COSS Community šŸŒ±

Cover image for AMA with Heather Meeker, Open Source Licensing Expert (and Musician)

AMA with Heather Meeker, Open Source Licensing Expert (and Musician)

Heather Meeker on July 27, 2022

Hi! My name is Heather. Iā€™m a General Partner at OSS Capital, and a lawyer in private practice specializing in open source software licensing. I...
Collapse
 
cassidoo profile image
Cassidy Williams

Hey Heather!

Do you have any blanket advice for someone who might have some private code they want to open source, licensing-wise? I've seen some people say that it's overkill, and others saying that they don't understand the licenses enough to use them, or feel like they need a lawyer to have one.

Collapse
 
heathermeeker profile image
Heather Meeker

It's not too hard to choose a license. Here is a video about it, for anyone who is interested. youtu.be/s7alZTsw298

TLDR: You choose either (1) GPL if you want a copyleft license for a whole program, (2) LGPL or MPL if you want a copyleft license for a library, and (3) Apache 2, BSD or MIT if you want a permissive license. And to demonstrate my (minimal) coding skills, here is my license picker! heathermeeker.com/license-picker-2-0/

Thanks for the question!

Collapse
 
dylanwre profile image
Dylan Roskams-Edris

Hello Heather,
Thanks very much for having an AMA.
I'm working at the intersection of open science, academia, and innovation and would love to know whether you have any experience with investing in/supporting projects that originated in academic settings? If so, what advice academics should have when considering this path? and (if you have the bandwidth to answer three questions) how do you convince the institutions themselves to support an open commercialization pathway?
I work in Canada and most of the university policies on innovation and IP have exactly 0 understanding of (and therefore support for) open source as a viable pathway. In fact, they usually end up getting in the way because those policies tend to equivocate "invention" and "commercialization" with highly restrictive IP instruments (e.g., patents and full copyright protection). They often create this really weird perverse incentive where, if an academic develops and shares something under an open source license then anyone else can use it to make money without having to tithe to the institution, but if the inventor themselves wants to commercialize it they have to give 10% revenue (not even net) to the institution, which effectively kills the effort.

Collapse
 
heathermeeker profile image
Heather Meeker

You are right. Universities have come very slowly to understanding OSS or any kind of open knowledge. But it's worse than that, they don't really understand "soft IP." They tend to be very entrenched in a model that goes like this: professors or researchers on their payroll develop inventions, those are patented, and the university licenses them to the inventor (or others) for royalties. I have literally had a university OTL send me a patent license when we wanted to license software or data!

Also, when you are dealing with a university OTL, you are often dealing with a contract lawyer or paralegal who has no authority to negotiate standard patent licensing terms.

This is an education problem, and it's tough. The best you can usually do is get the ear of the head of OTL, who can make decisions, and try to convince them. BTW I think the University of California has some good policies about this. security.ucop.edu/resources/open-s...
You might encourage local universities to take a page from their careful consideration of the topic.

Thanks for the question!

Collapse
 
dylanwre profile image
Dylan Roskams-Edris

Thanks a bundle for confirming my experience and the link to the UC resource! I had not encountered it before. Because CAN universities often end up following what the US does it is veeery useful to have this kind of example to point to.

Thread Thread
 
heathermeeker profile image
Heather Meeker

UC did a lot of forward thinking about it, partially in the hope of creating an example. I hope it works!

Collapse
 
didierrlopes profile image
didierlopes.eth

Hey Heather,

I don't have any question per se, as you were very VERY helpful to have a call with OpenBB team very early on to discuss some concerns we were having.

So just came to support your AMA, and thank you for being kind enough to spend some time with us. šŸ˜Š

Collapse
 
heathermeeker profile image
Heather Meeker

It is truly my pleasure!

Collapse
 
fdocr profile image
Fernando

Hi Heather, thanks for hosting the AMA. I have two semi-related questions:

  1. Individuals and sometimes companies seem to tend to fallback to MIT as default without giving it much thought. What do you think are the most common use cases or situations where folks should consider other licenses and which ones do you recommend?
  2. If someone were to change the license of a project, what steps should they take in order to have those effects safeguard their IP? Is the "damage already done" for the code released before the new license was put in place? If a CLA is needed, do you need previous contributors to sign them in order to update the license?
Collapse
 
heathermeeker profile image
Heather Meeker

If you don't use a CLA, AND you want to change the outbound license for a project, AND you have used a copyleft license (like GPL, AGPL, or LGPL) you usually have to do a clean-up project to get new rights for your project. That is a pain!

