Considerations on a non-profit home for your project
byon December 5, 2013
I came across this email thread this week, and it seems to me that Node.js is facing a standard decision that comes up in the life of most Open Source and Free Software projects. It inspired me to write some general advice to Open Source and Free Software projects who might be at a similar crossroads0. Specifically, at some point in the history of a project, the community is faced with the decision of whether the project should be housed at a specific for-profit company, or have a non-profit entity behind it instead. Further, project leaders must consider, if they persue the latter, whether the community should form its own non-profit or affiliate with one that already exists.
Choosing a governance structure is a tough and complex decision for a project — and there is always some status quo that (at least) seems easier. Thus, there will always be a certain amount of acrimony in this debate. I have my own biases on this, since I am the Executive Director of Conservancy, a non-profit home for Open Source and Free Software projects, and because I have studied the issue of non-profit governance for Open Source and Free Software for the last decade. I have a few comments based on that experience that might be helpful to projects who face this decision.
The obvious benefit of a project housed in a for-profit company is that
they'll usually always have more resources to put toward the project —
particularly if the project is of strategic importance to their business.
The downside is that the company almost always controls the trademark,
perhaps controls the copyright to some extent (e.g., by being the sole
beneficiary of a very broad CLA or ©AA), and likely has a stronger say
in the technical direction of the project. There will also always be
“brand conflation” when something happens in the project (
the project do it, or did the company?), and such is easily observable in
the many for-profit-controlled Open Source and Free Software projects.
By contrast, while a for-profit entity only needs to consider the interests of its own shareholders, a non-profit entity is legally required to balance the needs of many contributors and users. Thus, non-profits are a neutral home for activities of the project, and a neutral place for the trademark to live, perhaps a neutral place to receive CLAs (if the community even wants a CLA, that is), and to do other activities for the project. (Conservancy, for its part, has a list of what services it provides.)
There's also difference among non-profit options. The primary two USA options for Open Source and Free Software are 501(c)(3)'s (public charities) and 501(c)(6)'s (trade associations). 501(c)(3) public charities must always act in the public good, while 501(c)(6) trade associations act in interest of its paying for-profit members. I'm a fan of the 501(c)(3)-style of non-profit, again, because I help run one. IMO, the choice between the two really depends on whether you want the project run and controlled by a consortium of for-profit businesses, or if you want the project to operate as a public charity focused on advancing the public good by producing better Open Source and Free Software. BTW, the big benefit, IMO, to a 501(c)(3) is that the non-profit only represents the interests of the project with respect to the public good, so IRS prohibits the charity from conflating its motives with any corporate interest (be they single or aggregate).
If you decide you want a non-profit, there's then the decision of forming your own non-profit or affiliating with an existing non-profit. Folks who say it's easy to start a new non-profit are (mostly) correct; the challenge is in keeping it running. It's a tremendous amount of work and effort to handle the day-to-day requirements of non-profit management, which is why so many Open Source and Free Software projects choose to affiliate or join with an existing non-profit rather than form their own. I'd suggest strongly that the any community look into joining an existing home, in part because many non-profit umbrellas permit the project to later “spin off” to form your own non-profit. Thus, joining an existing entity is not always a permanent decision.
Anyway, as you've guessed, thinking about these questions is a part of what I do for a living. Thus, I'd love to talk (by email, phone or IRC) with anyone in any Open Source and Free Software community about joining Conservancy specifically, or even just to talk through all the non-profit options available. There are many options and existing non-profits, all with their own tweaks, so if a given community decides it'd like a non-profit home, there's lots to chose from and a lot to consider.
I'd note finally that the different tweaks between non-profit options deserve careful attention. I often see people commenting that structures imposed by non-profits won't help with what they need. However, not all non-profits have the same type of structures, and they focus on different things. For example, Conservancy doesn't dictate anything regarding specific CLA rules, licensing, development models, and the like. Conservancy generally advises about all the known options, and help the community come to the conclusions it wants and implement them well. The only place Conservancy has strict rules is with regard to the requirements and guidelines the IRS puts forward on 501(c)(3) status. Meanwhile, other non-profits do have strict rules for development models, or CLAs, and the like, which some projects prefer for various reasons.
0BTW, I don't think how a community comes to that crossroads matters that much, actually. At some point in a project's history, this issue is raised, and, at that moment, a decision is before the project.
Conservancy launches a new brand identity
byConservancy is pleased to announce our new logo and wordmark as part of the evolution of our organization's brand. on February 28, 2013
The Binary Tree logo and updated wordmark reflect a cleaner and more modern representation of Conservancy's commitment to promoting, supporting, and defending Free, Libre, and Open Source Software (FLOSS) projects.
The Binary Tree logo, designed by April Ricafort-Custodio using Inkscape, incorporates a binary tree diagram - representing both a fundamental principle of computer science and our various member projects - into a streamlined version of Conservancy's shade tree silhouette. The wordmark was created using Open Sans Condensed, a sans-serif typeface designed by Steve Matteson and licensed under the Apache License, Version 2.0.
