Adventures in Open Source

I guess I should be flattered, but it appears that not one but two companies have decided to build commercial products on OpenNMS. Both of them were brought to my attention by members of our community.

The first product is called “RuggedNMS” by a company out of Canada called RuggedCom.

If you look at the screenshots, it is quite obviously OpenNMS with a slightly different skin. If you zoom in on their “Extensive Reports” screenshot you can see “uei.opennms.org” in the unique event identifiers.

How they can sell this as a commercial product without violating the GPL is a mystery, especially when you read their terms which state:

RuggedCom provides a trial copy RuggedNMS™ solely for the direct use of the person who is identified in the trial software request form. This is only a 30-day trial.

Redistribution of RuggedNMS™ software files by any means is prohibited.

The second case is a product called OpenGate by Encodex TeleSystems. They at least mention OpenNMS which is a good sign, but I am also confused by their use of the phrase “Encodex TeleSystems developed a proprietary Network Management product using OpenNMS platform and framework”. While technically possible, I am at a loss to understand how OpenNMS can easily be used as the basis for a proprietary product under the GPL.

While it is unfortunate, we do have experience in dealing with this in the past. One major difference over last time is that all of the OpenNMS copyright is now held by one entity, which makes enforcement of the license much, much easier.

I’ve contacted our team at Moglen Ravicher and asked them to look into this. My hope is that it can easily be resolved. We chose to make OpenNMS open source for a reason, and I have to wonder if it is too much to ask for others to respect that.

UPDATE: Okay, now I’m starting to wax sorely pissed. A friend of mine pointed me to this link on the RuggedCom site about discovery. Now compare that to the How-To I wrote years ago. Seem familiar?

UPDATE 2: Got a reply about OpenGate

Hi Tarus,

Thanks for your email. OpenNMS base product that you see on the website will be deleted, as this was never a product and was not built.
This was a conceptual design activity that never progressed.

We will remove it from the website right away.

Thanks

Arun Joshi, CEO
Encodex Telesystems

I bought my iPhone back in November, which was the last month I would have a Sprint bill.

So I thought.

Since December, every month like clockwork I get a multipage statement in the mail letting me know I have a credit for $1.24.

If we assume it costs, conservatively, $0.50 to send that bill, they’ve already spent almost twice what they owe me to let me know about the credit.

In other billing news, our newest insurance provider, Guardian, has informed my insurance broker that we haven’t paid our last two bills. As someone who is incredibly anal-retentive about paying bills I can explain: we haven’t gotten any.

And, in order to sign up to pay your bill online, you have to have information that is only sent with the paper bill, which I haven’t received.

(sigh)

Is it any wonder that the adoption of paperless billing has stalled? If we can’t trust our suppliers to deal with paper bills correctly, why would we trust them to do it electronically? With the huge penalties for missing, say, a credit card payment by even by one day, entering into an agreement to only get an electronic reminder can be a bit scary.

I wish they would adopt the process my eye doctor uses to verify appointments. Two days before the appointment they send out an e-mail. In the e-mail is a link to confirm or reschedule the appointment. If you don’t click on it, they call you the next day.

If Citibank or Chase would implement a system where they would send a paperless statement (or let you know that it is ready) and if you didn’t verify receipt within a certain period of time they’d send out the paper statement, I’d sign up in a heartbeat. Technologically it wouldn’t be hard to implement.

Can you tell I’m a little overwhelmed with paperwork lately? As OpenNMS has grown I’ve had to spend more and more time with administrative tasks than playing with software. I’m not sure I like it.

At least I got to help a client figure out a notification issue that was giving him trouble yesterday, and a lot of it is dealing with new business, which is always great, so I guess I shouldn’t complain.

A few months ago I blogged about a new site called “MonitoringForge.org“. It seemed to me to be a thinly veiled marketing attempt with little value, but I was willing to give it the benefit of the doubt and time would tell.

Well, I was reading Coté’s blog today and read a link where they created a press release to trumpet their 2,000th registered member.

This struck me as funny because, in the same sentence, they state that there are “more than 2,000 projects” registered on the site.

Wah?

So, if only one unique member of each project on their site registered, there should be more than 2,000 of them, yet they have less than that, and this is considered news? Heck, we have nearly 1300 people on the opennms discussion list and we’re just one project, but with their site running at an average of less than one person per project I guess we’re doing pretty well. And while I’m sure that 80 or so of our subscribers are directly working on OpenNMS, that still leaves about 1200 end users.

I’ll leave the similar calculation for MonitoringForge as an exercise for the reader.

(sigh)

Now I’m not one to beat a dead horse, but when the “Chief Marketing Officer” is willing to issue a press release on a site she calls “the epicenter of all open source projects that relate to IT monitoring” with such, in my humble opinion, lame numbers, I’m willing to stand by my original impression that this is just a marketing ploy.

