Displaying posts by Bradley M. Kuhn
Considerations on a non-profit home for your project
byon December 5, 2013
I came across this email thread this week, and it seems to me that Node.js is facing a standard decision that comes up in the life of most Open Source and Free Software projects. It inspired me to write some general advice to Open Source and Free Software projects who might be at a similar crossroads0. Specifically, at some point in the history of a project, the community is faced with the decision of whether the project should be housed at a specific for-profit company, or have a non-profit entity behind it instead. Further, project leaders must consider, if they persue the latter, whether the community should form its own non-profit or affiliate with one that already exists.
Choosing a governance structure is a tough and complex decision for a project — and there is always some status quo that (at least) seems easier. Thus, there will always be a certain amount of acrimony in this debate. I have my own biases on this, since I am the Executive Director of Conservancy, a non-profit home for Open Source and Free Software projects, and because I have studied the issue of non-profit governance for Open Source and Free Software for the last decade. I have a few comments based on that experience that might be helpful to projects who face this decision.
The obvious benefit of a project housed in a for-profit company is that
they'll usually always have more resources to put toward the project —
particularly if the project is of strategic importance to their business.
The downside is that the company almost always controls the trademark,
perhaps controls the copyright to some extent (e.g., by being the sole
beneficiary of a very broad CLA or ©AA), and likely has a stronger say
in the technical direction of the project. There will also always be
“brand conflation” when something happens in the project (
the project do it, or did the company?), and such is easily observable in
the many for-profit-controlled Open Source and Free Software projects.
By contrast, while a for-profit entity only needs to consider the interests of its own shareholders, a non-profit entity is legally required to balance the needs of many contributors and users. Thus, non-profits are a neutral home for activities of the project, and a neutral place for the trademark to live, perhaps a neutral place to receive CLAs (if the community even wants a CLA, that is), and to do other activities for the project. (Conservancy, for its part, has a list of what services it provides.)
There's also difference among non-profit options. The primary two USA options for Open Source and Free Software are 501(c)(3)'s (public charities) and 501(c)(6)'s (trade associations). 501(c)(3) public charities must always act in the public good, while 501(c)(6) trade associations act in interest of its paying for-profit members. I'm a fan of the 501(c)(3)-style of non-profit, again, because I help run one. IMO, the choice between the two really depends on whether you want the project run and controlled by a consortium of for-profit businesses, or if you want the project to operate as a public charity focused on advancing the public good by producing better Open Source and Free Software. BTW, the big benefit, IMO, to a 501(c)(3) is that the non-profit only represents the interests of the project with respect to the public good, so IRS prohibits the charity from conflating its motives with any corporate interest (be they single or aggregate).
If you decide you want a non-profit, there's then the decision of forming your own non-profit or affiliating with an existing non-profit. Folks who say it's easy to start a new non-profit are (mostly) correct; the challenge is in keeping it running. It's a tremendous amount of work and effort to handle the day-to-day requirements of non-profit management, which is why so many Open Source and Free Software projects choose to affiliate or join with an existing non-profit rather than form their own. I'd suggest strongly that the any community look into joining an existing home, in part because many non-profit umbrellas permit the project to later “spin off” to form your own non-profit. Thus, joining an existing entity is not always a permanent decision.
Anyway, as you've guessed, thinking about these questions is a part of what I do for a living. Thus, I'd love to talk (by email, phone or IRC) with anyone in any Open Source and Free Software community about joining Conservancy specifically, or even just to talk through all the non-profit options available. There are many options and existing non-profits, all with their own tweaks, so if a given community decides it'd like a non-profit home, there's lots to chose from and a lot to consider.
I'd note finally that the different tweaks between non-profit options deserve careful attention. I often see people commenting that structures imposed by non-profits won't help with what they need. However, not all non-profits have the same type of structures, and they focus on different things. For example, Conservancy doesn't dictate anything regarding specific CLA rules, licensing, development models, and the like. Conservancy generally advises about all the known options, and help the community come to the conclusions it wants and implement them well. The only place Conservancy has strict rules is with regard to the requirements and guidelines the IRS puts forward on 501(c)(3) status. Meanwhile, other non-profits do have strict rules for development models, or CLAs, and the like, which some projects prefer for various reasons.
