The subject of open source software licensing is rarely considered titillating. More often it inspires early afternoon naps.
Well, there's been a change in the script and we've got a small civil war on our hands. Tempers and tensions have risen between US-based Bluenog and Netherlands-based Hippo -- both companies deal in the content management space, both are tinkering with open source.
Now it's not the fight we're interested in -- though it's been a fun interlude of Days of Our [Software] Lives. Rather, it's the principles behind the issue that are worth paying attention to.
In short, Bluenog has been accused of violating Hippo's and Apache's software licenses by using Hippo's code and not properly giving attribution. We had a chat with both parties. Here's what they had to say.
The story broke ground on Seth Gottlieb’s blog, and was followed by a flurry of comments, blog posts and tweets. In our conversations, Hippo was represented by CTO Arje Cahn. From Bluenog’s side, we had CEO Suresh Kuppusamy and COO Scott Barnett representing.
Playing with Legal Boundaries
The entire premise of this sizzling and mostly public discussion was that Bluenog, with their Bluenog ICE product, has been violating Hippo’s license terms from day one. By rights, since Bluenog's software contains Hippo's software, any Bluenog build should contain the Hippo NOTICE file. Any redistribution of the Hippo's Apache-licensed code is obliged to redistribute this file, according to section 4d of the Apache 2.0 license.
For their part, Bluenog insists that attributions have always been in the source code (which is only available to paying customers). The location for Apache License 2.0, however, is not the root folder, as you’d expect. Though according to Kuppusamy, there is a “prominent Apache license right under the Tomcat folder.”
The goal, according to Bluenog, was to avoid having multiple copies of the license, so they decided to keep just that one.
We find it interesting that in the approximately 2 years that Bluenog ICE has been shipping, no one at Bluenog ever noticed the license omission.
Not Wrong, But Not Right...So to Speak.
Bluenog reps denied most of the accusations of licensing violations in their SLA/EULA, source code, trial download distributable and on the web site, but at same time, the vendor made an effort to correct some of the issues that community members and Gottlieb had pointed out.
For example, a Bluenog representative stated that they had “inadvertently missed” including the Hippo license in the Bluenog ICE trial download build.
Bluenog partially “rectified this in our download and we have also added more information on the Open Source Projects section of our website ...”
In the trial ICE binary executable downloaded from Bluenog on July 15, 2009, there were still no attributions to any of the open source technologies or vendors in the Clickwrap Agreement/EULA that you “accept” (or not) during the install process.
The Notice file, says Bluenog, was “missed inadvertently” in the past. There is now a new folder, called 3rdPartyLicensesAndNotices containing attributions file with all dependencies aggregated there. Also, you will find the BluenogLicenseAttributions.pdf in the root ICE folder that lists Hippo and some others with links to corresponding licenses.
The SLA hasn’t changed. Being a commercial content management solutions vendor, “we stand 100 percent behind our products and none of them are licensed to our customers under any of the open source license terms.”
Cahn’s take: “It's too easy to brush aside a breach of the Apache License as the weeping of another sad open source developer complaining about others stealing his code. Let's not forget that in the end respecting licenses is an essential part of the open source ecosystem.”
Forking a Hippo is Messy
Bluenog insists they did not fork Hippo 6 -- though Gottlieb says otherwise. Instead, they assert that they made changes to the original source code which they then “contributed back” (see below).
Should Bluenog’s customers -- who are paying for this combination of open source software -- feel cheated?
For one, ICE is based on an older version of the open source Hippo CMS. ICE leverages the v6 core, where as Hippo has moved on with a significantly re-engineered architecture in the latest version.
Secondly, the entire “integrated suite” that Bluenog sells is a mix of proprietary code and Apache projects -- from Jetspeed, Lucene and Cocoon to Jackrabbit and Wicket -- as well as other free open source technologies like TinyMCE editor.
Bluenog expressed their concern about the v7 release, saying that they preferred not to upgrade to Hippo CMS 7.x because there was "no clear upgrade path from v6 to v7." While it may not be prominent enough, Hippo responds with “Yes, we have a path for that.”
Given their concerns that the new version may not be upward compatible, we can understand that Bluenog wants to wait for Hippo 7 to stabilize. It's certainly a valid worry, and one that's been expressed elsewhere.
The issue may be that moving Bluenog ICE -- a portal-like solution -- over to Hippo v7 represents a distasteful amount of engineering work. The v7 software would have to be tied into the entire ICE framework. And given the re-architecting that took place with the Hippo 7 release, it's easy to imagine this being a prohibitive task. Is it forked or not forked...time will tell.
“We respect what they’re doing," says Bluenog. "They’re taking care of the plumbing -- as we don’t have the expertise there. We take the plumbing and build the house around it.”
On Contributing to the Open Source Community
Back in June, Bluenog formally announced its intent to contribute back to the open source community. We covered that, cautiously (yet optimistically) believing in Good Samaritanship and good open source citizenship of Bluenog. However, since the good faith and good intentions were announced there has been little evidence of results.
In our conversations, the Bluenog team said that they still intend to move forward with the announced plans. And according to COO Barnett, “Contributing back is a critical part of our relationship with the open source community. We want to get [the Nog Exchange] out as soon as possible, but don’t want to rush to make happy someone who is unhappy.” It’s either “satisfy Hippo today or satisfy the entire community tomorrow.” Same thought echoed by CEO Kuppusamy: “We want to give back, but we're so busy.”
The Nog Exchange is the name for Bluenog's open source code sharing and contribution platform. There is still no commitment to an official date on the Nog Exchange launch. Bluenog only says that “given pressure we’re getting from our friends,” it should happen in a matter of a few weeks.
It should be noted that the two key technologies for both Hippo's CMS solution and Bluenog's ICE platform are the Hippo CMS and the Apache Jetspeed 2 portal.
In an attempt to demonstrate a history of contributions, Bluenog sent us the following ad hoc examples:
- Wiki Portlet for Jetspeed
- Performance issue fix for Hippo CMS running on Weblogic
- Hippo CMS drop-downs how-to's
- Support JSP decorators in Jetspeed-2 as well as Velocity
- Portlets issues
- Security "Mapping Only" feature
- DESKTOP_ATTRIBUTE fix
- Moving / Deleting portlets fix
The Hippo CMS team and others in the open source community do not seem impressed. And it's difficult to blame them when you consider that Hippo has 5 developers actively contributing to the Apache Jetspeed project and that Hippo's CTO, Arje Cahn, is a member of the Apache Software Foundation. In his personal blog Arje also states that to his knowledge, Bluenog has never contributed any code back to the Hippo project.
It seems clear that contributing means different things to different folks.
Bluenog was once referred to as “Hippo in drag.” This is only partially true as Bluenog's solution is a few other things in drag as well. And while both the vendors involved are making their money via different and legitimate models, it is clear that Bluenog leans heavily on code written by Hippo's engineers.
Seth Gottlieb closes his article stating:
Customers are essentially paying Bluenog to ask questions on the Hippo mailing list that Hippo and the community are answering for free. It feels like Bluenog’s refusal to acknowledge Hippo is an attempt to protect this arbitrage. Had customers worked directly with Hippo, they would not only save money, they would also know that Hippo has an entirely new product: Hippo CMS 7 that is a ground up rewrite from the 6.x series that Bluenog forked.
Hippo CTO Arje Cahn notes in his blog post that “distributing our product without retaining the required notices does not only goes against the spirit of the open source community, it also hampers our efforts to build the larger community of which Bluenog and its customers are a part.”
Good faith is found in abundance in open source communities. But after this little drama, Bluenog is going to have to earn every drop it can get.