Am I wrong? Can anyone comment who found the site valuable? Inquiring minds want to know.

A couple of days ago I saw a post by Dana Blankenhorn continuing the discussion of copyright assignment in open source. He pointed to a piece by Michael Meeks that he describes as:

This may be one of the most important papers on open source since The Cathedral and the Bazaar. It is well worth your time to read it in full.

With a comment like that, how could I not read it?

The main driver for a lot of this discussion is the impending acquisition of Sun, and thus MySQL, by Oracle. MySQL had a policy that any code contributed to the project required that the author assign the copyright to to the MySQL corporation. This gave them full control over the application, including the ability to publish it under different licenses.

The problem I foresaw with this was that some contributors would be reluctant assign copyright, and thus community contribution to MySQL would be lessened. This really didn’t seem to affect MySQL at all, and the fact that they “owned” 100% of the code definitely helped them get bought for US$1 billion by Sun. Their ability to generate revenue from that code was also responsible for their rapid growth and in a large part helped make the MySQL database what it is.

But now that MySQL looks destined to be owned by Oracle, people are worried that Oracle won’t put much energy into the project. MySQL was designed to be a replacement for Oracle’s bread and butter products, so it is obvious that as the new owner, Oracle won’t be working too hard to put itself out of business, thus the only real question is how much less effort will be put into MySQL. Since MySQL was published under the GPL, it would be very hard for another company to commercialize it, which will limit the chances that a well funded fork could be created. MySQL’s future growth looks pretty small, or at least much smaller than it could have been under a different owner.

Because of this, one of the MySQL founders, Monty Widenius, has even started a petition to prevent the sale by appealing to the EU.

Now I’ve had a couple of e-mail exchanges with Monty and I found him to be a very friendly and nice guy, but I’m a little puzzled by his actions. One can only assume that as a founder of MySQL he made quite a bit of money on the sale of the company, and that he was also instrumental in creating the company that eventually was sold. Thus his decisions led directly to this predicament. It seems to me, well, “wrong” to accept VC money, have a record breaking buy-out and then want things back the way they were, so I have little sympathy for this effort. Perhaps instead of trying to block the sale via legal channels he would be better off forming a foundation to try and purchase MySQL back from Oracle and then he could make it as free as he wanted.

Anyway, had MySQL been licensed under a more permissive license, or had contributors not assigned copyright, it would make it much easier for a third party to step in and commercialize a fork. I responded to some of Brian Aker’s comments on the subject a few weeks ago, and now I thought it’d be fun to examine those of Michael Meeks.

The two main points I took away from Michael’s paper were that copyright assignment should be avoided, and that one should use a permissive license. This is in order to build “a social environment built for the common good”.

I can’t really disagree with his conclusions. I believe that, yes, if one wants “a diverse, and thriving developer community” creating software with the most freedom is important. But it is based on one of the biggest flaws and misconceptions about open source, which is that simply by being open source thousands of qualified people will give up nights and weekends to work on your project.

I would never base any business plan on altruism. In fact, I don’t think it exists, at least on a large scale. People are selfish, and they do things in order to bring themselves personal gratification. The trick is to align those things that benefit individuals with those that benefit the group.

In many cases the ideas that Michael describes work. If you take a look at some of the successful open source projects, the end users are also developers (Spring, JBoss and to a lesser extent MySQL). The product that is sold is usually built using the open source tools, but it is not the tool itself. Thus having permissive licenses can make this very beneficial for all involved, since they are then free to commercialize the final product as they see fit.

But what happens when the project is aimed at end users and not developers? Take OpenNMS for example: our end users are network and system administrators, not Java coders. The project is the product. In order to develop this software, someone has to write it, and the most qualified coders tend to have things like mortgages, car payments and other needs that require money. It’s fine to preach altruism when you work for a large company like Novell or Sun, but what about small companies that are dedicated to open source? How can they make money and protect their work, while still remaining true to open source ideals?

In my own experience with OpenNMS we had a company that took our project, made some changes to it and distributed it in violation of the license. They had raised several million dollars in VC money and thus were able to hire the resources necessary to rapidly advance the application, and they claim to have made millions more selling, ultimately, the work of our community.

Had OpenNMS been published under a permissive license, this would have been perfectly legal. Thus the work of a small but dedicated group of people could have easily been commercialized by a larger company with more money. But since OpenNMS is published under the GPL this was not permitted, so we decided to pursue legal action.

The first thing you learn is that you are on your own. No one really cares that someone is abusing an open source license, especially if the code being stolen is maintained by a commercial institution. Luckily we were in a position to afford to hire a legal team.

Then we hit the second hurdle. At the time no single entity held copyright to the OpenNMS code. All code up until version 1.0 was held by Raritan (which had bought the assets of Oculan after they went out of business) and most of the remaining code was held by the OpenNMS Group. The company in question claimed that if it was using the code in violation of the license, it was only the code for which Raritan owned the copyright, and thus we had no recourse, as only the copyright holder can enforce the license.

