News: Newest Concern on Sun's Open Source Strategy

  1. Jim Driscoll, currently project manager for Glassfish, has blogged "Newest Concern on Sun's Open Source Strategy," addressing concerns over copyright assignment to Sun under the CDDL. His statement is that the dual-assignment is normal for open source.

    The ensuing discussion thread brings up some interesting points. One poster went into great detail:
    The CDDL and the Copyright grant are completely independent, and basically unrelated. I think the CDDL is a fine license, as it balances programmer rights and user rights. But as Jim mentioned, copyright trumps license. With copyright, you can change the license.

    Several years ago, Borland released the Interbase Database source code as an Open Source project. They then, quickly, turned around and brought it back in house. Obviously, it was immediately forked and today we have Firebird, which as far as I can tell is on a divergent course from Interbase.

    Interbase wasn't free long enough for any community work to have been done on it before it was taken back, and I'm not familiar with their license. But it is an example of a company "changing its mind" regarding an open source project.

    With the copyright grant of the SCA, Sun has the ability of taking the totality of the work, both original code and new submissions, and forking it for a completely internal, closed source project, and then being able to relicense that code in any way it sees fit. After a year of work, Sun can take the GlassFish project, update it, change it, repackage it and relicense it as "Java AS 10 Super Edition". They can integrate enterprise clustering, management, etc., and are not obligated to return any changes to the community.

    If a community member tried to do the same thing, any changes they made to the original source code that were necessary to implement those changes WOULD have to be returned to the community (at least made available) because of the terms of the CDDL.

    So, if I wanted to make GlassFish Enterprise, even though I wouldn't be obligated to release my "Enterprise Management Console" or whatever, since it may well be a new creation and not under the terms of the CDDL, however if I had to make internal changes to better support, say, clustering, those changes are required by the CDDL to be released.

    But since Sun holds copyright, they are not obligated by the CDDL to release those internal changes, as they are not obligated to keep the CDDL license on the code.
    It's an interesting problem. At Java One, some Sun engineers admitted privately that Sun has a very difficult time being as supportive of Java as some of their competitors, simply because Sun has ownership of Java - supporting it as aggressively as, say, IBM does would mean competing with their own business partners. Therefore, any move Sun makes has to be examined very closely.

    The new licenses Sun has created recently do seem to be attempts to become "more open," but community support seems to be flagging. What's your opinion on the matter?

  2. ... in all the cases, most of the open source projects require an additional and separate signed contribution agreement, even Apache ones (http://www.apache.org/licenses/icla.txt).
    So what if suddenly the Apache Foundation decides to resell some commercial proprietary products?
    Same is true with all dual licensed projects. What if MySQL suddenly decides that MySQL 5.0 will become proprietary? And of course they can...

    Stéphane
  3. Fork and some market share will be lost :)

    Stéphane TRAUMAT
  4. The Concerns

    The main concerns could be easily alleviated by the creation of an independent, non-profit that would exist to ensure that the "open" versions of the code could continue forward under the CDDL as long as people chose to contribute. This would not stop Sun from reusing such code in a commercial implementation, just as it does not stop (and is not intended to stop) commercial implementations based off the Apache License. But it does ensure that the open version of the product continues forward for those who have a vested interest in that version of the product.

    I've often thought that the Java specs should be held by such an independent non-profit organization as well, and that the JCP should be administered by that organization. However, Sun apparently feels otherwise for the moment.
  5. The Concerns

    The main concerns could be easily alleviated by the creation of an independent, non-profit that would exist to ensure that the "open" versions of the code could continue forward under the CDDL as long as people chose to contribute.

    Actually, the CDDL license, like all Open Source licenses, already does that. It's yours. We can't take it away.
  6. The new licenses Sun has created recently do seem to be attempts to become "more open," but community support seems to be flagging. What's your opinion on the matter?

    Community support comes from community. I doubt that the community using the Sun app server has "flagging support" for what Sun is doing, but that community is neither as large in terms of developers -- nor as vocal -- as the communities surrounding other open source projects.

    I think it's a positive move from Sun, and in retrospect it's probably a late move, but if it helps their customers, I can't see how anyone else (i.e. anyone who doesn't have a stake in its success) has a right to be "concerned" ..

    Peace,

    Cameron Purdy
    Tangosol Coherence: Clustered Shared Memory for Java
  7. I can't see how anyone else (i.e. anyone who doesn't have a stake in its success) has a right to be "concerned"

    The concerns Mr. Driscoll was addressing were from people who contribute code to the server, and who must essentially sign their copyright over to Sun. I don't think Sun's approach is new or unreasonable here, but the people expressing concern are certainly valid stakeholders in the process.