0BTW, I don't think how a community comes to that crossroads matters that much, actually. At some point in a project's history, this issue is raised, and, at that moment, a decision is before the project.
Conservancy's Coordinated Compliance Efforts
byon May 29, 2012
Conservancy announced today its new coordinated Free Software license compliance effort. As you might guess, in between getting things together for Conservancy conferences, making sure developers get reimbursed on time, and all the other primary work of Conservancy that I'm up to each day, I've been spending what hours that I can coordinating this new effort.
This new program is an outgrowth of the debate that happened over the last few months regarding Conservancy's GPL compliance efforts. Specifically, I noticed that, buried in the FUD over the last four months regarding GPL compliance, there was one key criticism that was valid and couldn't be ignored: Linux copyright holders should be involved in compliance actions on embedded systems. Linux is a central component of such work, and the BusyBox developers agreed wholeheartedly that having some Linux developers involved with compliance would be very helpful. Conservancy has addressed this issue by building a broad coalition of copyright holders in many different projects who seek to work on compliance with Conservancy, including not just Linux and BusyBox, but other projects as well.
I'm looking forward to working collaboratively with copyright holders of many different projects to uphold the rights guaranteed by GPL. I'm also elated at the broad showing of support by other Conservancy projects. In addition to the primary group in the announcement (i.e., copyright holders in BusyBox, Samba and Linux), a total of seven other GPL'd and/or LGPL'd projects have chosen Conservancy to handle compliance efforts. It's clear that Conservancy's compliance efforts are widely supported by many projects.
The funniest part about all this, though, is that while there has been
no end of discussion of Conservancy's and other's compliance efforts
this year, most Free Software users never actually have to deal with
the details of compliance. Requirements of most copyleft licenses like
GPL generally trigger on distribution of the software —
particularly distribution of binaries. Since most users simply receive
distribution of binaries, and run them locally on their own computer,
rarely do they face complex issues of compliance. As the GPLv2
The act of running the Program is not restricted.
Some Thoughts on Conservancy's GPL Enforcement
byon February 1, 2012
As most of those who know me are aware, I've been involved in GPL enforcement for more than 12 years, across three different organizations, the most recent one being here at the Software Freedom Conservancy. Since 2001, I've written dozens of articles, blog posts, and given at least fifty talks and CLE classes about how to do GPL compliance, and how enforcement actions tend to occur.
This weekend at SCALE, I gave a version of a talk I've given many times (also available as an oggcast), which I've usually entitled something like 12 Years of Copyleft Compliance: A Historical Perspective. I decided to retire this talk last weekend at SCALE (in part because it's now coming up on 13 years), but before I put that material aside, I thought I'd write a blog post summarizing the more salient points that I make in that talk.
Indeed, After all these years of speaking about, writing about, and doing GPL enforcement, I'm occasionally surprised at how much confusion still exists about how and why it's done. I've focused solely on doing GPL enforcement via 501(c)(3) not-for-profit entities, which means I do it only in the public good. I hope this blog post will give a sense of how it works and why I do it.
Copyleft Through Copyright
The primary goal of every GPL enforcement action is to gain compliance, which means getting to users complete and corresponding source code so they can copy, share, modify and install improved versions. The GPL itself is a copyright license that does a weird hack on copyright: it uses the copyright rules to turn them around, and require people to share software freely (as in freedom) in exchange for permission to copy, modify and distribute the software. A GPL violation occurs when someone fails to meet the license requirements and thereby infringes copyright. The copyright rules themselves then are the only remedy to enforce the license — requiring that the violator come into compliance with the license if they want permission to continue distribution.
Up until now, almost all the enforcement I've done has been purely under GPL version 2 (GPLv2). GPLv2§4 says that upon violation, the violator loses permission to engage in those activities governed by copyright: including copying, modifying and distributing the software. The only way to get those permissions back is for the copyright holder to grant them back.
