Open Source Security

Not with a bang, but a whimper

Roy Fielding[1] finally quit the OpenSolaris community today, see his resignation letter[2]. The kettle finally boiled over and the realization came to many (but not all) that Sun is publishing their Solaris code for marketing purposes, rather than creating an independent, community-led, open source project with the ability to make real decisions.

It seemed so promising at first: “[T]hey made promises about it being an open development project. … Sun gave up its right to make arbitrary decisions regarding the phrase ‘OpenSolaris’ as part of its public agreement with the community in the form of the Charter. That was a self-imposed restriction in exchange for the benefits of community-driven development, freely made, and cannot be changed except in accordance with the charter itself (for example, by amending or dissolving the charter).” (excerpt from Roy Fielding’s resignation letter) But it was a sham: “The charter has therefore been violated. … Sun agreed that ‘OpenSolaris’ would be governed by the community and yet has refused, in every step along the way, to cede any real control over the software produced or the way it is produced, and continues to make private decisions every day that are later promoted as decisions for this thing we call OpenSolaris.” (excerpt from Roy Fielding’s resignation letter)

To be fair, most developers recognized the community as a sham right away merely based on the copyright and patent assignments required by the contributors agreement[3]. To date, Sun has received 578 patches[4], which represents a rate of 0.6 patches a day (first patch dated 6/17/05, there were some earlier undated contributions). Linus gets more patches while he is brushing his teeth than OpenSolaris gets in a week. Despite Roy’s efforts to build a real community, contributing to OpenSolaris always has been and seemingly always will be, corporate welfare.

For me, the realization that Sun just doesn’t get it, and never will, was crystallized the day I was turned away from an OpenSolaris Users’ Group meeting for refusing to sign an NDA.

It is a credit to the Solaris engineers that a few hearty souls want to soldier on amidst the wreckage: “Nonetheless I believe the time has come for a reboot and I am looking for other like-minded people to stand and form a full Board for positive change.”[5] And others who are even contemplating forking: “We will need to build out our infrastructure so that we can host development, mailing-lists and etc.. Once that is done, we will need to make the case to start moving development to the new organization/infrastructure. This will mean that even Sun employees will have to choose to move their development work to a community ‘controlled’ development infrastructure.”[6] It is to them, that I dedicate the title.

[1] http://en.wikipedia.org/wiki/Roy_Fielding
[2] http://mail.opensolaris.org/pipermail/ogb-discuss/2008-February/004488.html
[3] http://www.opensolaris.org/os/about/sun_contributor_agreement/
[4] http://www.opensolaris.org/os/bug_reports/request_sponsor/
[5] http://mail.opensolaris.org/pipermail/ogb-discuss/2008-February/004487.html (Yes, the author of this email is a Sun employee.)
[6] http://mail.opensolaris.org/pipermail/ogb-discuss/2008-February/004477.html

21 Responses




  1. Hi, Emily … can you tell me more about your user group experience? I will follow up on that immediately. Thanks. — Jim

  2. Emily Ratliff




    Hi Jim,

    Thanks for your interest. I tried to attend the very first user’s group meeting in Austin. Unfortunately, since it was held at the Sun site, signing in to attend the event required all attendees to sign the NDA on the standard visitor’s access agreement. I complained about it and was told in no uncertain terms that it was either sign or leave. Another user who was waiting to be escorted to the room said that I wasn’t the first person to be turned away. It was the very first user’s group meeting here in Austin, so it has probably been at least a year and a half since that took place.

    Thanks,

    Emily




  3. Ah, ok. Building security. That’s a pain in the butt for us too sometimes. :) I just wanted to make sure the NDA wasn’t specifically related to OpenSolaris. There are no NDAs on OpenSolaris, so that’s why it jumped right out at me. However, for the inconvenience and confusion I certainly apologize. We do have many user groups run by Sun people around the world, and if they hold meetings at Sun facilities they have to work with the building security policies in their area. Many do that pretty easily now, but when we started a couple of years ago it caused a bit of confusion. But for some groups it’s more difficult, so they choose to go to a bar or a restaurant, and I know some of the bigger groups have relationships with local universities and companies to use larger facilities. Anyway, I’ll send a note to the Austin guys with this link. Perhaps they’ll have a better explanation than I have. :) Or better yet, perhaps they are meeting at different locations now. — Jim




  4. I agree with Jim, it sounded like the requirement to sign something was around building security and not something concerning OpenSolaris (which has nothing requiring an NDA in any fashion.)