    As for flagging support, that is usually to be expected when you open your source out of desperation. Two years ago, while the JBoss and Geronimo developers were evangelizing the need for an open source application server, Sun was making snide remarks about the open source community, and announcing that a free, stripped-down, closed source server was good enough for everyone.

    Now that they have done a complete 180, I doubt they lie awake at night wondering why developers don't suddenly flock to them. I have years of experience with an open source product that is meeting my needs just fine, and Sun would have to offer something more compelling than another me-too entry to make me consider switching.
  8. I have years of experience with an open source product that is meeting my needs just fine, and Sun would have to offer something more compelling than another me-too entry to make me consider switching.

    To try/use a J2EE 5 platform in development with JSP 2.1, JSF 1.2, EL, EJB 3, etc?

    I'm one of the contributors to Glassfish and not an employee of Sun -- and had to sign an SCA to contribute to some of their projects. Truthfully, much of this talk about licensing scared me a little. I, for one, am not fluent in legalese and the discussions on Java.net cleared up all of my concerns. With the code contributed to the CDDL, Sun doesn't have the upper hand. The code as it stands under the CDDL can be utilized and shared with anyone.

    If using MySQL and Linux doesn't scare you, then using Sun's AppServer shouldn't scare you either.
  9. Truthfully, much of this talk about licensing scared me a little. I, for one, am not fluent in legalese and the discussions on Java.net cleared up all of my concerns. With the code contributed to the CDDL, Sun doesn't have the upper hand. The code as it stands under the CDDL can be utilized and shared with anyone. If using MySQL and Linux doesn't scare you, then using Sun's AppServer shouldn't scare you either.

    I'm the one quoted in the main article.

    I think most folks are like you, and the grant of copyright is not a big issue, but I do want to clarify that in this case, Sun DOES have an upper hand. It is not an equal partner in the community. By assigning copyright, Sun has all the rights to do anything they want with the overall source code, and no one else in the community has that same power over the entire source base. So, while all community members are equal, Sun is more equal than others.

    Again, 99.99% of the time for 99.99% of the people, this is not a problem. FSF holds all of the cards for GNU software (not GPL software, just the GNU/FSF managed software), and has the same powers over it as Sun does.

    However, for example, the Linux kernel does NOT have this issue. Linus is not the sole copyright owner of the kernel code, the individual contributors are. Linus can not simply fork the Linux kernel, relicense it, and sell it to SCO or Microsoft. There was an issue once where someone DID want to pay for a fork of the Linux kernel, but couldn't pull it off. Either the people were unwilling to relicense their contributions, or perhaps unable to even be contacted.

    This was one of the issues with OpenSolaris, the whole vetting of the source tree to get consolidated rights over the source code. Since even something like Solaris had code from several companies, all of the code had to either be put under the same license/copyright umbrella or be removed from the distribution. Doing such a thing for the Linux kernel would be very time consuming.

    This is the primary motivator that Sun has to keep all of the code in its projects with a single source of copyright, and it is also a distinct advantage for Sun, as being the entity that has sole copyright over the entire source base (even though they share copyright with individual contributors, they alone have copyright over all of it), they essentially have much more control over it. Jim Driscoll's argument is they would use this authority to be able to relicense the source code should CDDL 1.0 have a fatal flaw, they could upgrade everything to CDDL 2.0 or whatever.

    But that knife cuts both ways. The fact that they can at will relicense the source base means they can relicense it to anything, not just a CDDL related or inspired license. They can create a fork and license it as the GPL, or as BSD, or they can fork it and license it under a closed source license.

    The key here, of course, is the word "fork". They can't pull back CDDL licensed code. That code is "free forever". Anything you add to the project will always be available to anyone that can get their hands on the source code.

    But what they can do is make a fork of the source tree, license it with a closed source license, and make changes to any parts they please without any obligation to the CDDL, and thus under no requirement to release those changes back to the community. So, as a contributor, you submit code, they can fork and relicense and upgrade your code, and you would not necessarily see those changes to your work.

    MOST folks don't care. The BSD/Apache folks certainly don't, as their licenses are much more liberal than the CDDL. But I think it is important to realize that if this kind of "taking" bothers you, while the CDDL would protect you in a pure CDDL project where you maintain copyright, in a Sun (or any other) project where you hand copyright over, the CDDL does not protect you, at least not from the master copyright holder.

