Issue #7 May 2005

What every administrator needs to know about open source licenses

Introduction

If you're a system administrator and you deal with software, then you may know a great deal about licenses. Maybe you've never taken the time to fully read a license, but software licenses govern what we can and cannot do with software that we have obtained. If you work with open source or free (as in freedom) software, then you know that these also carry licenses, but of a completely different nature. This article discusses free and open source licenses from the point of view of a system administrator, specifically technical advantages such as the flexibility that open source licenses provide and the security-related advantages.

The Open Source Definition defines open source primarily in terms of licensing. Section 1, entitled Free Redistribution, states, "The license shall not restrict any party from selling or giving away the software as a component of an aggregate software distribution containing programs from several different sources. The license shall not require a royalty or other fee for such sale." While the underlying rationale pertains to preserving the efforts of contributors in a market system, it's impossible to ignore the importance of the license itself in the Open Source Definition.

The licenses

Perhaps the most widely known open source license is the GNU General Public License (GPL). The GPL was written in 1989 by Richard Stallman and the Free Software Foundation. The important thing to remember about the complex GPL is that the license reversed the concept of what a software license does. Instead of a means of privatizing software, it becomes a means of keeping software free. The preamble states, "the GNU General Public License is intended to guarantee your freedom to share and change free software—to make sure the software is free for all its users."

This has a profound effect on the use of software by system administrators because as software is field tested, problems reveal themselves, and the GNU GPL gives anyone using the software it governs the opportunity to modify it, share those modifications, and even charge for the service of distribution. The effects continue for free (as in freedom) software because the freedom to modify software promotes the spawning of new software projects. These new projects are typically similar in that they also bear open source licenses.

Often, however, the elements of a project have different licensing requirements or goals. Many developers find the GPL too restrictive in that it requires that derived works be distributed under the same license or a superset of the license. Developers may choose to adopt a different or new license from the outset or at some point in their project. An example of another open source license is the Apache License. The Apache License, now in version 2.0, aims to allow contributors to retain the full rights to use their original contributions for any other purpose outside of Apache, while providing the Apache Software Foundation (ASF) and its projects the right to distribute and build upon their work within Apache. Virtually all rights are granted to the licensee, including the right of commercial use or diffusion of derived works under non-open source licenses.

Another widely used license of this type is the Mozilla Public License (MPL). Before early 1998, the classic licenses (GPL, Lesser GPL, BSD, and MIT) were the most commonly used for open source software. Since that time, the Mozilla Public License has become widely used. The MPL is designed to encourage contribution, but some feel it restricts contribution to the benefit of the Mozilla Organization. For this reason, there exists a great debate about whether the MPL and licenses like it are GPL compatible. In fact, they are not, but for the purposes of this article, it's only useful to point out that the MPL does allow for the free distribution of covered source code and requires that the source code for any binaries be available. Today, there are dozens of licenses, each of which has been submitted for review and approval by the Open Source Initiative (OSI), which maintains a list on its website.

Open source licensed applications

Obviously, the reason that these licenses are useful to us is that they give us innovative and technically flexible software. When it comes to the GPL, almost no software is more useful and flexible than the GNU Compiler Collection (GCC).

GCC was first released in 1987 and was the first ANSI C optimizing compiler released as free software. GCC is highly portable and runs on most platforms available today. GCC can produce output for several types of processors including 64-bit CPUs.

Compared with commercially available compilers, GCC provides much more value beyond even the lack of price. GCC has a high degree of flexibility. For example, one can cross compile a program and produce executables for systems other than the system on which GCC resides. This allows software to be compiled for systems where a compiler cannot be run, such as embedded systems: a major advantage.

GCC also has multiple language front-ends, allowing parsing of various languages including Java, Fortran, and C++. Its modular design allows for support of new languages and architectures. Provided that the requisite runtime libraries are available on the target system, adding new language support to GCC enables the use of that language on any architecture. Further, adding a new architecture makes it available for all supported languages.

GCC is distributed under the GNU GPL, so as with all GNU software, you have freedom to use, modify, and share any enhancements you create. For example, GCC and utilities like make are used to compile the distributed source code for the Linux kernel. This fact is crucial to the survival and growth of Linux. Different people run different kernels and distributions, and it would be impossible for kernel developers to create binary distributions for all variations of the Linux kernel.