When I have advised on those projects, we usually did a 3-tier approach. Some contributions are very small (a few lines, a non-code change) and don't usually require any re-licensing. Some contributions are from contributors who are still involved in the project, and we just send them a CLA to acknowledge. (Usually they don't object.) For those who don't respond, you can push out a notice saying "We are changing our project license, please speak now or forever hold your peace." That is not the best position, legally, but it's often all you can do. If anyone actually does object, you remove the code from the project.

If you have used a permissive license for the project, you don't need all this. You just preserve the original license notice for pre-change contributions. You end up with two license notices, but that's not such a bad thing.

Thanks for the question!

Collapse
 
fdocr profile image
Fernando

People in the Linux development area do seem to default to MIT, because it is GPL compatible.

I guess "tell me the license you go with and I'll tell you who you are" talks a lot about me, or the friends I hang out with? šŸ˜†

Thank you for the answers to both questions! I now know a lot more about this than I did before.

Collapse
 
heathermeeker profile image
Heather Meeker

The fallback license seems to depend on the community, in my experience. People in the Linux development area do seem to default to MIT, because it is GPL compatible. (But then they often dual license under GPL and MIT, which is...weird.) In corporate world, the default license for releases is usually Apache 2.0, because it has patent terms.

Collapse
 
jess profile image
Jess Lee

Any horror stories to share for maintainers/entrepreneurs of oss?!

Collapse
 
heathermeeker profile image
Heather Meeker

I have plenty, a few of which I can't share. :) But here are a few general examples -- the names have been omitted to protect the disappointed.

  • Be careful about the name of your project. You should treat it as a trademark and protect it. Some of the worst heartaches I have seen are fights about who gets to control a project, and legally, that comes down to using the project name. Don't let someone else hijack your hard work.

  • If you develop a project while at a company, and want to spin in off into a business, be sure to have a written understanding with your company about it. Most of them will be cooperative if you ask. Again, the legal property at issue is usually the project name, which would usually belong to the company. It can be difficult to understand what rights you have in projects you do "on your own time" -- the law does not track most people's expectations. So you probably need to accept that your company will have a seat at the table in your new venture, and it's best to get that into the open early, rather than have it come back to bite you when you are doing your first financing.

  • If your project is under a copyleft license like GPL, consider whether you need a contribution license agreement (CLA). I have worked with many companies that did not use one, then had to backtrack to get rights from contributors who were no longer engaged, or even friendly.

Thanks for the question!

Collapse
 
deepak profile image
Deepak Prabhakara

Hi Heather,

It would be great to get a glimpse of how Enterprises (especially their legal counsel) view open-source licenses, are there particular ones they prefer and ones they will likely look to stay away from?

Collapse
 
heathermeeker profile image
Heather Meeker

Unfortunately some legal counsel are still not very knowledgeable about open source, and they consider it a big scary problem. People always fear what they don't understand. (I feel this way about the areas of law I don't know, too.) When it comes to using OSS of others, counsel will be concerned about copyleft licenses like Affero GPL or even GPL. And yet, often, using code under these licenses is not a problem -- you just need to have a compliance process in place, and to understand your use case. Over the years, legal counsel have learned more about OSS, and it's now part of the toolkit of most tech lawyers. But sometimes, we need to do a little education to make them comfortable. I find that it's usually possible to address OSS concerns, and when it's not, it's because of an unwillingness of counsel to learn.

Thanks for the question!

Collapse
 
melodydrummondhansen profile image
Melody Drummond Hansen

Hello, Heatherā€”
Long-time listener, first-time caller. šŸ˜„
Lawyers often like to include OSS disclosure obligations and/or audit rights or responsibilities. Is disclosure or audit better in your view? Can disclosure obligations lead to over-disclosure or inaccurate disclosures that create risk?
MDH

Collapse
 
heathermeeker profile image
Heather Meeker

Hi Melody!

Audits are useful, but they can be overkill depending on the situation. They are never wrong, of course. I like to say that they are like insurance -- it's never wrong to buy it, but you might be insuring against risks that are very unlikely to arise. Disclosures are very important, not only for the information they convey, but how they demonstrate internal open source compliance processes. If a company (usually in an M&A, investment or sales deal) delivers a disclosure that is unprofessional or lacking information (or the clearly-inaccurate "we don't use any open source"), then it's often best to do an audit. But if the disclosure looks good, then an audit usually doesn't yield any additional material risks.

Thanks for the question!

