A Question of Trust

I went to the beach this weekend for a short vacation. On the way back I stopped for fuel, and while I was pumping a man came up to me with a sob story about a broken fuel pump and how he needed some money to get home.

This happens to me about every three years or so, and I always react the same way.

I give them money.

Yeah, I know that this labels me as a sucker, but I would much rather give $10 to ten people who are lying about why they need it than to not give it to one person who did.

On the other hand, panhandling doesn’t work on me (I rarely give money to people who accost me on the street) but busking sometimes does.

It comes down to a matter of trust.

Since I work in open source software some might assume that I’m some long-haired, love thy neighbor hippy type. This is not true. Being a geek I tend to model my behavior on what makes sense. Creating a community to develop OpenNMS is simply the most rational way to create a rapidly growing enterprise-grade network management framework. What makes it work is that the people involved have a mutual respect and trust in each other.

When I started out with OpenNMS, I decided to trust in a number of people that I didn’t know. That trust has really paid off into making OpenNMS what it is today. This wasn’t a leap of blind faith but an effective strategy based on game theory called “Tit for Tat”. Also known as “equivalent retaliation”, the idea is that you trust the other person at first and then behave as they do. If they prove trustworthy, you continue to trust them. If not, you stop trusting them. It has been shown that over time this is a very successful behavior.

So why do I bring this up? Back in 2005 a company called Cittio was brought to my attention. Their stuff looked a whole lot like OpenNMS with a better GUI. I investigated it and it turns out that they are using OpenNMS and probably a number of other open source tools, but they seem to be going out of their way to hide that fact. I called Jamie Lerner, the founder, and he assured me that they were abiding by the GPL. Since I didn’t have any proof to the contrary, I decided to trust him.

It seems that trust was misplaced.

I recently got an e-mail from a company that was looking at both OpenNMS and Cittio. It appears that Cittio is not telling potential clients that any open source software is being used, at least not at the level of detail required by the GPL. From the client “Oh, Watchtower told us that they used some open source apps but did not mention as to what they used”. When I brought up the fact that parts of Watchtower are based on OpenNMS, the client replied “I could not find one ounce of mention on their website to OpenNMS or any other Open Source code that is running on this product. That really irritates me.”

I should also mention that this client is in final negotiations with Cittio (they dropped their initial price considerably) so we’re not talking a first contact cold call here – they are ready to close this deal without a single detail concerning their use of open source.

So I have moved Cittio into the “untrustworthy” column.

At the moment I really can’t do anything about this. We are doing well enough that I could get lawyers involved, but I’d rather spend any extra money we have on making OpenNMS better than pursuing a company like Cittio. I am hoping that word of mouth is enough to get people asking the right questions when dealing with them.

While part of this pisses me off, another part finds it kind of amusing. The part that makes me angry is that a lot of people have donated significant time to build OpenNMS and when someone comes along and exploits that work it is just not right.

The amusing part is that this situation reminds me of the old joke about the Space Shuttle program. The Soviets had a very similar program called “Buran”.

Image yoinked from here.

As you can see, the two systems are strikingly similar. The joke after the Challenger disaster was that it put the US space program back 2 years and the Soviet one back 10.

In the same vein, it looks like Cittio would like to run their stuff on Windows. When we announced our Windows port, one of the outstanding issues was that jrrd had not been completely ported yet. So it was funny to see a question on our mailing list from Orhan Aglagul, a Senior Software Engineer at Cittio according to LinkedIn, asking about compiling the jrrd.dll. He used his gmail.com account when he posted on our list, but he used his cittio.com account when he asked the same question on the RRDtool list. Sneaky, huh? And not very smart, as I doubt Tobi has any clue as to what jrrd is.

When Ben is able to finish jrrd.dll (it is not needed for OpenNMS to run) I guess that will save Cittio some time, although it is published under the GPL and not the LGPL and thus they can’t use it without exposing at least some of their code to the GPL. It doesn’t appear this has stopped them in the past.

If there are any Cittio customers out there that have purchased the product and received the source code I would be interested in hearing from you and I will update this post accordingly. Likewise, if you have purchased the product and not received the source code, I would be interested in learning about that too.

Let me be clear that I welcome people to take and use the OpenNMS code, tweak it to your heart’s content and perhaps contribute some of that work back to the project. I even welcome people who make changes for their personal use and don’t, for whatever reason, feel like sharing those changes. But I have to draw the line at someone taking the code, hiding or at the bare minimum obfuscating that fact, and distributing it to others in violation of the license.

7 thoughts on “A Question of Trust”

  1. I did wonder how long it would take before someone tried this with OpenNMS. You might want to drop an email to the SFLC and to just to see what they recommend. I think I’d even contact PJ over at Groklaw.

  2. I actually did contact the SFLC but since various parts of the OpenNMS code are owned by different commercial companies, they can’t pursue it. However, we are working to set up a non-profit foundation to act as a holding company for any intellectual property related to OpenNMS (copyrights, trademarks) and if that is successful all of the OpenNMS code will be held by this non-profit and we will definitely start pursuing things like this actively. I can only hope that any investors in companies that use open source software, like OpenNMS, improperly were adequately aware of this before they put up their money.

  3. Did you really look that hard on their site or elsewhere to see that they fully disclose what open source products they use? A 10 second google search of “Cittio open source” pops up a full page on their site listing each open source package they use in a very simple list. It also doesn’t seem that hard to find just looking at their site Technology/Open Source Components is pretty easy to find.

