When GPL software goes bad

Users of a popular open-source accounting system may have just updated to a license they would never have agreed to had the author actually told them it had changed. What's more, the author is actively censoring attempts to advise the userbase of the license change, and appears to be making an attempt to retrospectively re-license all prior versions as well.

14/04/2007 ~18:00 GMT: Update!

I have just been advised that DWS has just updated their licensing conditions on their website, and have returned SQL-Ledger to the GPLv2 license. This is a great step from DWS as there was some confusion over the legal status of several translations which were user-contributed and had been re-licensed without the original author's consent. He has also released 2.8.1 of the software which I am told includes the GPL license. These changes have come as this article was reaching the upper vote levels in Slashdot's "firehose" submission queue, and has likely come as a reaction to the coverage on the LedgerSMB lists of this article (still no license-related posts appear on the SQL-Ledger lists). The SOSL is still available on the site.

Of particular interest is the updated Terms & Conditions page, which now contains what can only be described as an apparent reaction to being called out on trying to subvert the open community:


The software is licensed under the GNU GENERAL PUBLIC LICENSE commonly known as the GPL. Please read the license before making changes and releasing changes to the general public. A copy of the license may be obtained from http://www.sql-ledger.com/source/license/COPYING.
Licenses are there to protect intellectual property however there will always be people who abuse a license thinking that the license gives them a license to steal. You will find people who distribute forks thinking they do anyone good. In reality they are just stealing someone else's hard work and circulating it as theirs. Most of the time you will hear that theirs is an improved version of SQL-Ledger and the original is a piece of shit.
Marketing a product requires some thought, you don't gain credibility by downplaying someone else, especially the one you are trying to imitate. It simply does not work, it has been proven time and time again. Oh, well, let them think what they do is right, it only works in favour of SQL-Ledger.
Yours truly
Dieter Simader

It's important to understand that a lack of understanding of the GPL and community-based software was a contributing factor to the birth of LedgerSMB, and Dieter continues to display an apparent ignorance of the purpose of the GPL license. However I am glad to see that he has reinstated the License, but sad to see that still the mailing lists remain silent on the entire issue.

SQL-Ledger, a popular double-entry accounting system has, until recently, been available under the GPLv2. With the release of version 2.8.0 of SQL-Ledger, Dieter Simader has chosen to re-license the software under a new, bespoke license referred to as the "SQL-Ledger Open Source License" or the kindly suggested "SQL-Ledger OSL" (hereafter referred to as the SLOSL, for brevity). This license has a few interesting clauses which I will analyze roughly later in this article. Most of the license terms almost seem directly focused on preventing forks, the most recent of which (and perhaps the one gaining the most momentum at this stage) is LedgerSMB (disclosure: I am lightly involved in the LedgerSMB project as a webmonkey and general irritant). Those with a penchant for joining dots might conclude that the recent successes of the LedgerSMB project are exactly what has driven DWS to re-license SQL-Ledger.

First of all, it's important to understand that there is nothing at all wrong with a copyright owner deciding to take his or her work and to license new versions of it under different terms. This is very much their right and something I wouldn't hold against someone should they wish to exercise it. However, that is not the end of the story. There is a foul odor in the air.

Mushroom Community

DWS has chosen to re-license SQL-Ledger to non-open-source terms (more on that later). No worries - he is within his rights to do this. However, he has made this change without so much as a peep about it on the SQL-Ledger mailing lists. The software was released on the website, and although there was no official announcement of its release on the mailing lists, the release itself has come up in discussion but not once has the license change been mentioned (Dieter himself has participated in some of these discussions).

That's not for want of trying though. I know through discussions with people in the LedgerSMB camp that a number of posts have been made to the SQL-Ledger lists querying the license change. None, however, have made it past moderation. The user community is still in the dark on the fact that their accounting package has changed licenses.

It seems clear that the author's intent is to suppress all discussion about the license change and to subvert the community into adopting a license change that they have no idea they agreed to.

Censoring the community is not an entirely new phenomenon, however.

Security through "La La La I Can't Hear You!"

Around August 2006, Chris Travers and Chris Murtagh created the LedgerSMB fork after repeated efforts to close security holes in SQL-Ledger. While some issues would be fixed, many issues would be actively ignored, and others only partially patched. In all cases, the responses from DWS were hostile. The fork was initiated after several months of trying to get fixes accepted for a serious bug which would allow an attacker to bypass the authentication checks.

