COSS Community

Heather Meeker

AMA with Heather Meeker, Open Source Licensing Expert (and Musician)

Hi! My name is Heather. I’m a General Partner at OSS Capital, and a lawyer in private practice specializing in open source software licensing.

I learned to program when I was a child, and since then, I’ve been fascinated by software and technology. I like to sing and play music (drums), and I like weightlifting and dancing -- but not at the same time.

Discussion (32)

Cassidy Williams

Hey Heather!

Do you have any blanket advice for someone who might have some private code they want to open source, licensing-wise? I've seen some people say that it's overkill, and others saying that they don't understand the licenses enough to use them, or feel like they need a lawyer to have one.

Heather Meeker Ask Me Anything

It's not too hard to choose a license. Here is a video about it, for anyone who is interested. youtu.be/s7alZTsw298

TLDR: You choose either (1) GPL if you want a copyleft license for a whole program, (2) LGPL or MPL if you want a copyleft license for a library, and (3) Apache 2, BSD or MIT if you want a permissive license. And to demonstrate my (minimal) coding skills, here is my license picker! heathermeeker.com/license-picker-2-0/

Thanks for the question!

Deepak Prabhakara

Hi Heather,

It would be great to get a glimpse of how enterprises (especially their legal counsel) view open-source licenses. Are there particular ones they prefer and ones they will likely look to stay away from?

Heather Meeker Ask Me Anything

Unfortunately some legal counsel are still not very knowledgeable about open source, and they consider it a big scary problem. People always fear what they don't understand. (I feel this way about the areas of law I don't know, too.) When it comes to using OSS of others, counsel will be concerned about copyleft licenses like Affero GPL or even GPL. And yet, often, using code under these licenses is not a problem -- you just need to have a compliance process in place, and to understand your use case. Over the years, legal counsel have learned more about OSS, and it's now part of the toolkit of most tech lawyers. But sometimes, we need to do a little education to make them comfortable. I find that it's usually possible to address OSS concerns, and when it's not, it's because of an unwillingness of counsel to learn.

Thanks for the question!

didierlopes.eth

Hey Heather,

I don't have any question per se, as you were very VERY helpful to have a call with OpenBB team very early on to discuss some concerns we were having.

So just came to support your AMA, and thank you for being kind enough to spend some time with us. 😊

Heather Meeker Ask Me Anything

It is truly my pleasure!

Dylan Roskams-Edris

Hello Heather,
Thanks very much for having an AMA.
I'm working at the intersection of open science, academia, and innovation and would love to know whether you have any experience with investing in/supporting projects that originated in academic settings? If so, what advice should academics have when considering this path? And (if you have the bandwidth to answer three questions) how do you convince the institutions themselves to support an open commercialization pathway?
I work in Canada and most of the university policies on innovation and IP have exactly 0 understanding of (and therefore support for) open source as a viable pathway. In fact, they usually end up getting in the way because those policies tend to equivocate "invention" and "commercialization" with highly restrictive IP instruments (e.g., patents and full copyright protection). They often create this really weird perverse incentive where, if an academic develops and shares something under an open source license then anyone else can use it to make money without having to tithe to the institution, but if the inventor themselves wants to commercialize it they have to give 10% revenue (not even net) to the institution, which effectively kills the effort.

Heather Meeker Ask Me Anything

You are right. Universities have come very slowly to understanding OSS or any kind of open knowledge. But it's worse than that, they don't really understand "soft IP." They tend to be very entrenched in a model that goes like this: professors or researchers on their payroll develop inventions, those are patented, and the university licenses them to the inventor (or others) for royalties. I have literally had a university OTL send me a patent license when we wanted to license software or data!

Also, when you are dealing with a university OTL, you are often dealing with a contract lawyer or paralegal who has no authority to negotiate standard patent licensing terms.

This is an education problem, and it's tough. The best you can usually do is get the ear of the head of OTL, who can make decisions, and try to convince them. BTW I think the University of California has some good policies about this. security.ucop.edu/resources/open-s...
You might encourage local universities to take a page from their careful consideration of the topic.

Thanks for the question!

Dylan Roskams-Edris

Thanks a bundle for confirming my experience and the link to the UC resource! I had not encountered it before. Because CAN universities often end up following what the US does it is veeery useful to have this kind of example to point to.

Heather Meeker Ask Me Anything

UC did a lot of forward thinking about it, partially in the hope of creating an example. I hope it works!