Speaking For the Users
Copyleft's unique way of using copyright means the parties who may
enforce are copyright holders (and their designated agents). However,
the victims of the violation are typically thousands of users who have
bought a product that included the GPL'd program. The goal, therefore,
is to get source code that these users can actually use to compile and
install the software. In GPLv2-speak, the goal is to get the all
complete source code, which includes
used to control compilation and installation of the
Releases of complete and corresponding source have been instrumental in inspiring new user-driven software development communities like OpenWRT and SamyGo, both of which built upon source releases that came from prior BusyBox GPL enforcement efforts.
The Standard Requests
The goal of every enforcement action is to yield a license-compliant source release that works for the users. Every enforcement action opens as a conversation, asking the violator to meet a few simple requests so that their permission to engage in copyright-governed activity can be restored, and they can go about their new business as a fine, upstanding, compliant Free Software redistributor. The typical requests are:
- Compliance with all Open Source and Free Software licenses in
I started using this request regularly around 2002 because violators express a concern that, if they come into compliance due to my efforts, what stops others from coming to complain, in sequence, and wasting their time? I suggested that if they came into compliance all at once, on all FLOSS licenses involved, it would be easy for me to be on their side, should someone else complain. Namely, I'd come to their defense and say:
Yes, they were out of compliance, but we've checked everything and they're now in compliance throughout this product. Those who are now complaining are being unfair, since — while this violator had trouble initially — their compliance with all FLOSS licenses is now adequate.
Of course, the detailed license requirements are different for different licenses, so I've had to become an expert on the specific requirements of all FLOSS licenses over the years. For example, for permissive, BSD-like licenses, the only compliance required is typically that copyright notices be displayed appropriately on proprietarized versions. Meanwhile, the LGPL permits some types of proprietary combinations, but not others. GPLv2 and GPLv3, of course, have different requirements when it gets down to some details. The goal is to make sure that whatever each license requires is what's being done for the program under that license.
Meanwhile, particularly with embedded systems, requiring compliance on everything is basically a de-facto necessity anyway. Most embedded firmwares are built with a single build system (or, a set of steps that expect all relevant sources to be present), and as such, asking for the GPLv2-required
scripts used to control compilation and installation of the executablefor one program means asking for them for other programs too, since it's the same scripts.
- Appoint a Compliance Officer.
This is a requirement that actually predates my involvement in enforcement. I believe it was instituted at other organizations back in the 1990s. The goal is simple: have a single point of contact who can be reached regarding any future violations.
The goal, as always, is to help a violator become a productive member of the Free Software business community. Ideally, future violation matters should never be escalated very much: the company should have a person that has some expertise about GPL compliance who can work with anyone who might have concerns about any later product.
- Pay Our Cost of Bringing You Into Compliance.
This was the toughest requirement for me to institute, and I struggled for years about whether it was the right thing to do. I avoided it until someone pointed out to me:
If you're doing GPL enforcement for a non-profit, who should pay the cost of doing enforcement: the folks who send you charitable donations to support your other non-compliance work, or the violators who actually violated the license? Indeed, those who donate probably always comply with GPL themselves, so if violators aren't charged the cost of enforcement, compliant people end up subsidizing violations with their donations.
Ultimately, that was a compelling enough argument for me, but there's one other argument: there must be a deterrent. If the cost of violating the GPL is: “you must merely come into compliance when you're caught violating”, then very few companies would comply voluntarily. How many people would always violate the automobile speed limits if, when the driver is pulled over for speeding, all that ever happened was a stern warning?
A few sometimes ask:
well, where does the money go?. This question is why I think it's essential for GPL enforcement to be done by a 501(c)(3) not-for-profit entity like Conservancy. As I wrote in my previous Conservancy blog post, Conservancy's financial documents are publicly disclosed. So, you want to know the details of the enforcement money from FY 2010? Download Conservancy's FY 2010 Form 990, and take a look at Line 4(c) on page 2, Line 2(b) on page 9, and Line 11(b) on page 10. It's as simple as that.