    Not saying they are perfect – but they seem pretty far from hiding the fact that OpenNMS is in their product offering

  4. wishdev: it is not a question of what I know, but of what potential clients know. The GPL is very clear about how proprietary and GPL’d software can be distributed together, and it is up to Cittio to insure that clients and potential clients are aware of how they are using GPL’d code, and this code must be kept separate from the proprietary code to insure that the end user is clear on what is free and what is not. I have a number of e-mails with a client of Cittio’s where this was not made clear. The onus is on Cittio to insure the client is aware of how open source code is used in their product, and not the other way around.

    Plus, there is an “anonymous” post on our mailing list by a Cittio employee asking questions about very recent code, unlike the five year old code they mention on the website. It “suggests” that Cittio is not being upfront about their use of OpenNMS.

    I will gladly post to this blog any reply from Cittio, unedited, if they would like to clearly state how they are using OpenNMS, how they let their customers know about OpenNMS (and RRDTool and Postgresql) and how they are able to integrate it into their commercial product without changes to the OpenNMS code.

  5. Apologies for not responding to this earlier, my second son just entered this world and my family and I have been a little busy.

    As you know, CITTIO was founded because of the shortcomings of legacy NMS solutions that were too manual, too time-consuming and ultimately unable to deliver needed visibility across heterogeneous environments. We chose to build a software company that leveraged the power and flexibility of open-source technology.

    Currently, CITTIO’s software makes use of more than 35 open source components. We’re deeply dedicated to the ongoing success and growth of open source as well as maintaining strong relationships with the open source community for many years to come. To clear the air:

    1) Our focus has been and remains to provide the best monitoring solution possible for our customers and future customers.
    2) We fully disclose information on the open source components we use on our website at: http://www.cittio.com/technology/open-source.html .
    3) As our website clearly states, we currently use OpenNMS version 1.0.2 and believe we had abided by the GPL.
    4) Our contracts make it clear open source code is delivered with our offerings and customers have the right to gain access, copy, modify and redistribute this free software.
    5) Our customers have access to the open source code used in our offerings.
    6) The CITTIO developer referenced is a dedicated, hard-working contractor who also works from home frequently, hence the CITTIO and non-CITTIO DNSs.

    The above is clearly not enough so let me explain how we use OpenNMS in our product and the changes we will make going forward:

    We use the 1.0.2 OpenNMS code line which is fairly old but works well for what we use it for. We leverage the backend daemons such as discovery and data collection. Collected data is put into the PostgreSQL database, RRD files, and into Java messages where we then access it from standard SQL or Java messaging and display the results in our GUI. By accessing the OpenNMS code via standard SQL and Java messages, we believe we created a clear separation between the GPL code and our code. This being said, we have incorporated bug fixes, performance enhancements and some features from more recent OpenNMS builds into the code. We also have made modifications in order to make the communication points with OpenNMS easier by adding some more messages or data into the database. In addition we have added enhancements such as performance tuning and dynamic graphing of hard drive mount points. We have always made an offer to all customers in our standard software license agreement that this code is freely available to them.

    It is clear making code available to our customers is not enough. We will therefore also make this code freely available to everyone on sourceforge as part of our 3.1 release in the next few weeks. Given your suggestions, we will look into making a third party audit of our software and sharing the results. I hope this provides more clarity and resolves any outstanding issues.

    Jamie Lerner
    President & CEO
    CITTIO, Inc.

  6. Congratulations on the birth of your son, and thank you for taking the time to write. My hope is that the community will allow you time to respond in full, because I am sure that more questions will arise than the ones I wish to raise here.

    At OpenNMS our main concern is that since Watchtower and OpenNMS exist to perform many of the same functions, we want to insure that the work of our community is not abused, on purpose or by accident. Since we are open source, you can see all of our code, and we can’t see yours. That makes us very nervous.

    For example, you state twice that you use OpenNMS 1.0.2. Then you go on to state that “we have incorporated bug fixes, performance enhancements and some features from more recent OpenNMS builds into the code”. This means that *you are not using OpenNMS 1.0.2*.

    Do you see the contradiction? It is also an admission that Cittio is intimate enough with the OpenNMS code to be able to backport these changes. It makes me wonder where else the OpenNMS code might have ended up. I would like to hear about how you keep your main developers isolated from the OpenNMS codebase to insure that there is no accidental cross contamination.

    You also mention that you leverage the backend daemons for discovery. Our discovery process is used mainly to determine what services are to be monitored on what devices. Does this mean that to provide the “best monitoring solution” for your customers that you are using OpenNMS monitors? I wouldn’t blame you a bit since they’re great but it starts to really blur the line at where OpenNMS stops and Watchtower begins.

    You also mention “Java messages” as a method of integration. Could you be more specific? In my admittedly limited knowledge of Java I can’t think of anything that could be considered a “Java Message” that doesn’t amount to the static linking of libraries, which would violate the GPL. For example, if there was a Watchtower .jsp file that imported a class from org.opennms, the moment Tomcat compiled that JSP it would amount to a static link.

    The GPL also requires that you either transfer the source when you transfer the binaries, or you make a written offer available to all third parties to provide the source for three years. Just to be clear, from your comments I assume it is the latter?

    I like the idea of a third party audit, because even if you release your code modifications from 1.0.2 via Sourceforge, no one can be sure you have released all of them. Thank you again for your time and we look forward to the results.