Collapse
 
brendab9 profile image
Brenda M Brown

Hello Heather,
This comment is just a greeting and kudos, since there is a precedent above for having no question per se. My tenuous connection to open source consists of owning a Helium Hotspot and a Linux computer, and vaguely knowing that both companies use software operating primarily under open source licensing. I've read a few of your easy to understand articles on complex topics such as inflation, AGPL and DAO's. We met in person years ago at a Yale event and discussed your work on non competitive game theory! So I am delighted that you have become successful and world-famous and that I had an opportunity to meet you years ago.

Collapse
 
heathermeeker profile image
Heather Meeker

Thanks for the shout-out, Brenda! It's great to hear from you and I hope you are doing great.

Collapse
 
brendab9 profile image
Brenda M Brown

Yes, doing great! Beat Gloria Steinem by one year by marrying a man at age 67! (Her first marriage was at age 66). Sending "Connect" on LinkedIn.

Collapse
 
liana profile image
Liana Felt

Hey Heather - Thank you so much for doing this!

Do you have any guiding principles founders can use to determine the correct licensing model?

Collapse
 
heathermeeker profile image
Heather Meeker

Arcane magic spell, or tarot cards? Just kidding. It's not too complicated.

If you are building a business, you have to figure out what you are selling -- and it can be anything but licenses to open source software, because they are free. But that's not so hard to figure out, because people don't really buy source code rights, they buy products. So, the question is: what extra value are you creating, and who will buy it?

There are all sorts of options: complimentary software (open core), managed services, hardware, network platforms, professional services, support services, even product QA (like Red Hat). Here's a video with a deeper explanation for anyone who wants to learn more. youtu.be/Ck1gJIZ3Lr4

Thanks for the question!

Collapse
 
nishchit14 profile image
Nishchit

Hey Heather!
Thanks for the AMA!! I have a question about copyright and multiple licenses,

  1. when and why do add a copyright message/template at the header of each file of oss codebase? does it relate to any license?

  2. also would there be any bad impression for enterprises if we use permissive (90%) and copyleft(10%) licenses to save the core of the project? and what should be the best practices to sign CLAs for such case?

Collapse
 
bau profile image
Bau

lucarb999.com/ Europe storms: Children among dead in France, Austria and Italy
Strong tempests have battered areas of focal and southern Europe, killing something like 12 individuals including three kids.
The passings, most from falling trees, were accounted for in Italy and Austria, and on the French island of Corsica.
Weighty downpour and winds destroyed campgrounds on the island, while in Venice, Italy, brick work was brushed off the belltower of St Mark's Basilica.
The tempests follow a long time of heatwave and dry spell across a significant part of the mainland.
In Corsica, twists blasting up to 224 km/h (140mph) removed trees and harmed trailers.
Specialists there said a 13-year-old young lady was killed by a falling tree on a camping area.
Inside Minister GĆ©rald Darmanin, who showed up in Corsica on Thursday, said 20 individuals had been harmed - four of them truly.

Just about 13,000 individuals were cleared from a few campgrounds on Thursday night and protected in open structures, in front of more anticipated harm. Yet, specialists said on Friday morning that the night had passed with practically no significant occurrences.
Outrageous tempests have become more successive as of late in light of environmental change.
Observers to the tempests said they had been totally unforeseen and no advance notice was given.
"We have never seen such immense tempests as this, you would think it was a typhoon," eatery proprietor Cedric Boell told Reuters news organization.
On the French central area, a few southern regions were hit by power cuts and roads were overflowed in the nation's subsequent city, Marseille.
In Austria two young ladies matured four and eight were killed by a falling tree close to a lake in Carinthia.
Afterward, three ladies were accounted for to have kicked the bucket in Lower Austria territory, likewise because of a falling tree.
Authorities said 13 individuals had been harmed, including five youngsters.
Four different ways environmental change is influencing climate
Hannes Primus, city chairman of the Wolfsberg region where the two young ladies were killed, said the region has been left looking "like a combat zone".
In the mean time in Italy, a man and a lady were killed by falling trees in discrete episodes in the locale of Tuscany.
High breezes moved throughout Venice, blowing bistro umbrellas across St Mark's Square and dislodging brickwork from the church belltower.
Ocean side hotels in Tuscany and further north in Liguria were harmed by the tempests.
Tuscan local pioneer Eugenio Giani posted a video of a ferris wheel going crazy in high breezes at Piombino.
In any case, in southern Italy, the heatwave proceeded, with temperatures of up to 40C kept in Sicily.
Furthermore, across the Mediterranean Sea in Algeria, somewhere around 38 individuals have passed on in backwoods fires.
Many pieces of Europe have seen a long time of uncommonly sweltering and dry climate.
Outrageous climate occasions, including both heatwaves and storms, have become more serious and more continuous lately due to human-incited environmental change.
The world has proactively warmed by around 1.1C since the modern time started and temperatures will continue to rise except if state run administrations all over the planet make steep slices to emanations.

