My thoughts on the CodePlex Foundation

Okay, so yesterday Microsoft announced the creation of the CodePlex Foundation, a "non-profit foundation formed with the mission of enabling the exchange of code and understanding among software companies and open source communities". Well, that sounds very vague, and indeed it is for the moment:

We don't have it all figured out yet. We know that commercial software developers are under-represented on open source projects. We know that commercial software companies face very specific challenges in determining how to engage with open source communities. We know that there are misunderstandings on both sides. Our aim is to advance the IT industry for both commercial software companies and open source communities by helping to meet these challenges.

Meeting these challenges is a collaborative process. We want your participation.

Okay, so here are my thoughts. At first, it seems a bit superflous to have yet another open source foundation. After all, are the Free Software Foundation or the Open Source Initiative not already doing exactly this? And isn't Microsoft one of the least likely companies to be involved in Open Source? Yes and No.

Let me start with Microsoft as a company. They have had their fair share of anti-OSS Crusades, especially against Linux (Halloween Papers anyone?). Also their stance towards software patents goes quite a bit against the OSS thought (and has recently backfired heavily). Their VFAT patent is another brick in the wall that seems to separate Microsoft from Open Source Software.

However, Microsoft is big. And when I say big then I mean that they hold their company meetings in a football stadium, holding 25000+ people. They have more departments than most other companies have employees. And naturally, there are a lot of different directions within Microsoft. In the last few years, the Developer Tools section of Microsoft started to become more open. WiX was the first product to be licensed as Open Source, and many more would follow, especially such important ones around ASP.net. Microsoft also launched their own Source Code portal - CodePlex - in 2006 which may still have a few rough edges, but works really well for me. And People like Sara Ford are really pushing this forward.

You can argue whether or not this is really open source, as Microsoft does not really seem to accept patches. There are some legal issues around this (i.e. what if you contribute code you have written at work to Microsoft's Open Source project, but six months later your company finds this out and demands removal of your code from the project because you never had the right to contribute it? Most Open Source projects can fall into that trap, but if you're high profile like Microsoft you certainly want to be careful.) and I found that it isn't that different from many other projects. Try contributing some code to the Linux Kernel or the Apache Web Server, who are also having high requirements and a QA/Testing cycle.

I think the DevTools section really understood the value of Open Source, also in terms of acceptance. For example, Classic ASP.net sometimes required using Reflector to understand some of the Magic that is going on, for example around Global.asax. ASP.net MVC is now Open Source, which doesn't mean anything for possibly 95% of all users (number made up), but for the 5% that really need to understand or change some inner part, it's a blessing. It's also a sign of the competition coming from Ruby on Rails, Grails or Django.

So from my perspective as a C# developer, Microsoft and Open Source are not two opposite extremes, and the CodePlex Foundation doesn't seem to be like something aimed at destroying Open Source, because I see it being led by the people who are OSS people at Microsoft.

That leaves the question: Why another OSS Foundation? Or more precisely: What can CodePlex Foundation add?

Well, in my opinion, it's the Microsoft name behind it. Of course they say they are independent and stuff, but even if they are, I think that the Microsoft name is huge. I have to say that I am blessed to work in a company that has no issues using Open Source software, but I also know many companies who do not understand the concept. Many companies still believe that if you use OSS Software (even just downloading an executable and using it), you have to put your entire software under open source. Also, many companies still believe that open source software is buggy, insecure and written by socialist left-wing communist terrorists. Well, some certainly is, but it's not like there isn't some horribly bad commercial software as well.

The FSF and OSI Images are closely tied to all of this. FSF, OSI, Linux, Open Source - all a bunch of Hippies, opposite to real companies like IBM, Oracle, Microsoft et al. Luckily, this wrong perception is gradually changing, but the fear still stays. But now, having a behemoth like Microsoft suddenly standing behind an Open Source Foundation could be a big enabler. You know the saying "No one ever got fired for choosing Microsoft?" It's usually used in the context of choosing some software that the company is unfamiliar with, so usually they play safe and choose the big name.

That is one win that CodePlex Foundation could bring: Raise the awareness that Open Source may be high quality software backed by big companies. In the mid-term, this could eliminate some of the mentioned "misunderstandings on both sides" mentioned in their mission statement.

So, CodePlex Foundation wants to know what they can do to help? Well, the biggest problem with Open Source is that there is a gazillion of licenses. There is the GPL, the LGPL, the BSD License, the MPL or the MS-PL. The OSI currently lists 65 different open source licenses. Sixty-Five. How is anyone able to know which ones are compatible? Can I mix MPL with BSD and MS-PL? What about the Apache License?

Also, some of them are really restrictive, like the GPL. And I think it's the GPL that causes all this fear around Open Source because companies still think Open Source = GPL. Now, don't get me wrong: I think the GPL is doing a great job to make sure that code stays open. But it's also a big blocker because companies naturally feel their secrets threatened if they use anything that even looks like GPL. And as the GPL Violations show, many companies learn this the hard way. But there are also big misunderstandings around this. For example, you can freely use GPL code in a web application without having to provide the source code to it. That is, unless it's Affero GPL or AGPL, which was created specifically to close this loop hole. On the other hand, you can almost always safely use LGPL code because this only requires modifications to itself to be released again under LGPL, but it's not viral and does not affect your application.

The other extreme to the GPL is BSD or MS-PL code which basically says "Do what you want, but credit us". But I still don't know what the difference between BSD and MS-PL really is, except something around patents. That leaves me with the question: Can I safely mix BSD and MS-PL code?

In my opinion, this is the #1 task that needs to be resolved in the Open Source world, and the CodePlex Foundation with it's aim at corporate entities should (or even: would have to) make this easier. I'm envisioning a very graphical site that essentially says "if you have this license, these are your duties", a bit similar to how Creative Commons presents their licenses. Or what about a Mix-And-Match page where I can say "I have code under LGPL and under MS-PL. Can I mix them? Do I have to take any precautions? If they are incompatible, how can I still mix them? (i.e. can I just put the GPL Code in a different project and use it from a Non-GPL application using public interfaces?)"

CodePlex Foundation, please give us something "Executive-Friendly" that can be used to convince reluctant decision-makers. This would be my #1 wish.