Conservancy's Enforcement Plans
Of course, I encourage everyone to read the rest of the Form 990 too, and note in particular that GPL enforcement is only third on the list of major activities at Conservancy. I've no interest in making license enforcement the primary activity of Conservancy — indeed, it's but one item on Conservancy's extensive list of services, and Conservancy has 27 (and growing) projects to care for. Many of those projects are GPL'd and LGPL'd, and many of them want Conservancy to handle their enforcement, but that work is always balanced with all the other work going on at this thinly staffed organization.
I strongly expect that Free Software license compliance and enforcement
will always be a part of my work. I once heard Larry Wall, founder of
Perl, say (when I was still merely a
Computer Science graduate student):
You can never entirely stop being
what you once were. That's why it's important to be the right person
today, and not put it off till tomorrow. Ever since I heard him say
that, I've held it as a fundamental tenet of what I do in the Free
Software community. I believe GPL enforcement is right and necessary
for the advancement of software freedom. So, I'm glad for the
enforcement I've done, and I'm glad to continue doing GPL enforcement
for as long as projects come to me and ask me to take care of it for
them. Like everything else at Conservancy: I'm glad to do the boring
work so Free Software developers can focus on writing code. GPL
enforcement surely qualifies there.
I admit, though, that I do find litigation particularly annoying, time-consuming, and litigation also makes GPL compliance take longer than it should. That's why litigation has always been a last resort, and that 99.999% of GPL enforcement matters get resolved without a lawsuit. Lawsuits are only an option, in my view, when a violation is egregious, and multiple attempts to begin a friendly conversation with the violator are consistently ignored. Every lawsuit I've been involved with met these criteria. I hope no violation matters ever meet them again, but that depends on how well the violators respond when someone asks them for the complete and corresponding source code for the GPL'd and LGPL'd components in the product.
I hope that someday, everyone just complies voluntarily with the GPL, so I can go do other things — I used to be a software developer, once upon a time, and I'd love to do that again. But, in the meantime, I'm here to enforce the GPL, to defend software freedom.
It May Be Boring, But Worth Reading Anyway
byon January 16, 2012
For the last few months, I've had the same primary action item on my agenda every single day: finish Conservancy's FY 2010 audit and Form 990. Those who exchange email with me regularly have probably noticed a slowly increasing lag because of this. Fortunately, as for this past Saturday, this work is finally done. Conservancy has publicly posted our FY 2010 Form 990, FY 2010 Independent Auditor's report and our FY 2010 NYS CHAR-500. I know these documents might seem as boring as reading your own tax filings, but I hope in this blog post to convince you that Form 990s are worth reading, by drawing attention to the interesting parts of Conservancy's filings.
What's a Fiscal Year (FY)?
When I first started working in non-profit management years ago, it took me a while to get used to the idea of a fiscal year (often abbreviated FY). The concept, however, is relatively simple. Conservancy was founded in March 2006. As such, Conservancy's first year of operation ended on 28 February 2007, and every year thereafter, Conservancy completes another year of operation on the last day of February.
Therefore, when you take a look at Conservancy's 2010 Form 990, you'll find that the period described is 1 March 2010 until 28 February 2011. So, when you analyze the documents, you have to put your mindset into that period.
What's a Form 990, and Why Is It Public?
I often point out that 501(c)(3) non-profit charities are a form of a government grant. Think of it this way: 501(c)(3)'s not only pay no taxes on any of their income, but also, donors who give to a 501(c)(3) don't (usually) have to pay taxes on the money they give. The USA government (and by extension, the public), in essence, is subsidizing these organizations in two different ways: the government collects no tax money from these organizations, and the donors don't pay any taxes on their donations.
The government permits this because organizations like Conservancy must meet a high burden: they must advance the public good through pursuit of their mission. Conservancy does this by facilitating, fostering, promoting, developing, and defending Free, Libre and Open Source Software (FLOSS) for the general public.