    It's a technical lawyerese detail, but it's all a matter of expectations, and while the CDDL is fine, the combination of the CDDL and the copyright grant MAY cause confusion for some contributors who see the CDDL as their safe harbor from this kind of incorporation of their open source work into proprietary code.

    Note, that specifically for something like GlassFish I DO see this issue coming up. I fully expect that Sun would take the GlassFish project, and spruce it up for an "enterprise" version, or whatever that they can license to customers. Also, Sun needs to be able to relicense GlassFish as the Reference Implementation to other companies (like IBM and BEA) who may well incorporate GF code into their own internal products rather than reinventing it to become compatible with the latest JEE standard.

    Finally, I don't think this is a big deal. I think most folks go into this with open eyes, there's no subterfuge going on, it's all there in black and white. But I don't want someone to think that they're blindsided by this topic, that Sun deceived or cheated them, and go screaming to the heavens about how horrible Sun is for "stealing code", because they're not. The code was given to them.
  10. The concerns Mr. Driscoll was addressing were from people who contribute code to the server, and who must essentially sign their copyright over to Sun.

    Just to be clear, they're not signing it over to Sun. They're granting it to Sun, and keeping it themselves. It's not like work-for-hire.
  11. Glassfish is irrelevant

    Now that they have done a complete 180, I doubt they lie awake at night wondering why developers don't suddenly flock to them. I have years of experience with an open source product that is meeting my needs just fine, and Sun would have to offer something more compelling than another me-too entry to make me consider switching.

    I agree with Corby and I had made similar comments in another post. Sun has to offer something special for community at large to consider Glassfish. JBoss had first mover advantage and Geronimo has unique architecture (and Apache name) to excite people. Glassfish is an attempt to open source a failed commercial product. Why should I be contributing to it - To help Sun build its own commercial product. While I consider Sun to be the most "altruistic" amongst all other big corporates involved with Java, it would help the community more if it concentrates on underserved areas in open source.
  12. Glassfish is irrelevant

    Now that they have done a complete 180, I doubt they lie awake at night wondering why developers don't suddenly flock to them. I have years of experience with an open source product that is meeting my needs just fine, and Sun would have to offer something more compelling than another me-too entry to make me consider switching. I agree with Corby and I had made similar comments in another post. Sun has to offer something special for community at large to consider Glassfish. JBoss had first mover advantage and Geronimo has unique architecture (and Apache name) to excite people. Glassfish is an attempt to open source a failed commercial product. Why should I be contributing to it - To help Sun build its own commercial product. While I consider Sun to be the most "altruistic" amongst all other big corporates involved with Java, it would help the community more if it concentrates on underserved areas in open source.

    Have you contributed to Apache Tomcat? Most of the versions were done by Sun and its engineers and given back as the reference Servlet container.

    Yet Sun gets NO thanks for you bunch of complainers. Then the same complainers talk about Sun and open source. It's getting so OLD that it's becoming more and more annoying.

    And Tomcat is the servlet container used in JBoss and I believe Geronimo, so if you're using those servers send a Thank You card to Sun!
  13. Glassfish is irrelevant

    Have you contributed to Apache Tomcat? Most of the versions were done by Sun and its engineers and given back as the reference Servlet container. Yet Sun gets NO thanks for you bunch of complainers. Then the same complainers talk about Sun and open source. It's getting so OLD that it's becoming more and more annoying. And Tomcat is the servlet container used in JBoss and I believe Geronimo, so if you're using those servers send a Thank You card to Sun!

    Brian - You are just supporting my point by bringing discussion on Tomcat. I am not complaining about Sun. I am very much aware of Sun's contribution to Tomcat. It was successful because of "first mover" advantage. Coupled with good engineering and Apache support it had turned out to be the most successful product in open source world. Sun's own web server has fallen from its Netscape glory to irrelevance now. It is all about building community as far as open source is concerned. Tomcat invigorated the community by being first to provide production quality web container in open source. Struts provided MVC framework when none existed. Spring stood up to reduce J2EE complexity. If you look at any open source product its success is dependent on timing and ability to solve most pressing needs. IMHO, Glassfish does not satisfy these criteria hence irrelevant.
  14. Glassfish is irrelevant

    You are just supporting my point by bringing discussion on Tomcat. I am not complaining about Sun. I am very much aware of Sun's contribution to Tomcat. It was successful because of "first mover" advantage. Coupled with good engineering and Apache support it had turned out to be the most successful product in open source world. Sun's own web server has fallen from its Netscape glory to irrelevance now. It is all about building community as far as open source is concerned. Tomcat invigorated the community by being first to provide production quality web container in open source. Struts provided MVC framework when none existed. Spring stood up to reduce J2EE complexity. If you look at any open source product its success is dependent on timing and ability to solve most pressing needs. IMHO, Glassfish does not satisfy these criteria hence irrelevant.