Since the fork, the LedgerSMB team has ensured that any security vulnerabilities found in the codebase (there have been quite a few, plus those not yet made public) were reported to DWS so that he could patch the issues to protect his users. Generally speaking however, any issue which requires a valid login to exploit has been ignored. Vulnerabilities that are patched are generally done so silently, with no notice to the community that their older versions are vulnerable to attacks.

Needless to say, posts about these unpatched security flaws never make it to the lists or the users, who need to see them most. As a user myself, with two businesses using SQL-Ledger, I find this unacceptable.

An attempt at retrospective licensing

One of the more curious changes brought about by the new license is that there is an attempt being made to apply the new SLOSL license retrospectively. As far as I know, this isn't legally possible, but the attempt is being made nonetheless. This means that DWS wants to revoke your GPL license for older versions of SQL-Ledger, and re-license it under the SLOSL. The Terms & Conditions page at the SQL-Ledger site states:


The software is licensed under the SQL-Ledger Open Source License. Please read the license before making changes and releasing changes to the general public. A copy of the license may be obtained from http://www.sql-ledger.com/source/license/COPYING. The version published on the website at http://www.sql-ledger.com/source/license/COPYING takes precedence over any other version in circulation.

The statement that the SLOSL takes precedence over any other license versions in circulation would appear to be an attempt at retrospective re-licensing. But as Napoleon said (assuming Hanlon plagiarized it), "Never ascribe to malice that which is adequately explained by incompetence." Perhaps this is not the intent of the "takes precedence" claim.

This is not the first time that conditions on the DWS website have cast doubt over their intentions in licensing software under the GPL. Debian had some concerns over this as early as April 2005 - the terms were modified some time afterwards.

A close look at the SLOSL

As of this writing, there have been at least four known versions of the SQL-Ledger Open Source License. Previous versions included some rather interesting clauses (essentially anti-compete stuff) but they have since been removed, so they won't be discussed here. It is quite possible that the license will have changed since this copy was taken as well, but it is functionally identical to the version shipped with 2.8.0.


##########################################################################
SQL-LEDGER OPEN SOURCE LICENSE
(c) 2007, DWS Systems Inc.
##########################################################################

TYPE OF DOCUMENT
This document is an Open Source License (OSL), not to be confused with
the GNU General Public License (commonly known as "GPL"). To avoid
confusion, refer to this Open Source License as "SQL-Ledger OSL"
whenever possible.

Oh, I don't think anyone's going to confuse this with the GPL.

INTENT OF THIS DOCUMENT
The intent of this document is to explain the guidelines for using,
modifying and copying this package. You may only use, modify or
copy this package consistent with the requirements of this license.

CONDITIONS FOR USE AND COPYING
1) You can use and/or copy this package without restriction provided that
you do not use it to violate any Federal, State, County, or City laws or
provisions. This package was released by the copyright holder(s) with the
belief that this package did not already violate any such laws or provisions.

This is one of the more bizarre clauses. Fair enough to stand up for one's beliefs but this is likely to have unintended consequences. If I make a mistake on my tax return, have I violated the license? What if I am running a non-profit fighting for Taiwanese Independence? Or a brothel in New York? ;-)

2) All copyright notices must stay intact at all times.

CONDITIONS FOR MODIFICATION
1) Any modifications to this package must retain all copyright notices
of the original copyright holder(s) for the original code used.
2) Any modifications to this package must be noted (by comment or
otherwise) as modifications, and not as part of the original work.

Clause 2 forces you to take credit for your work. It also hints at the observed hostility to outside contribution the project has shown in the past.

3) After any such modifications, the original code will still remain
copyrighted by the copyright holder(s) or original author(s).

Huh? This is very odd. Copyright law in any country I know would agree that creating a derivative work never changes the copyright on the original.

4) You must freely provide information on where to get the standard
package in its unmodified state.

An advertising clause. Fairly standard outside of the GPL world, as I understand it.

5) It is recommended that any maintenance releases or bug fixes be
directed to the copyright holder(s) for inclusion in the standard package.
6) You may not replace the SQL-Ledger Logo and create the impression
that it is another program.