Collapse
 
ben profile image
Ben Halpern

What factors in open source licensing do developers sometimes over-think, or over-analyze, when they are actually not very important?

Collapse
 
heathermeeker profile image
Heather Meeker

I love this question. License compatibility! There are some pretty simple rules for it, but the open source community spends tons of time arguing about issues like whether Artistic or Apache are compatible with GPL. And never in the history of open source has a claim actually arisen over this, to my knowledge.

Also, some open source licenses have patent license termination provisions. Though this was a good idea to make code licensors comfortable, again, I have never seen such a provision invoked.

Both of these are pretty nerdy licensing issues, so maybe they are more a time sink for lawyers than developers.

Developers sometimes want to write new open source licenses. I would strongly caution against that. Yes, the existing choices are not perfect, but most of them will work in the real world.

Thanks for the question!

Collapse
 
gg profile image
Gary

Hi Heather,

Maybe a complicated one hereā€¦

Does training a neural net/ML model on a copyrighted dataset that is licensed under a reciprocal license X: a) subject the model to the reciprocal license X; b) enable the copyright owner to have a serious colorable claim under the license or copyright law to rights to the trained model; and/or c) cause any other wonky unexpected effects in contract or copyright law?

Presume the model is not distributed, but merely is used to enable SaaS software usage by third partiesā€¦

Thanks!!!

Collapse
 
obxvivien profile image
Vivien

Hi Heather,

two questions:

  1. Can you recommend a contributor's license template?

  2. just for fun: Is it correct that public domain is not officially "open source" (because it is not OSI-approved?)?

Thank you for doing this AMA! much appreciated ā¤ļø

Vivien.

Collapse
 
heathermeeker profile image
Heather Meeker

For a CLA, I usually use a modified and slimmed down version of the Apache CLA. They use two different forms -- individual and corporate, and I have combined them, and removed some of the Apache terms. I'm happy to share that form if you like, just send me an email. That having been said, there are lots of CLA forms, and they are mostly identical in substance. (BTW I don't think CLAs are necessary for projects with permissive licenses, because the CLA is nearly identical in substance to a permissive license.)

Question 2 is indeed a fun one. Public domain is not officially open source, because the open source definition describes a license. Some public domain dedications, like CC0 or (shudder) WTF, actually have license terms, too. That's because in some countries, theoretically you can't actually dedicate a copyrightable work to the public domain. (An example of the the overthinking mentioned above.) These documents have a fallback license, in case the public domain dedication is unenforceable. Actually the recent kerfuffle about CC0, BTW, is that it doesn't grant patent rights. But it would not be very rational to release code under CC0 if you had any patents on it that you wanted to actually enforce.

Thanks for the questions!

Collapse
 
drewda profile image
Drew

Hello. I would be curious to hear more of your current thinking on "open core" licensing.

Open core does everything that is needed legally speaking for the data platform and associated tooling that our small firm offers. However, in practice, it seems to leave a bad taste in the mouth for a certain number of individual developers (even if they are not the target market for any of our commercial services) and it confuses some number of larger organizations (who are the target market, but may have varying levels of technical understanding about the open and closed components that their complete solution will entail).

Do you see more understandable alternatives to open core emerging? Is this just the challenge of marketing and selling complex software whatever the licensing model?

Thank you.

Collapse
 
ashu_153 profile image
Asutosh Mohapatra

Hi Heather,

Is it mandatory to disclose the linking type of the components in the notice file of software?

Collapse
 
heathermeeker profile image
Heather Meeker

No, it's not. Linking method really only matters for LGPL. Some customers, buyers or investors will ask for the information so they can do diligence on LGPL use. But for most licenses it is irrelevant. And no open source licenses requires you to disclose it in a license notice.

Thanks for the question!

Collapse
 
bau profile image
Bau

Your diligent effort has not slipped through the cracks. I and the whole senior administration might want to compliment you on working effectively. ą¹€ąø„ą¹ˆąø™ąøŖąø„ą¹‡ąø­ąø•