    What criteria? That it's not the first? Since I was around for Tomcat, let me tell you, it wasn't the first. It also wasn't the second. It also wasn't production quality, when it started, let me tell you. It did get the biggest community, though, in part because of the Apache association. Which led to it becoming production quality. If first mover was key to success, Larry Page would still be a grad student.<BR><BR>

    As for the Sun Web Server, that's a big orthogonal, and it competes mostly with the Apache Web Server and IIS, where it's doing quite well, thanks, on a revenue basis.<BR><BR>

    Lots of comments for something that's so irrelevant, don't you think? Marc Fleury started out by saying the irrelevant comment, but that was before we announced the license. I'm sure he's still saying it's irrelevant, but I doubt he's thinking it.<BR><BR>
  15. Glassfish is irrelevant

    If first mover was key to success, Larry Page would still be a grad student.<BR><BR>

    As for the Sun Web Server, that's a big orthogonal, and it competes mostly with the Apache Web Server and IIS, where it's doing quite well, thanks, on a revenue basis.<BR><BR>

    Hey Jim, get the brains at Sun to give java.net a better comment system so we don't have to type in HTML. As you can see, it seems to have become a habit with you now. :-)
  16. HTML in comments

    Hey Jim, get the brains at Sun to give java.net a better comment system so we don't have to type in HTML. As you can see, it seems to have become a habit with you now. :-)

    I was just thinking the same thing *sheepish grin*. It's Movable Type over there. What's it here?
  17. Glassfish is irrelevant

    Now that they have done a complete 180, I doubt they lie awake at night wondering why developers don't suddenly flock to them. I have years of experience with an open source product that is meeting my needs just fine, and Sun would have to offer something more compelling than another me-too entry to make me consider switching.

    Vamula (if that is your real name); how exactly have Sun done a "complete 180" ? What is it that Sun has done that makes you think that we're diametrically opposed to Open Source ? Are you mentally blocking out our involvement in things like OpenOffice, NetBeans, Tomcat, Gnome, NFS, Solaris, JBI, etc ?

    If you are involved in another project and are happy then that's just fine and dandy. If you don't value the choice that multiple OSS AppServer projects gives then that's fine too; if you can't be bothered to at least find out and understand what other projects offer that's your loss, no-one else's.

    Rich Sharples
    Sun Microsystems
    http://blogs.sun.com/roller/page/sharps
  18. Community support comes from community. I doubt that the community using the Sun app server has "flagging support" for what Sun is doing, but that community is neither as large in terms of developers -- nor as vocal -- as the communities surrounding other open source projects.

    AS PE is in the Java EE SDK that's had 4 million downloads from our site, so I doubt we're flagging as much (or quite as small) as most folks here think. The community we have is rather large, but certainly not terribly vocal - they tend to be IT types toiling away inside corporations, rather than large groups of people who make a habit of posting on discussion forums.
  19. The concern over the open source strategy arises because of the copyright assignment, and the motivation for it, according to Jim Driscoll:
    What's your alternative? Because surely, one must be presented. To be forever locked into a license, regardless of its current suitability to task, is surely not a good idea. The ASF and FSF don't think so, and neither do I.

    To address this concern, instead of requiring a copyright assignment to Sun, why not do what has been done in the past: creating an independently run non-profit organization which has the copyright assigned to them.

    While Sun's motivation is legally to make money, a non-profit organization can be trusted by having their operating policies known from the beginning.
  20. To address this concern, instead of requiring a copyright assignment to Sun, why not do what has been done in the past: creating an independently run non-profit organization which has the copyright assigned to them. While Sun's motivation is legally to make money, a non-profit organization can be trusted by having their operating policies known from the beginning.

    Yes, that's the ideal solution, but I think we can all understand why Sun wants to maintain some control over something like Solaris/OpenSolaris rather than forking off a non-profit.