    Emily, I also think you paint an overly pessimistic view of the contributions to date. The fact is that the source code for OpenSolaris came from the open sourcing of Solaris itself. Sun did not and could not simply cease the development of the latter while it built the infrastructure for the former. So what’s happened over time is the work of a number of people both within and outside of Sun to move all the various bits of infrastructure (from the source code management system (SCM) to the bug tracking system to the architectural review mechanism) outside of Sun.

    Some of these pieces of infrastructure have mostly moved out and some haven’t. But please don’t paint things with such a broad brush just because we’re still in a state of transition. It’s a lot harder to take something previously proprietary that is still vibrant in its own right, then open source it and then help build a community around it. At least Sun didn’t just throw the code over the wall a few years ago.

  5. Emily Ratliff




    Hi David,

    Yes, the NDA was a standard part of the visitors access form that everyone has to fill out and sign in order to visit Sun facilities and nothing secret about OpenSolaris was going to be disclosed during the meeting. But rather than being exculpatory as you seem to think, that just makes it worse. OpenSolaris users (more than just me) were being turned away from an open meeting for being unwilling or unable to sign an NDA that didn’t matter anyway. Not everyone is willing to sign legal documents willy nilly. I’m glad to hear that many or most other user’s groups no longer meet on Sun facilities. During the time that I regularly attended the Austin Linux User’s Group meeting, I was never asked to sign an NDA though the group met on many different companies’ and government agencies’ secure facilities.

    I agree that throwing code over the wall would have been a lot simpler and that creating the OpenSolaris infrastructure has proven to be harder than anticipated. I also agree that from a Sun perspective the OpenSolaris efforts have been successful primarily from a marketing perspective.

    How long do you expect the state of transition to last? Do you expect that once the transition is complete that developers will come out of the woodworks?

    I will continue to watch with interest the evolution of the community. But unlike you, I don’t expect that when you have finally finished building it that the developers will come. There have been too many breaches of trust (prohibitive SCA, too few non-Sun employees on the OGB, previous versions of documents (SCA and roadmap) just disappearing, closed door power port superseding the open effort … Project Indiana is just the latest in the long stream of community busting events.) and too little power of self-determination granted to the community.

    I wish you the best of luck,

    Emily




  6. “To be fair, most developers recognized the community as a sham right away merely based on the copyright and patent assignments required by the contributors agreement[3].”

    The FSF, Apache Foundation, and many others require the same thing. Are they a sham too?

    Sorry, but I can’t blame Sun for wanting to avoid the mess that Linux has had with copyright assignment for their contributions. The copyright assignment ensures that the community can change the license later, if it sees fit, and helps prevent possible future legal issues.

    Without a signed, legal statement from an individual, it is impossible to guarantee the veracity of contributions.

    I have participated in many open source projects over the years; I have absolutely no problem signing agreements to contribute to them because I realise the dangers involved of taking contributions without any guarantees attached.

    I do not work for Sun, and I am one of those independent developers that Sun hoped would help.

    I do have issues with how Sun has handled the naming issue, but I believe that their choice to name the results of Indiana “OpenSolaris” is the right thing to do.

    I also think you’re being a bit over-dramatic about “wreckage”; remember that the OpenSolaris community has tens of thousands of members, but only a few hundred tend to participate in mailing list discussions. As such, I suspect that without an official community wide vote, it is disingenuous at best to claim that the community’s viewpoints are known.




  7. “too few non-Sun employees on the OGB”

    As to your comment about that; blame the community. All of the people with voting rights have chosen to elect Sun individuals. Sun is in no way responsible for the fact that all but one person on the OGB is or was a Sun employee.

    I know; I was one of the community members that “ran” for the last OGB election.

    If community members want to see non-Sun individuals on the OGB, they will have to elect them.




  8. Preamble: Yes, it’s a mess. As you note [5] I am trying to work out what to do next. Not to defend the mess, but I’ve comments on some of your portents of doom.

