Bruce Perens, one of the authors of the Open Source definition and co-founder of the Open Source Initiative, presented the first draft of a new "Post-Open Zero-Cost" license aimed at addressing the growing challenges of interactions between open source developers and commercial companies in the context of obtaining fair returns on commercial code use. The license allows for additional conditions on commercial use, such as requiring companies to repay the benefits of open source software use either through development or through royalties distributed among the developers.
The key difference between the Post-Open license and existing open source licenses, such as the GPL, is the introduction of a contractual component that can be terminated in the event of a breach of the license terms. Two types of contractual agreements are available: free and paid. Paid agreements allow for the possibility of entering into agreements granting additional rights and are used for commercial distribution of products or modifications made without public disclosure.
The license also defines a "POST-OPEN ADMINISTRATION" organization, which acts on behalf of the licensors, serving as their legal representative, defending their rights when necessary, and distributing funds received based on contributions to the development. The structure of this organization, which must utilize transparent processes and financial mechanisms, has not yet been determined and is subject to future discussions.
Situations that lead to termination of the contractual component include: breach of license terms; claims of patent infringement; imposition of additional terms (for example, adding sanctions to a customer agreement for disclosing information about vulnerability patches); making changes subject to export control laws (for example, for military purposes and weapons development); concealing information about vulnerabilities or obstructing their disclosure; and using code to train machine learning models distributed under different terms. Contractual relations are not terminated immediately, but only 60 days after notification of the violation. If the violation is corrected within 60 days, the granted rights remain in effect.
Among the GPL's problems that the new license seeks to address is its focus on granting rights only, without the ability to take away someone's rights. This feature allows companies to circumvent the GPL's requirement for unrestricted access to source code. Specifically, companies restrict code availability through loopholes that let them impose additional contractual terms on end users, limiting redistribution of the open source code underlying the product.
For example, when purchasing a RHEL distribution, a customer signs a support and update agreement with Red Hat. This agreement limits data redistribution and stipulates the right to terminate the agreement if the installed copies of RHEL do not match the purchased copies. This forces the customer to choose between the freedom to use the software and maintaining their Red Hat customer status. Vulnerability patches supplied for RHEL are applied to GPL code, and under the license, the user has the right to distribute them. However, this could be perceived as a breach of the agreement with Red Hat and will be grounds for termination of the company's services.
Previously, when changes were published to the CentOS repository, the community turned a blind eye to such manipulations, but after the change in the policy for providing access to the source code of RHEL packages, there was a need to revise the mechanisms for interaction between open source developers and the companies that use their work.
Source: opennet.ru