It took us a year working with Raritan before they could join us in pursuing this company, and in that time the company ripping off our community’s work tried to clean up their act by releasing a fork of OpenNMS. While I can’t see how that fork would absolve them of their licensing issues (OpenNMS is a Java program published without the classpath exception, so simply importing OpenNMS classes is the creation of a derivative work under the GPL and there is no way this forked code could have been used without importing those classes) it did muddy the water quite a bit. I also found out that the legal system in the United States is reluctant to award damages based on software that used to violate a license, even if that software was sold for large amounts of money.

Before we could pursue it much farther, that company closed its doors. Whether our actions had anything to do with it, I don’t know, but part of me likes to think that there were some consequences for the theft of our code. But we did get a benefit: Raritan was willing to sell us the copyright to the code we didn’t own. It wasn’t cheap (two houses had to be mortgaged to cover the cost of the loan) but it was fair.

Once we purchased the copyright to the 1.0 code, all that remained for us to be able to defend OpenNMS from cases like this in the future was to reach some sort of agreement concerning copyright with the 40 or so contributors to OpenNMS since 1.0. Copyright assignment seemed to be the best way to go, but it didn’t seem fair to me. For example, suppose a member of our community comes up with a cool algorithm for doing some task and they integrate that into OpenNMS. Copyright assignment would mean that they were giving away that work, and if they wanted to reuse it in the future they would have to license it back from us. While it is important for all of the OpenNMS code to have a single owner, that was not fair to, and definitely discourages contribution from, the original programmer.

Our solution came from an OGP member named DJ Gregor who suggested that we adopt the Sun Contributors Agreement (SCA). This introduces the concept of dual-ownership: the copyright is assigned to a third party yet the author also maintains copyright. While this has never been tested in court, I trust the Sun legal team that it will hold up. I was happy to see that this meets, somewhat, with Michael’s approval, as he mentions the SCA a number of times in his article.

Thus, based on my experiences with OpenNMS, for a small company trying to make it with a business based on open source software, I think restrictive licenses like the GPL are crucial, as is copyright assignment.

The key part of any community is trust, and open source communities are no different. We don’t have huge numbers of people outside of the company contributing code (heck, we tend to hire the most prolific coders) but we do have an active core of people that help keep the project moving forward. The way we’ve been able to maintain that is by promising that no matter how much OpenNMS grows or is packaged in the future, the source will always be 100% available under an open source license. This is a promise we maintain by doing all of our development publicly – even custom development projects have their own branches in our git repository.

And we truly do listen to our team (DJ’s suggestion of the SCA as a case in point) even if they aren’t employed by the commercial side of the project. They are empowered to help determine the direction of the OpenNMS even though they don’t work for the company.

I think it is easy to describe a utopian world where all software is free, especially when your paycheck doesn’t directly depend on revenue from that software, but for a company that wants to both generate revenue and remain 100% open source, some sense of ownership and control is necessary.

I agree with Dana that the article is definitely worth reading, although I’d stop short of comparing it to The Cathedral and the Bazaar. Also check out the links at the bottom of Michael’s post. It includes the aforementioned article by Brian Aker as well as a great one by Bradley Kuhn called “‘Open Core’ is the New Shareware“.

At OpenNMS we try to avoid the pitfalls of open core commercial software by publishing 100% of our work publicly, but that requires such things as a restrictive license and copyright assignment. As with any situation involving trust it takes time to build, but we hope to continue to earn it.

Note: This is one of my travelog posts with little OpenNMS content.

I like Chicago. I think it gets a bad rep in comparisons with New York and San Francisco, but I almost always enjoy my trips here. This may come as a surprise to many, since this is the eighth year in a row I’ve spent a week in Chicago in December, and I must admit the fact I like the city has a lot to do with being here other times during the year (we have a large number of clients in the area).

It’s cold here. As I write this it is 2F (-17C). This is actually an improvement over earlier this week where, while it was warmer, there was constant sleet/snow/rain. On Tuesday when I was walking back to the hotel, the 40 mph winds coming off the lake combined with pellets of sleet that could quite literally flay the skin off your face. Luckily, I have the world’s best travel umbrella, which acquitted itself quite well. Since the wind caused the sleet to hit you horizontally, I just held the umbrella up in front of my face to block most of it, with the occasional peek around it to make sure I didn’t walk into anything or anybody. The wind was so strong that it reduced the umbrella into a cone with a base about 10 inches wide, but it didn’t fail or invert and it got me back to the hotel with my face intact.

Compared to yesterday, that was a pleasant experience.