Fernando

Hi Heather, thanks for hosting the AMA. I have two semi-related questions:

  1. Individuals and sometimes companies seem to tend to fall back to MIT as default without giving it much thought. What do you think are the most common use cases or situations where folks should consider other licenses and which ones do you recommend?
  2. If someone were to change the license of a project, what steps should they take in order to have those effects safeguard their IP? Is the "damage already done" for the code released before the new license was put in place? If a CLA is needed, do you need previous contributors to sign them in order to update the license?

Heather Meeker Ask Me Anything

If you don't use a CLA, AND you want to change the outbound license for a project, AND you have used a copyleft license (like GPL, AGPL, or LGPL) you usually have to do a clean-up project to get new rights for your project. That is a pain!

When I have advised on those projects, we usually did a 3-tier approach. Some contributions are very small (a few lines, a non-code change) and don't usually require any re-licensing. Some contributions are from contributors who are still involved in the project, and we just send them a CLA to acknowledge. (Usually they don't object.) For those who don't respond, you can push out a notice saying "We are changing our project license, please speak now or forever hold your peace." That is not the best position, legally, but it's often all you can do. If anyone actually does object, you remove the code from the project.

If you have used a permissive license for the project, you don't need all this. You just preserve the original license notice for pre-change contributions. You end up with two license notices, but that's not such a bad thing.

Thanks for the question!

Fernando

People in the Linux development area do seem to default to MIT, because it is GPL compatible.

I guess "tell me the license you go with and I'll tell you who you are" talks a lot about me, or the friends I hang out with? 😆

Thank you for the answers to both questions! I now know a lot more about this than I did before.

Heather Meeker Ask Me Anything

The fallback license seems to depend on the community, in my experience. People in the Linux development area do seem to default to MIT, because it is GPL compatible. (But then they often dual license under GPL and MIT, which is...weird.) In the corporate world, the default license for releases is usually Apache 2.0, because it has patent terms.

Jess Lee

Any horror stories to share for maintainers/entrepreneurs of oss?!

Heather Meeker Ask Me Anything

I have plenty, a few of which I can't share. :) But here are a few general examples -- the names have been omitted to protect the disappointed.

  • Be careful about the name of your project. You should treat it as a trademark and protect it. Some of the worst heartaches I have seen are fights about who gets to control a project, and legally, that comes down to using the project name. Don't let someone else hijack your hard work.

  • If you develop a project while at a company, and want to spin it off into a business, be sure to have a written understanding with your company about it. Most of them will be cooperative if you ask. Again, the legal property at issue is usually the project name, which would usually belong to the company. It can be difficult to understand what rights you have in projects you do "on your own time" -- the law does not track most people's expectations. So you probably need to accept that your company will have a seat at the table in your new venture, and it's best to get that into the open early, rather than have it come back to bite you when you are doing your first financing.

  • If your project is under a copyleft license like GPL, consider whether you need a contribution license agreement (CLA). I have worked with many companies that did not use one, then had to backtrack to get rights from contributors who were no longer engaged, or even friendly.

Thanks for the question!

Melody Drummond Hansen

Hello, Heather—
Long-time listener, first-time caller. 😄
Lawyers often like to include OSS disclosure obligations and/or audit rights or responsibilities. Is disclosure or audit better in your view? Can disclosure obligations lead to over-disclosure or inaccurate disclosures that create risk?
MDH

Heather Meeker Ask Me Anything

Hi Melody!

Audits are useful, but they can be overkill depending on the situation. They are never wrong, of course. I like to say that they are like insurance -- it's never wrong to buy it, but you might be insuring against risks that are very unlikely to arise. Disclosures are very important, not only for the information they convey, but how they demonstrate internal open source compliance processes. If a company (usually in an M&A, investment or sales deal) delivers a disclosure that is unprofessional or lacking information (or the clearly-inaccurate "we don't use any open source"), then it's often best to do an audit. But if the disclosure looks good, then an audit usually doesn't yield any additional material risks.

Thanks for the question!

Liana Felt

Hey Heather - Thank you so much for doing this!

Do you have any guiding principles founders can use to determine the correct licensing model?

Heather Meeker Ask Me Anything

Arcane magic spell, or tarot cards? Just kidding. It's not too complicated.

If you are building a business, you have to figure out what you are selling -- and it can be anything but licenses to open source software, because they are free. But that's not so hard to figure out, because people don't really buy source code rights, they buy products. So, the question is: what extra value are you creating, and who will buy it?

There are all sorts of options: complementary software (open core), managed services, hardware, network platforms, professional services, support services, even product QA (like Red Hat). Here's a video with a deeper explanation for anyone who wants to learn more. youtu.be/Ck1gJIZ3Lr4

Thanks for the question!

