« Movies for the Weekend of 11/30/2007 | Main | Clarifications on the Open Letter »
Sunday
Dec022007

Why the Dislike for CDDL?

Disclaimer: Although I was employed by Sun at the time the CDDL was created and chosen as the license for the OpenSolaris code base, I was not involved in either of those processes and was not privy to any of the related discussions. I am not making any attempt to speak for Sun, and all information provided in this post is either based on publicly-available information or my own personal opinion.

In reading discussions about what has happened with OpenDS, I've seen a wide range of reactions. This is to be expected, but one thing that I have found to be a bit surprising is that there have been some comments that are critical of the Common Development and Distribution License (CDDL). This isn't the first time that such comments have been made, as I've heard them ever since the license was first created, but I am a little puzzled by them and the fact that they have persisted for so long. I think that the CDDL is an excellent open source license and that many of the negative comments stem from not really understanding it, while others may have something to do with the fact that the open source community in general has been and continues to be somewhat suspicious of Sun (who authored the CDDL).

The CDDL was originally created as a potential license for OpenSolaris. This drew a lot of criticism because many people, especially those in the Linux community, wanted Sun to use the GNU General Public License (GPL). Since GPLv3 was nowhere near complete at the time, if Sun did choose GPL then it would have to be GPLv2 but that would have been completely impossible for Sun to do in a reasonable way. While Sun certainly owns copyright on most of the code in Solaris, there are parts of the code that Sun licenses from third parties. Since GPLv2 doesn't play well with non-GPLv2 code, if Sun had chosen to use GPLv2 for OpenSolaris, then they wouldn't have been able to include some of those third-party components (especially those that interact directly with the kernel) which would have made it a lot less attractive for potential users. In that case, about the only people that would have been happy would be those in the Linux community because they would have been able to take the best parts of Solaris and pull them into Linux. OpenSolaris itself wouldn't have been really useful until they had either re-written the third-party components or convinced their respective copyright owners to make them available under GPLv2. Other operating systems which use non-GPL licenses (like the BSD-based variants, which have gotten a lot of benefit from the OpenSolaris code) wouldn't have been able to use it, and third-party vendors (especially those that need kernel-level interaction, like hardware device drivers) would have also found it much less attractive. It is possible that some of these concerns could have been addressed by creating GPL exceptions, much like they have done with Java, but even still there would have been significant deficiencies that GPLv2 doesn't address like legal concerns about code which is covered by patents. Rather than try to pigeonhole OpenSolaris into GPLv2, Sun chose to look at other options, including the possibility of using their own license, which ultimately led to the creation of the CDDL.

Before I go any further, let me briefly describe the primary types of licenses that exist in the open source world. They fall into three basic categories:

  • Licenses which preserve open source at all costs, like the GPLv2. These licenses require that any software that uses code under such a license must always be open source. In other words, you can't use code licensed in this manner in an application with closed-source components. This is very good for the community that releases the code under this license, since it ensures that they will always have access to any improvements made to it, but it's less friendly to downstream developers since it creates significant restrictions on how they might be able to use that code.

  • Licenses which preserve freedom at all costs, like the BSD and Apache licenses. These licenses place very few restrictions on how other developers can use the code, and it's entirely possible for someone to take code under such a license and make changes to it without making those changes available to anyone else, even the original developers.

  • Licenses which attempt to strike a balance between open source and freedom, like the Mozilla Public License, the CDDL, and GPLv3. These licenses generally require that any changes to the existing code be made available under the terms of the original license, but any completely new code that is created can be under a different license, including one that is closed source.

As someone who has done a significant amount of both open source and closed source development, I really like licenses in this third category. If I make code that I have written available under an open source license, then I like the guarantee that this code will remain open. On the other hand, I also like giving others the freedom to do what they want with their own code, even if some of their code happens to interact with some of my code, and I know that commercial users are much more likely to shy away from licenses in the "open source at all costs" camp than licenses in the other two categories.

So what are the specifics of the CDDL? It's based on the Mozilla Public License, but clarifies some things that the MPL doesn't cover. The basic principles of the CDDL are as follows:

  • CDDL has been approved by OSI as an official open source license, which means that it meets all of the minimum requirements defined at http://www.opensource.org/docs/osd.

  • CDDL is a file-based license. This means that if you make any changes to CDDL-licensed software, any existing files that you modify need to remain under CDDL, but any new files that you create can be under whatever license you want as long as that license isn't incompatible with CDDL.

  • Similar to the above point, CDDL is very friendly when interacting with code under other licenses. This makes it easy to mix CDDL-licensed code with libraries under other licenses, or to use CDDL-licensed libraries in a project under a different license.

  • CDDL includes an explicit patent grant clause, which means that if any of the code is covered by patents then anyone using or extending that code is also granted the right to use those patents. It also includes a clause that terminates the usage rights of anyone who brings patent-based litigation against the code.

  • CDDL isn't a Sun-specific license, and is suitable for software written by anyone. The only mention of Sun in the license is to indicate that Sun is the license steward and the only entity able to create new versions of the license

See http://www.sun.com/cddl/ and http://www.opensolaris.org/os/about/faq/licensing_faq/ for further information about CDDL license terms.

