole open source community can review, discuss, and recommend to the OSI board whether they, too, see what I see. If so, we should see a much-needed update added to the roster of OSI-approved licenses, and we will be in a position to encourage those whose business depends upon fairness to offer them a licensing choice that is both sound and safe.