It's hard to talk about open source and Linux without mentioning the Apache HTTP server. Apache has been called a 'killer app' for Linux and is now the most widely used HTTP server available. Now in 2.0, Apache allows far more flexibility than any commercial alternative. In fact, because of the Apache License's freedom regarding derivative works, many competing commercial HTTP servers are based on Apache or have Apache code in them.

Apache's flexibility lies in its modules. Apache modules provide directives which allow the server administrator to enable or disable functionality of the web server at will. For example, mod_rewrite is a popular module that provides a rule-based rewriting engine to rewrite requested URLs on the fly. Several dozen modules come with Apache by default, and as this article is written 393 are available. The development of these modules and their associated functionality are a direct result of the freedom granted by the Apache License.

Apache continues to grow organically. Users who benefit from this growth tend to contribute back to it by providing enhancements, fixes, and support for others. The Apache team ascribes this benefit to the fact that Apache is provided at no cost. The reasoning is that when someone pays for software, they usually aren't willing to fix its bugs, and so those users don't contribute back to the project. The result of offering it at no cost is a strong community built around Apache which keeps tabs on security vulnerabilities. Since the amount of individual effort expended by any particular contributor is fairly light, the members of the community don't bear unreasonable burdens and Apache is kept up to date. Patches and updated versions of Apache are made available early and often. The Apache community puts their own work under close scrutiny, and this makes for a stable and secure software product.

Another such application under an open source license is MySQL, purportedly the world's most popular open source database. [Editor's note: Refer to the article MySQL basics for more information on MySQL.] Once Apache had been established as a Linux de facto standard, MySQL was not far behind in providing an open source alternative to higher-cost, more complex database technology. MySQL is easy to implement and administer and is the 'M component' in 'LAMP,' a term that defines how MySQL is used in conjunction with Linux, Apache, and either Perl, Python, or PHP. [Editor's note: Refer to the January 2005 article LAMP lights the way for more information on LAMP.] MySQL includes typical enterprise features of databases and several enhancements such as full transaction support with commit, rollback, crash recovery, and low-level locking capabilities.

A major difference in MySQL's strategy is the availability of two distinct licensing options. For developers of open source solutions, MySQL offers their source code and binaries under the GNU GPL. MySQL's Open Source License allows you to offer your software, such as a LAMP application under an open source or free software license, to all who wish to use, modify, and distribute it freely. For developers or companies who do not want to release the source code for their applications as open source or free software, MySQL offers a commercial license which allows you to provide commercial software licenses to your customers or distribute MySQL-based applications within your organization. The benefit here is that you get the benefits of open source or free software with the ability to keep your own application closed source if you so desire.

A discussion of open source and licensing wouldn't be complete without discussing desktop applications, and any open source desktop discussion would be remiss not to mention the recently high-profile web browser Firefox. The United States Computer Emergency Readiness Team (US-CERT), a division of the Department of Homeland Security, recently disclosed several severe security exploits in Internet Explorer and recommended the switch to an alternative browser, such as Firefox. Because Firefox is distributed under the MPL, it is subject to the same forces of open source and free software as any other project, most notably security scrutiny.

Browser software allows users to access the large amount of data on the world wide web, and so the Mozilla Organization reasons that browser software must include both good security design and good security practices to maximize the amount of protection available. This philosophy benefits users as well as system and network administrators who spend a great deal of time protecting assets from spyware and malicious code. Firefox has integrated security features such as popup blocking and the inability of spyware and adware programs to automatically install.

Conclusion

Ultimately, the issue of licensing and software from a technical point of view boils down to requirements. Security and stability, as always, are processes not steady states. The main problem with open source and free software licensing today is that license proliferation has become a barrier to open source deployment. OSI is managing this problem with good policy and as they point out, these are the problems of success, not of failure. Still, where applicable, and where requirements permit, the use of open source licensed software has technical advantages in terms of flexibility and security of the enterprise. The benefit of the communities surrounding these projects will always far exceed the benefit of being royalty-free software products.

For more information on software licenses, refer to last month's video Open source software licenses explained.

About the author

Matt Frye is a Unix/Linux system administrator living in North Carolina. He is Chairman of the North Carolina System Administrators and is an active member of the Triangle Linux User Group. In his spare time, he enjoys fly fishing and mental Kung Foo.