You must retain the SQL-Ledger Logo. Even if you make a derivative work. This seems designed to directly prevent forking of the project. However, understand that keeping the trademarked logo means that you are subject to the terms and conditions of use. Bear in mind that trademarks are intended as a way to identify yourself in a market segment exclusively. So does using the trademarked logo of DWS (at their insistence) bind you to other behavior they might require pursuant to the use of their trademark? I guess the clause achieves the desired result - it makes any sort of use of the code for redistribution purposes thoroughly undesirable.

DISCLAIMER OF WARRANTY
This software is provided by the copyright holder and contributors "AS-IS",
and any expressed or implied warranties, including, but not limited to,
the implied warranties of merchantability and fitness for a purpose are
disclaimed. In no event shall the copyright holder or contributors be
liable for any direct, indirect, incidental, special, exemplary, or
consequential damages (including, but not limited to, procurement of
substitute goods or services; loss of use, data, or profits; or business
interruption) however caused and on any theory of liability, whether in
contract, strict liability, or tort (including negligence or otherwise)
arising in any way out of the use of this software, even if advised of
the possibility of such damage.

CURRENT LICENSE VERSION
You may view the current version of this license at
http://www.sql-ledger.com/source/license/COPYING

Particularly worrying is that there is no versioning of the license, combined with the aforementioned retrospective re-licensing term, which means that you may never know, minute-to-minute, what you are allowed to do with the system that holds your accounting data.

I for one, will be moving to the still-GPL'd LedgerSMB (which was forked from well before the license changes were implemented).

*SQL-Ledger is a registered trademark of DWS Systems Inc.

LedgerSMB started as a fork of the SQL-Ledger project with a focus on security and data integrity initially, and now a rapid expansion of capabilities through embracing a true open-source style community of open information sharing and contribution.


did you know..

that you need a shell account to create cookies?


Re cookies and shell accounts

Indeed, apparently it is the _users_ who need shell accounts!


Maybe not a legal issue?

Sure, there were some unusual things in the license. Maybe some of them are wrong.

But...

I don't think this should be a legal issue. It's the well-known issue of trust in the open-source (FLOSS) communities. If you can't trust the devs, who can you trust? The license itself is not so important as long as it can be trusted as a bridge between the devs and the community members. But even when the bridge falls, it is still not a legal issue, but an issue of trust.


Re: Maybe not a legal issue?

I agree, and the primary thrust of the article is that the trust was broken. The maintainer changed the license without telling anyone. When it was discovered, he censored the mailing list to prevent anyone else finding out about it. Then when the walls started closing in, he reverted the license change and added some very unprofessional (and in several cases, fictional) statements to his website. You are right, trust really is the central issue at hand - one of the reasons LedgerSMB was started in a round-about way.


Wow. The hostility of the

Wow. The hostility of the maintainer is shocking. As a developer myself, I can understand the frustration one feels when a bug is reported, but taking it out on the person who reported it is completely unprofessional.

-- Doug


Retroactive

I believe the word you're looking for is retroactive not retrospective.

That said, it is simply impossible to retroactively change licenses on code that's already been distributed.


Re: Retroactive

It would seem that most dictionaries consider the two words as synonyms in this case. http://dictionary.reference.com/search?q=retrospective
In a legal context you might have a point though, but even Merriam-Webster's Dictionary of Law looks like it would accept either for this use, although retroactive might be more apt in this case.


Maybe the best phrase would

Maybe the best phrase would be a "reactive change" to the licence...


Semantics

No, "reactive" would be incorrect. I am referring to the attempt to have the new license apply to all previous releases of the software, which is as I understand it, impossible. The "Retro" prefix means applying to things past, back in time. Now in referring to the license change generally, yes, it would appear to be a reactive move in response to the LedgerSMB fork - but that's another issue.


Ex post facto

Ah how a topic can go off course :) How about ...

"... an attempt to retrospectively ex post facto re-license all prior versions ..."

Latin for "from a thing done afterward." Ex post facto is most typically used to refer to a law that applies retroactively, thereby criminalizing conduct that was legal when originally performed.

Caveat emptor, quod erat demonstrandum.


Is there any way you could

Is there any way you could turn on date display for these blog or reply entries, as it is very difficult to know when things are being said. This can have a bearing on someone's perspective of the software package in question, although I for one have raised more than the odd eyebrow when reading mailing list posts, the "style" or approach of the original software author and some of his obvious "supporters".


Timestamps etc

Thanks for the suggestion. Turned out the theme I had changed to didn't show owner and timestamp information for posts. I've moved to a very basic zen-based theme now which shows that information.