Brenda M Brown

Hello Heather,
This comment is just a greeting and kudos, since there is a precedent above for having no question per se. My tenuous connection to open source consists of owning a Helium Hotspot and a Linux computer, and vaguely knowing that both companies use software operating primarily under open source licensing. I've read a few of your easy-to-understand articles on complex topics such as inflation, AGPL and DAOs. We met in person years ago at a Yale event and discussed your work on non-competitive game theory! So I am delighted that you have become successful and world-famous and that I had an opportunity to meet you years ago.

Heather Meeker Ask Me Anything

Thanks for the shout-out, Brenda! It's great to hear from you and I hope you are doing great.

Brenda M Brown

Yes, doing great! Beat Gloria Steinem by one year by marrying a man at age 67! (Her first marriage was at age 66). Sending "Connect" on LinkedIn.

Nishchit

Hey Heather!
Thanks for the AMA!! I have a question about copyright and multiple licenses:

  1. When and why do we add a copyright message/template at the header of each file of an OSS codebase? Does it relate to any license?

  2. Also, would there be any bad impression for enterprises if we use permissive (90%) and copyleft (10%) licenses to save the core of the project? And what should be the best practices to sign CLAs for such a case?

Drew

Hello. I would be curious to hear more of your current thinking on "open core" licensing.

Open core does everything that is needed legally speaking for the data platform and associated tooling that our small firm offers. However, in practice, it seems to leave a bad taste in the mouth for a certain number of individual developers (even if they are not the target market for any of our commercial services) and it confuses some number of larger organizations (who are the target market, but may have varying levels of technical understanding about the open and closed components that their complete solution will entail).

Do you see more understandable alternatives to open core emerging? Is this just the challenge of marketing and selling complex software whatever the licensing model?

Thank you.

Ben H

What factors in open source licensing do developers sometimes over-think, or over-analyze, when they are actually not very important?

Heather Meeker Ask Me Anything

I love this question. License compatibility! There are some pretty simple rules for it, but the open source community spends tons of time arguing about issues like whether Artistic or Apache are compatible with GPL. And never in the history of open source has a claim actually arisen over this, to my knowledge.

Also, some open source licenses have patent license termination provisions. Though this was a good idea to make code licensors comfortable, again, I have never seen such a provision invoked.

Both of these are pretty nerdy licensing issues, so maybe they are more a time sink for lawyers than developers.

Developers sometimes want to write new open source licenses. I would strongly caution against that. Yes, the existing choices are not perfect, but most of them will work in the real world.

Thanks for the question!

Gary

Hi Heather,

Maybe a complicated one here…

Does training a neural net/ML model on a copyrighted dataset that is licensed under a reciprocal license X: a) subject the model to the reciprocal license X; b) enable the copyright owner to have a serious colorable claim under the license or copyright law to rights to the trained model; and/or c) cause any other wonky unexpected effects in contract or copyright law?

Presume the model is not distributed, but merely is used to enable SaaS software usage by third parties…

Thanks!!!

Vivien

Hi Heather,

Two questions:

  1. Can you recommend a contributor's license template?

  2. Just for fun: Is it correct that public domain is not officially "open source" (because it is not OSI-approved)?

Thank you for doing this AMA! Much appreciated ❤️

Vivien.

Heather Meeker Ask Me Anything

For a CLA, I usually use a modified and slimmed down version of the Apache CLA. They use two different forms -- individual and corporate, and I have combined them, and removed some of the Apache terms. I'm happy to share that form if you like, just send me an email. That having been said, there are lots of CLA forms, and they are mostly identical in substance. (BTW I don't think CLAs are necessary for projects with permissive licenses, because the CLA is nearly identical in substance to a permissive license.)

Question 2 is indeed a fun one. Public domain is not officially open source, because the open source definition describes a license. Some public domain dedications, like CC0 or (shudder) WTF, actually have license terms, too. That's because in some countries, theoretically you can't actually dedicate a copyrightable work to the public domain. (An example of the overthinking mentioned above.) These documents have a fallback license, in case the public domain dedication is unenforceable. Actually the recent kerfuffle about CC0, BTW, is that it doesn't grant patent rights. But it would not be very rational to release code under CC0 if you had any patents on it that you wanted to actually enforce.

Thanks for the questions!

Asutosh Mohapatra

Hi Heather,

Is it mandatory to disclose the linking type of the components in the notice file of software?

Heather Meeker Ask Me Anything

No, it's not. Linking method really only matters for LGPL. Some customers, buyers or investors will ask for the information so they can do diligence on LGPL use. But for most licenses it is irrelevant. And no open source license requires you to disclose it in a license notice.

Thanks for the question!