As my three readers know, I recently bought an iPhone. This trip has been my first chance to really use it and I am quite pleased. While the voice quality is just okay and the camera isn’t very good at all, as an overall communications device it works quite well. I am at a long time customer that happens to be a bank and as such their network is very locked down. Usually I am completely cut off from e-mail and IM, but with the iPhone I can easily keep in touch. The AT&T 3G network has been very responsive (I’m on the third floor of the building next to a window) and the intuitive interface of the phone makes using it a breeze. Battery life has been good – lasting the entire day even with a Woot-Off in progress.

And at least it hasn’t driven me to run over it with a truck, like my friend with the Droid. (grin)

One thing I didn’t understand about the phone were these new “push” notifications, and I’m still not sure I understand them completely. On the iPhone OS, third-party apps are not allowed to run in the background. Thus when using, say, an instant messenger application, you have to keep it in the foreground in order to know that someone has sent you a message. I was using an app called “IM+ lite” by Shape Services and I was bragging that I could stay connected even with it in the background since it supports push notifications and a little pop-up would appear when there was a new message for me to read.

It didn’t dawn on me that the only way that could work is if some third party server was acting as the client by connecting to my Jabber server as me. Since the IM+ app wasn’t in the foreground, there is no way for it to maintain a connection to the server to know that new messages were waiting, so there had to be another method for it to “know” there was a message waiting.

This really pissed me off.

As I have mentioned many times before, I am somewhat of a security nut. We have a Jabber server just for internal communication that a) we control and b) we require SSL connections throughout. Thus I feel really safe when using IM.

What pissed me off was that nowhere in the documentation for IM+ does it mention that some company in Germany is going to receive your credentials in the clear and then masquerade as you on your server – giving them access to your contact list as well as being able to log your conversations. I verified that, indeed, a server using the IP address 87.106.135.189 (which puts it in Berlin) was connected to my Jabber instance.

I was more pissed at myself for not being more careful, but still – I was under the impression that German law required companies to be quite clear about the information they collect over the Internet and how that information is used, but apparently that doesn’t apply to Shape Services. I am paranoid enough not to use my Jabber login as the admin login, so all I had to do was change my password, but still I was angry.

Be very careful when using push notifications on the iPhone.

I have since switched to the Jabber app from OneTeam, and I hope that push support comes to Openfire soon.

But no worries – I figured last night would make me forget all about it since that was our annual pilgrimage to Shaw’s Crab House. I have always loved Shaw’s – nice atmosphere, great service and good food.

To quote the Princess Bride, I have got to get used to disappointment.

To start with we ended up getting seated very close to a large round table full of about eight men and, oddly enough, just one woman. The guy closest to me must have been six and a half feet tall and over 300 pounds, and he was very drunk. This caused him to repeatedly get out of his chair, and since we were about an inch apart it would slam into mine. He would slur an apology but manage to do it again later.

Now the restaurant really doesn’t have too much control over that, but they do have control over the wait staff, which seemed uninformed and not very responsive. Our order of a dozen oysters took over 40 minutes to arrive. This was followed by our main courses, even though two of us had ordered a cup of lobster bisque that should have been served before the mains.

I love the bisque, but it was not to be.

Perhaps because of the delay on the oysters my scallops came out at room temperature. They were perfectly cooked, with just the right amount of caramelization, but just not hot. I ate about half of them before complaining to the table, and my dinnermates suggested that I mention it to the waitress. I did, and she offered to take them back and heat them up, but I resisted. Heck, this is a nice, expensive restaurant and they should be able to deliver food right the first time, and “heating things up” is what I do with leftovers when I get home.

When I said “no, that’s okay”, she got real snippy and said “well, why did you bring it up if you didn’t want me to do anything about it?” So like a punk I let her take my plate and 20 minutes later my scallops returned on a different, heated plate, ever so slightly warmer. By this time I wasn’t hungry anymore.

I blame myself – I should have asked to have our table moved away from the large, drunk guy. I should have replied to the waitress “well, I was hoping you could have suggested something other than heating up my poorly delivered meal, perhaps the manager can suggest something? Will you get him for me?” but I didn’t do any of these things.

I’ve noticed that a lot of unhappiness in this world doesn’t come from bad things happening to people, but from unmet expectations. I was expecting the excellent service and great food I have experienced at Shaw’s in the past, and they under-delivered (in all fairness I should point out that they did comp two desserts because of the missed bisque). I might have been able to mitigate the situation by talking with the manager, but I didn’t, which just deepened my mood even more.

Whenever I experience a bad service situation, I do try to learn from it. I’m going to have to think of ways within our own business when dealing with OpenNMS support to make sure expectations are properly set, and to encourage people to complain to management (i.e. me) if they aren’t. If I have an unhappy client I will do my best to set things right, but I have to know they are unhappy first.

Next time I’m in Chicago I’m eating at Vong’s due to this experience at Shaw’s.

I hope none of our OpenNMS clients feel the same way about us.