    By the same token, anyone can fork GlassFish or OpenSolaris and provide a venue for those not willing to cede copyright to add to the project. These projects could easily maintain and remain up to date with the parent projects, as the CDDL allows their incorporation.
  21. The concern over the open source strategy arises because of the copyright assignment, and the motivation for it, according to Jim Driscoll:
    What's your alternative? Because surely, one must be presented. To be forever locked into a license, regardless of its current suitability to task, is surely not a good idea. The ASF and FSF don't think so, and neither do I.
    To address this concern, instead of requiring a copyright assignment to Sun, why not do what has been done in the past: creating an independently run non-profit organization which has the copyright assigned to them.

    While Sun's motivation is legally to make money, a non-profit organization can be trusted by having their operating policies known from the beginning.

    But as Jim pointed out, Sun will and always has been required to operate in a manner similar to Apache because of its ownership of Java-- there's the JCP for example.
  22. The new licenses Sun has created recently do seem to be attempts to become "more open,"

    Ahem - just a quibble here: The CDDL license is not more open - the CDDL license is Open. It's an OSS license, blessed by the OSI.
  23. We just had a long discussion at Javalobby about LGPL and CDDL and the patent license grant you receive.

    If I understand correctly under the CDDL a Contributor grants a patent license for the code that he contributes.
    Each regular contributor will grant patent license only for his contribution.
    By virtue of the SCA, Sun obtains a shared copyright from the other contributors. A next release of the software would have all contributions carrying Sun's copyright (to keep the code base under single copyright) and thus give patent license for that code.
    Jim, do I get it right?
  24. We just had a long discussion at Javalobby about LGPL and CDDL and the patent license grant you receive. If I understand correctly under the CDDL a Contributor grants a patent license for the code that he contributes. Each regular contributor will grant patent license only for his contribution. By virtue of the SCA, Sun obtains a shared copyright from the other contributors. A next release of the software would have all contributions carrying Sun's copyright (to keep the code base under single copyright) and thus give patent license for that code. Jim, do I get it right?

    This is a complex topic and I Am Not A Lawyer (IANAL). Let me try anyway:<BR>
    You're smushing together some things that don't have overlap the way you seem to think they do, CDDL and SCA, and patent and copyright. Let's try to tease them out.<BR><BR>

    CDDL is an Open Source license that makes patent grants. You get a grant of patents contained in the source code, for the purpose of using it with that source. You also grant permission as copyright holder to do all sorts of folding, spindling and such on the code.<BR><BR>

    The SCA is a simple contract that also talks about patent and copyright. Signing the SCA grants a joint copyright to Sun, and also grants patent rights to Sun, so Sun can later do important things with the code, like putting it into the RI, as well as changing the overall license if we ever get license peace with the Mozilla foundation.<BR><BR>

    The legal notion of "release" contained in the CDDL (or, for that matter, in the GPL or ASL licenses) doesn't really match what engineers think of as a release. It just means the particular version of the code as it currently exists, not a separate special release like a promoted build. It's a snapshot in time of code.<BR><BR>

    I hope this made things clearer, rather than more murky. Let me know if you have a specific question, I'll keep trying to answer them as best I can - but remember, IANAL, so if you ever really need to know for any license, you should always ask an expert in law, not a former engineer who's currently an engineering manager. (Not a project manager, as stated above).
  25. Or Otherwise Distributes Concern

    I'm hoping someone can help with some of the language used in the CDDL.

    In the distribution clause Sun uses the words "You distribute or otherwise make available".

    What exactly does that mean?

    Scenario 1:
    Suppose I set up a webstore, and a customer fills out an order entry form. Then they hit submit and the request is processed by glassfish. Did I just "Otherwise make available" glassfish to the customer?
    Scenario 2:
    I build a server (Hardware and everything) that can process purchasing orders. I then use this server to process purchasing orders using glassfish for an organization. The organization pays me for this service. Am I now "otherwise making available" glassfish to the organization?
    Scenario 3:
    Scenario 2 + a user in the organization that I'm leasing the services on the server to, sends request to glassfish sitting on my server, using a browser, and glassfish sends responses back to the user in the organization. Am I now "otherwise making available" glassfish to the organization?

    So in other words, do entities using glassfish have to inform everyone interacting with the server, through a browser, of their CDDL license rights?
  26. Or Otherwise Distributes Concern

    Incidentally, I also posted the "Otherwise Distributes Concern" on both Jim Driscoll's and Simon Mink's blogs several days ago, and neither of them replied.

    This probably means that anyone interacting, using a browser, with your server running CDDL licensed libraries/executables must be made aware of their license per the CDDL.