Open Source Hypocrisy

Matt Mullenweg, founding developer of WordPress, posted an interesting article called Price of Freedom. The main thrust of the article is the thorny problem of open source software protecting itself from people that simply remove all original references and copyright notice and pretend they created the software.

Being someone that just recently had their own copyright violated (article on that one soon), I can relate. Matt states:

“Though the freedom intrinsic in the GPL that has allowed people to abuse WordPress it has allowed even more people to do amazing things and over time the good far, far outweighs the bad. Most importantly I feel like WordPress would have never gotten off the ground if it hadn’t been open from the beginning. (In fact there were several more functional blogging programs started around the same time that have since withered away.)

Ultimately I know our software isn’t going to change anyone’s spots. Good people will do good things with it, and bad people will do bad things with it — regardless of any protections I put in place. Windows Vista, a multi-billion dollar enterprise, was cracked within days. Does any piddling encoding I can do in PHP really matter? If protection like that isn’t broken it’s a statement of popularity, not security. I suppose could harass the bad guys, shut down their host, send them scary letters, but it’s just going to stress me out and like cockroaches they’ll pop up someplace else. I also know that most projects, software, and ideas die from obscurity, not piracy.”

I agree wholeheartedly with Matt on the encryption/obfuscation issue, as it just doesn’t make sense with open source software. I’m also not hip to the idea of encrypting a footer or other such include in order to enforce some sort of copyright notification that the end user has no power to suppress.

For example, on a PHP-based open source CMS project I was once involved in, we were trying to tackle the same issue: Some folks were taking our software, removing all references to us, and rebranding it as their own and selling it as a closed commercial product.

How do you police such behavior?

As an open source volunteer, you’re most likely working with limited resources, so you don’t really have the time to spend 5 hours a day surfing the Internet looking for violations like a miniature RIAA.

On this particular project, it was decided to include a META tag in all output, identifying the platform that was powering the site. (For the record, I was aghast at the notion and fought the idea as it was not really any better than the encrypted copyright notice. But I was outnumbered. C’est la vie.)

Of course, one of the first things all clients asked me to do was remove the META output, but not because they were wanting to violate copyright, but avoid a storm of corporate issues – angry vendors when they learned the corporate site was not on their platform, competing vendors who claim favoritism, and such. My biggest gripe was that it made it easy for less-virtuous people to hunt down websites with a vulnerable version of that software if a major exploit was ever found.

It looks like Matt’s perspective is one I endorse at the end of the discussion though; as to me it’s totally uncool and un-FOSS-like to encrypt a copyright notice or spit out unwanted META output. The only thing we can do is continue to innovate, express ourselves in our craft, and know that the bad guys always end up with a burning paper bag of dog droppings on their front porch.

Not that I’m suggesting anyone take any action. (cough)