Every so often I think about how fortunate we are as a company to be part of such a dynamic and thriving open source community. Our physical location is fantastic and, even better, our "back yard" boasts some of the most innovative open source organizations in the nation. Less than a block to the right is Jaspersoft, around the corner is Groundwork Open Source and a bit further up are Hyperic and Mulesource, among others. The area is a hotbed of activity and enables us to keep our finger on the pulse of what's happening in open source evolution.
As a testament to our commitment to the community, we launched our GPLv3 Resource Site back in June of 2007 as a way to share the comprehensive research we had been gathering as a normal course of business. To make the site as useful as possible, we added the option for development teams to actively contribute information regarding their own projects so that the world could track what they were doing. Since its inception, we have had an impressive and steady stream of visitors, who come from all over the world.
As we move into the final quarter of 2007 we are working on yet another intensive and valuable project that we hope to "gift" to the community before year's end.
It has come to my attention that there now exists a GPLv3 site that purports to be the first online resource with information based solely on open source projects publicly publishing code under the new license versions. Well, we took a few moments to investigate this claim and found several important discrepancies, including projects that have not yet converted and have no code published under GPLv3. That said, it's important to focus on the entire landscape surrounding GPLv3 conversions, and that is what we offer.
On October 16, Matt Asay posted a blog entry regarding Palamida's distillation of GPLv3 conversion numbers and the importance of getting a thorough picture of what's going on with regard to projects not yet moved, or including the terminology "or later" in their licenses. As of today, our site lists 984 projects - all of them out in the open for the world to see, play around with, validate, etc. This transparency means that any inaccuracies in our reporting are flagged immediately by the community and rectified in real time. We run the GPLv3 site like an open source project - it's a collaborative, dynamic and transparent web resource that accepts any requests for change.
Palamida's opinion is that developers want, and in nearly all cases need, to know whether the open source they are currently embedding, or considering using, is on a path to migrate to GPLv3 or LGPLv3. Relying on data that overlooks an "intent to migrate" can create serious issues for any organization currently reliant on GPLv2, which makes up a significant part of the world's marketplace. Electronics manufacturers, telecom companies, the automotive industry and any organization reliant upon embedded technology are directly affected by tracking which versions of the GPL are in use. Underscoring the importance of knowing which projects rely on which version of the General Public License is the fact that GPLv3 is not compatible with GPLv2. If you are an organization utilizing code released under the GPLv2, it is of particular urgency to understand which projects are choosing to stay and which are choosing to move to v3. If the organization's project of choice decides to convert with the next release, it has serious legal and business issues on its hands. Thus, keeping track of the ongoing conversations is a critical part of proactive open source code management.
Further, we released our GPLv3 Resource Site after six months of expansive research surrounding GPLv2 and v3. It's important to note that after polling the development community, working together with open source project leaders and continuing to accept and build upon information continuously submitted by open source community development teams, we can confidently state that Palamida offers the most accurate and frequently updated information available regarding the General Public License conversions.
License obligations are an important factor in determining whether or not a project will be adopted, but we feel that validating the security of open source code has an even greater bearing on the development community. Understanding license obligations is but one slice of the larger OSS pie. My quote du jour seems to be, "Open source code is not less secure than commercial code but as secure." I thoroughly believe that. A key differentiator is that the open source community works much faster to patch any issues than commercial organizations. The bottom line is that open source project teams want to produce applications with integrity, and they work with one another to accomplish that aim. To help support these goals we created our Vulnerability Reporting Solution (VRS). In his October 10 article, "Open source code vulnerability critical as licensing," Shamus McGillicuddy adds context to what we've been saying for a very long time - that vetting the integrity and security of the open source code embedded throughout enterprise software assets is just as critical, if not more so, than understanding license terms. Both present serious legal and business implications that, if left untended, can derail even the best-laid go-to-market plans.
Palamida has many people to thank for their success, the unprecedented insight into community challenges and the ongoing evolution of who we are and what we will become as a company. As an involved member of the open source community, we welcome continued community feedback as we grow into 2008.
-- Melisa LaBancz-Bleasdale