To make sure organizations carry out their mission for the public good, and to allow the public itself to verify this occurs, the USA Internal Revenue Service (IRS) requires that, each year, every 501(c)(3) organization file the Form 990, which outlines all the funds received and spent by the organization, and how the organization used those funds to promote its mission. My hope is that if you read the rest of this blog post alongside Conservancy's Form 990 and Auditor's Report, you might be able to better use it as a tool to figure out what Conservancy was up to between the dates of 1 March 2010 and 28 February 2011.
Quick View of Mission, Revenue and Expenses
The first page of the Form 990 has a brief statement of the mission of the organization, and presents the fiscal overview. The most interesting lines related to income are lines 8 and 9, which contain the total contributions, and total service revenue. For a 501(c)(3), “contributions” are gifts and donations given to the organization by donors. That's the type of income with which those who give to non-profits are most familiar.
Program service revenue, which is also sometimes called “related business income”, refers to income that an organization receives while pursuing its mission. Conservancy's most common program service revenue is registration fees for conferences. Those who attend the conference get something in return (e.g., getting to see the talks live), but these conferences are still within Conservancy's mission (e.g., educating the public about Open Source and Free Software). Thus, the IRS considers the income related to Conservancy's mission.
The interesting lines on expenses are probably lines 15 and 17. Line 15 is salaries, which I'll talk about later, and line 17 is all the other expenses. The best places to get more information on what goes into this line is to jump to Part IX of the Form 990 (page 10), or to look at Page 5 (PDF page 6) of the Independent Auditor's Report.
Expenses By Mission Work
On Page 2 of the Form 990, you'll find Part III. This is perhaps the most interesting part. Specifically, it matches up specific expense totals with parts of Conservancy's mission. Included are texts describing the work that was done with those funds. I think this page is particular interesting, because it provides an easy overview of specific mission work and how much the organization spent on that specific work. In other words, it's a cross-section of the expenses totaled against specific mission work, rather than types of expenses (the latter of which is the default elsewhere on the Form 99).
The Public Support Test
In Schedule A, Part II of the Form 990 (PDF page 14), you'll find the public support test. Since this is Conservancy's fifth year of operation, for the first time, Conservancy must take a public support test. There are various ways of calculating the public support test. Conservancy used the 33⅓% test, which requires that at least 33⅓% of the organization's support come from the public. Conservancy's public support percentage is 45.3%.
Earmarked Funds Summary
I've focused here mostly on the Form 990. However, it's worth noting that FY 2010 was the first year in which Conservancy was required to have an independent audit. This is a New York State Requirement (you can see the detail of this requirements on page 4 of the CHAR-500), but even when it's not mandated, it's good for non-profits to have an independent audit anyway. Despite the amazing amount of work our first audit took (it'll get easier in future years, fortunately, now that Conservancy is used to it), I'm very glad that NYS required us to do it, as there's always the temptation to avoid something that's difficult and not mandatory.
Anyway, the most interesting page of the audit's report, in my view, is page 6 (PDF page 7), which shows the exact totals of all earmarked project funds in Conservancy. Individual Conservancy member projects will probably like to be able to see a third-party confirmation on the amount that was given, spent, and remains for their projects.
Yes, You Can See How Much I'm Paid
Part of public filings include the salaries paid to officers, directors, and key employees of the organization. Part VII of the Form 990 (Page 7) has these details. As you can see, I was the only person that Conservancy paid in FY 2010. When you look at the numbers in this section, note that my role changed over the course of the fiscal year: From 2010-03-01 through 2010-09-30, I was a nights/weekends part-time volunteer. From 2010-10-01 to 2010-12-31, I was a full-time volunteer. For the last two months of the fiscal year, from 2011-01-01 until 2011-02-28, I was a full-time employee.
Feel Free to Ask Me Questions
I've started a thread on identi.ca to discuss Conservancy's Form 990. Feel free to ask me any questions that you have there.