In my opinion, the CDDL is a very attractive license for open source software. It certainly doesn't seem evil or unfair in any way, so I have a hard time understanding the bad reputation that it seems to have gotten. It is true that CDDL code can't be mixed with GPLv2 code, but that's not because CDDL is incompatible with GPLv2, but rather because GPLv2 is incompatible with CDDL. GPLv2 is incompatible with lots of other licenses, including other popular open source licenses like the Apache License, the BSD license, and the Mozilla Public License. In fact, the GPLv2 is even incompatible with the GPLv3 (as per http://www.gnu.org/philosophy/license-list.html#GNUGPL). It is unfortunate that the licenses used by OpenSolaris and Linux aren't compatible with one another, but I think that it would have been a mistake to use GPLv2 for OpenSolaris and highly doubt that incompatibility with Linux was seen as a key benefit when CDDL was selected for OpenSolaris.

Our decision to use CDDL for OpenDS was made after careful consideration and was based on the merits of the license. We were certainly not pressured into using it by Sun, and in fact during discussions with Sun's open source office they wanted to make sure that we weren't choosing it just because we thought it was the company line but rather because it was the right license for the project. There are a number of other open source licenses out there, and they have their benefits as well, but if I were to be involved with the creation of a new open source software project, then I would imagine that CDDL would at least be in the running during the license selection process.

Reader Comments (4)

This is not directed at you, more at the framers of the CDDL (and by extension, the MPL). The CDDL/MPL are incompatible because the CDDL/MPL require you to distribute the source *only* under the CDDL/MPL. This isn't a problem when mixing code with other file-based licenses like BSD-alikes, but means it doesn't play nice with entire-work licenses like the GPL (either version). I'd like to see Sun update the CDDL to allow CDDL code to be distributed under the terms of GPLv3, just like GPLv3 allows code under it to be distributed as part of a larger work under the Affero GPL. *goes and writes an email to webmink*

December 3, 2007 | Unregistered CommenterJames

James,

Thank you for your comment. I'm not a lawyer, so take my opinion accordingly, but my interpretation differs from yours.

It is true that section 3.1 states "Any Covered Software that You distribute or otherwise make available in Executable form must also be made available in Source Code form and that Source Code form must be distributed only under the terms of this License." I believe that this is the basis for your comments, but if not then please let me know otherwise.

Section 1 of the license provides all of the definitions of terms used later throughout the license. I don't want to go through the entire chain item-by-item, but based on my reading, "Covered Software" basically means (a) any previously-existing source file that was originally made available under CDDL, whether or not you have made changes to it, (b) any new source file containing any code that was copied from a previously-existing source file under CDDL, and (c) any new source file containing only completely new code that you wrote and opted to license under CDDL. Item (c) is completely your choice, since if you create any new file that doesn't use any CDDL content then you have no obligation to make that new file available under CDDL (although you certainly can if you want to). Items (a) and (b) simply state that if a file contains any CDDL code, then the entire file must be under CDDL. I think that this is perfectly reasonable, since I can't imagine how it would work to have different portions of the same file under different licenses, especially with the possibility of modifying the contents of that file later on.

Note that section 3.5 does say that you can make executables available under any license that you want as long as that license doesn't limit the rights to the CDDL-licensed code, and section 3.6 says that you can create a larger work containing a mixture of both CDDL and non-CDDL code as long as that doesn't limit the rights to the CDDL-licensed code. Both of those seem very reasonable to me.

As far as I can tell, the only potential sticking point in the license is that you can't mix CDDL-licensed code and non-CDDL-licensed code in the same source file. As I mentioned above, I can't imagine how it would be possible to have different content in the same file under different licenses, so this seems like a very reasonable requirement, but it does mean that you can't just take a routine from a CDDL-licensed source file and plop it into a file containing code under another license. However, I don't really think that this is a problem because you can just keep that routine in a separate file that is included by the source in which you want to use it, or you could even make it available as a patch (e.g., in context diff form) and have that patch automatically applied to the source file at build time.

I will admit that I'm not nearly as familiar with GPLv3 as I am with CDDL, but it appears to me that the "aggregate" clause in section 5 of the GPLv3 means that you could create a larger program containing both GPLv3-licensed and CDDL-licensed source files. I have only a passing familiarity with the Affero GPL, and I'm not really sure where I stand on it. I understand the loophole that it tries to plug, but I'm not entirely convinced that it's really a loophole to start with and that's not really a debate that I want to get into.

December 3, 2007 | Unregistered Commenterdirectorymanager

Neil, actually most of the current Mozilla code is under so called tri-license which is really flexible and people are free to choose the license under which they will receive the code, see http://www.mozilla.org/MPL/ and http://www.mozilla.org/MPL/boilerplate-1.1/ for more details.

December 4, 2007 | Unregistered CommenterAnton

The "aggregate" clause in GPLv3 only applies when the files are not combined into a larger program. The point about the Affero GPL is not what it does, but that the GPLv3 allows you to combine works under the GPLv3 with the Affero, provided you follow the more restrictive provisions of the Affero for the work as a whole.

Section 7 of the GPLv3 would allow a larger work to be made from GPLv3 and CDDL components, except that the CDDL doesn't allow it as section 3.1 says "that Source Code form must be distributed *only* under the terms of this License" (my emphasis) but the GPL requires the entire work to be distributed under the GPL.

http://www.tomhull.com/ocston/docs/mozgpl.html is what I use as a reference for why the GPL and CDDL aren't compatible.

http://apoc.freedesktop.org/wiki/ is a recently-freed Sun project that went for GPLv2/CDDL dual-licensing.

December 5, 2007 | Unregistered CommenterJames
Comments for this entry have been disabled. Additional comments may not be added to this entry at this time.