A ZIP archive of the logo sheet in PDF, SVG, ODG, and PNG formats can be downloaded here. The copyrights associated with Conservancy's logo and wordmark are licensed under CC-By-SA-3.0 USA. The marks “Software Freedom Conservancy,” “Conservancy,” and the Binary Tree logo and wordmark are trademarks of Software Freedom Conservancy.
Conservancy's Coordinated Compliance Efforts
byon May 29, 2012
Conservancy announced today its new coordinated Free Software license compliance effort. As you might guess, in between getting things together for Conservancy conferences, making sure developers get reimbursed on time, and all the other primary work of Conservancy that I'm up to each day, I've been spending what hours that I can coordinating this new effort.
This new program is an outgrowth of the debate that happened over the last few months regarding Conservancy's GPL compliance efforts. Specifically, I noticed that, buried in the FUD over the last four months regarding GPL compliance, there was one key criticism that was valid and couldn't be ignored: Linux copyright holders should be involved in compliance actions on embedded systems. Linux is a central component of such work, and the BusyBox developers agreed wholeheartedly that having some Linux developers involved with compliance would be very helpful. Conservancy has addressed this issue by building a broad coalition of copyright holders in many different projects who seek to work on compliance with Conservancy, including not just Linux and BusyBox, but other projects as well.
I'm looking forward to working collaboratively with copyright holders of many different projects to uphold the rights guaranteed by GPL. I'm also elated at the broad showing of support by other Conservancy projects. In addition to the primary group in the announcement (i.e., copyright holders in BusyBox, Samba and Linux), a total of seven other GPL'd and/or LGPL'd projects have chosen Conservancy to handle compliance efforts. It's clear that Conservancy's compliance efforts are widely supported by many projects.
The funniest part about all this, though, is that while there has been
no end of discussion of Conservancy's and other's compliance efforts
this year, most Free Software users never actually have to deal with
the details of compliance. Requirements of most copyleft licenses like
GPL generally trigger on distribution of the software —
particularly distribution of binaries. Since most users simply receive
distribution of binaries, and run them locally on their own computer,
rarely do they face complex issues of compliance. As the GPLv2
The act of running the Program is not restricted.
Some Thoughts on Conservancy's GPL Enforcement
byon February 1, 2012
As most of those who know me are aware, I've been involved in GPL enforcement for more than 12 years, across three different organizations, the most recent one being here at the Software Freedom Conservancy. Since 2001, I've written dozens of articles, blog posts, and given at least fifty talks and CLE classes about how to do GPL compliance, and how enforcement actions tend to occur.
This weekend at SCALE, I gave a version of a talk I've given many times (also available as an oggcast), which I've usually entitled something like 12 Years of Copyleft Compliance: A Historical Perspective. I decided to retire this talk last weekend at SCALE (in part because it's now coming up on 13 years), but before I put that material aside, I thought I'd write a blog post summarizing the more salient points that I make in that talk.
Indeed, After all these years of speaking about, writing about, and doing GPL enforcement, I'm occasionally surprised at how much confusion still exists about how and why it's done. I've focused solely on doing GPL enforcement via 501(c)(3) not-for-profit entities, which means I do it only in the public good. I hope this blog post will give a sense of how it works and why I do it.
Copyleft Through Copyright
The primary goal of every GPL enforcement action is to gain compliance, which means getting to users complete and corresponding source code so they can copy, share, modify and install improved versions. The GPL itself is a copyright license that does a weird hack on copyright: it uses the copyright rules to turn them around, and require people to share software freely (as in freedom) in exchange for permission to copy, modify and distribute the software. A GPL violation occurs when someone fails to meet the license requirements and thereby infringes copyright. The copyright rules themselves then are the only remedy to enforce the license — requiring that the violator come into compliance with the license if they want permission to continue distribution.
Up until now, almost all the enforcement I've done has been purely under GPL version 2 (GPLv2). GPLv2§4 says that upon violation, the violator loses permission to engage in those activities governed by copyright: including copying, modifying and distributing the software. The only way to get those permissions back is for the copyright holder to grant them back.
Speaking For the Users
Copyleft's unique way of using copyright means the parties who may
enforce are copyright holders (and their designated agents). However,
the victims of the violation are typically thousands of users who have
bought a product that included the GPL'd program. The goal, therefore,
is to get source code that these users can actually use to compile and
install the software. In GPLv2-speak, the goal is to get the all
complete source code, which includes
used to control compilation and installation of the
Releases of complete and corresponding source have been instrumental in inspiring new user-driven software development communities like OpenWRT and SamyGo, both of which built upon source releases that came from prior BusyBox GPL enforcement efforts.
The Standard Requests
The goal of every enforcement action is to yield a license-compliant source release that works for the users. Every enforcement action opens as a conversation, asking the violator to meet a few simple requests so that their permission to engage in copyright-governed activity can be restored, and they can go about their new business as a fine, upstanding, compliant Free Software redistributor. The typical requests are:
- Compliance with all Open Source and Free Software licenses in
I started using this request regularly around 2002 because violators express a concern that, if they come into compliance due to my efforts, what stops others from coming to complain, in sequence, and wasting their time? I suggested that if they came into compliance all at once, on all FLOSS licenses involved, it would be easy for me to be on their side, should someone else complain. Namely, I'd come to their defense and say:
Yes, they were out of compliance, but we've checked everything and they're now in compliance throughout this product. Those who are now complaining are being unfair, since — while this violator had trouble initially — their compliance with all FLOSS licenses is now adequate.
Of course, the detailed license requirements are different for different licenses, so I've had to become an expert on the specific requirements of all FLOSS licenses over the years. For example, for permissive, BSD-like licenses, the only compliance required is typically that copyright notices be displayed appropriately on proprietarized versions. Meanwhile, the LGPL permits some types of proprietary combinations, but not others. GPLv2 and GPLv3, of course, have different requirements when it gets down to some details. The goal is to make sure that whatever each license requires is what's being done for the program under that license.
Meanwhile, particularly with embedded systems, requiring compliance on everything is basically a de-facto necessity anyway. Most embedded firmwares are built with a single build system (or, a set of steps that expect all relevant sources to be present), and as such, asking for the GPLv2-required
scripts used to control compilation and installation of the executablefor one program means asking for them for other programs too, since it's the same scripts.
- Appoint a Compliance Officer.
This is a requirement that actually predates my involvement in enforcement. I believe it was instituted at other organizations back in the 1990s. The goal is simple: have a single point of contact who can be reached regarding any future violations.
The goal, as always, is to help a violator become a productive member of the Free Software business community. Ideally, future violation matters should never be escalated very much: the company should have a person that has some expertise about GPL compliance who can work with anyone who might have concerns about any later product.
- Pay Our Cost of Bringing You Into Compliance.
This was the toughest requirement for me to institute, and I struggled for years about whether it was the right thing to do. I avoided it until someone pointed out to me:
If you're doing GPL enforcement for a non-profit, who should pay the cost of doing enforcement: the folks who send you charitable donations to support your other non-compliance work, or the violators who actually violated the license? Indeed, those who donate probably always comply with GPL themselves, so if violators aren't charged the cost of enforcement, compliant people end up subsidizing violations with their donations.
Ultimately, that was a compelling enough argument for me, but there's one other argument: there must be a deterrent. If the cost of violating the GPL is: “you must merely come into compliance when you're caught violating”, then very few companies would comply voluntarily. How many people would always violate the automobile speed limits if, when the driver is pulled over for speeding, all that ever happened was a stern warning?
A few sometimes ask:
well, where does the money go?. This question is why I think it's essential for GPL enforcement to be done by a 501(c)(3) not-for-profit entity like Conservancy. As I wrote in my previous Conservancy blog post, Conservancy's financial documents are publicly disclosed. So, you want to know the details of the enforcement money from FY 2010? Download Conservancy's FY 2010 Form 990, and take a look at Line 4(c) on page 2, Line 2(b) on page 9, and Line 11(b) on page 10. It's as simple as that.
Conservancy's Enforcement Plans
Of course, I encourage everyone to read the rest of the Form 990 too, and note in particular that GPL enforcement is only third on the list of major activities at Conservancy. I've no interest in making license enforcement the primary activity of Conservancy — indeed, it's but one item on Conservancy's extensive list of services, and Conservancy has 27 (and growing) projects to care for. Many of those projects are GPL'd and LGPL'd, and many of them want Conservancy to handle their enforcement, but that work is always balanced with all the other work going on at this thinly staffed organization.
I strongly expect that Free Software license compliance and enforcement
will always be a part of my work. I once heard Larry Wall, founder of
Perl, say (when I was still merely a
Computer Science graduate student):
You can never entirely stop being
what you once were. That's why it's important to be the right person
today, and not put it off till tomorrow. Ever since I heard him say
that, I've held it as a fundamental tenet of what I do in the Free
Software community. I believe GPL enforcement is right and necessary
for the advancement of software freedom. So, I'm glad for the
enforcement I've done, and I'm glad to continue doing GPL enforcement
for as long as projects come to me and ask me to take care of it for
them. Like everything else at Conservancy: I'm glad to do the boring
work so Free Software developers can focus on writing code. GPL
enforcement surely qualifies there.
I admit, though, that I do find litigation particularly annoying, time-consuming, and litigation also makes GPL compliance take longer than it should. That's why litigation has always been a last resort, and that 99.999% of GPL enforcement matters get resolved without a lawsuit. Lawsuits are only an option, in my view, when a violation is egregious, and multiple attempts to begin a friendly conversation with the violator are consistently ignored. Every lawsuit I've been involved with met these criteria. I hope no violation matters ever meet them again, but that depends on how well the violators respond when someone asks them for the complete and corresponding source code for the GPL'd and LGPL'd components in the product.
I hope that someday, everyone just complies voluntarily with the GPL, so I can go do other things — I used to be a software developer, once upon a time, and I'd love to do that again. But, in the meantime, I'm here to enforce the GPL, to defend software freedom.