    NDA: I’m not sure it’s fair to blame the User Group for lousy policies by their host, unless it was still in place second time around – have you returned? You have been very lucky not to encounter this common problem before – for example, Google had exactly the same requirement at their London office in Victoria when I attended a community meeting there recently. As it turns out, the requirement is easily set aside at Sun premises and the Sun folks offering the premises to the User Group ought to have known – did you summon one of them?

    Contrib Agreement: Actually, this is a best-practice recommended by the FSF(1) and used by Red Hat, Novell, MySQL and many many others (even Apache has one). Sun’s is the best there is in my view. You may not like it generically, but I fail to see why it’s a sure-fire indicator of failure in this case.

    OGB composition: The interim OGB that Sun selected was dominated by non-employees. The current composition reflects the voting by the membership rather than Sun’s preference.

    (1) http://www.softwarefreedom.org/resources/2008/foss-primer.html#x1-110002.3

  9. Emily Ratliff




    Hi Shawn and Simon,

    I do draw a distinct difference in assigning the rights to a non-profit foundation versus a for-profit company.

    As for the comment about wreckage, I meant that as my own characterization not as an indicator that I polled the OpenSolaris community and speak for them. I speak merely as an observer.

    I have not returned. Shame on Google.

    What percentage of the voters were Sun employees vs. non-Sun employees?

    Best of luck to you both, if the OpenSolaris community has any chance of survival it will be due to your efforts.

    Emily




  10. > Shame on Google

    As I recall, even IBM used to have the same requirements when we held BCS meetings at Hursley Park. That was over 8 years ago, but you should expect to see all corporations attempt to make visitors sign-in like this by default. I now assume it will be the case (wherever I am holding meetings, Sun or elsewhere) and negotiate it away or pick another venue.

    > Best of luck

    Thank-you. There are many different approaches to open source and I think OpenSolaris can devise a path of its own.

  11. Emily Ratliff




    > all corporations attempt to make visitors sign-in like this by default

    Just to be clear, I am not objecting to signing in. I’m objecting to signing an NDA as part of the sign in procedure. I don’t mind letting the company know my identity, I do mind being compelled to sign a legal agreement that says that I won’t share anything confidential that I learn while on site. As it was explained to me by the receptionist, they were worried that attendees would glean confidential information from print-outs that might have been left laying around and thus wouldn’t waive the NDA built in to the visitor’s access application.

    Emily




  12. Emily, as Simon says I believe it’s up to each facility. At the Silicon Valley OpenSolaris group meeting, which does meet at a Sun facility in Santa Clara, there is no NDA required to be signed. In fact, the last couple times I attended there was no formal sign in at all.

    I don’t know how long the transition will take – I could make excuses as to why it’s taken so long but I’m sure you don’t want to hear those. Instead, I believe that substantial progress has been made on a number of fronts. I believe the primary Mercurial repository will be out in the next several months along with at least one of the other consolidations. All of the work for the Indiana project is already being done completely out in the open and there are a number of outside contributors integrating changes directly with any sponsor. And there has finally been progress on a bug tracking system, something which has been tricky since Sun has its own internal bug system which is used for previous versions of Solaris and coordinating those will require an effort.

    If you look at the mail archives for opensolaris-arc@opensolaris.org, you’ll see the architectural review for almost all of the work being done for OpenSolaris is completely out in the open (yes, there are still an occasional closed case but those either are due to clerical mistake or for the rare but real proprietary case.)

    Perhaps it’s a difference in seeing things as being half-full versus half-empty. I’m as frustrated as anyone that certain things have taken as long as they have but I believe strongly that there will be significant improvements seen on a number of fronts this year.




  13. [...] sense that anything would change. There were a few blog mentions from people outside the community (Emily Ratliff on the 14th, rippling to Michael Dolan on the 15th, which in turn rippled to Jim Grisanzio on the [...]

  14. Simon Phipps




    > previous versions of documents (SCA and roadmap) just disappearing,

    Just so you know, I have now made sure that all previous versions of the SCA are available at http://www.sun.com/software/opensource/contributor_agreement.jsp




  15. [...] So that explains why it’s taken three long years to try to get basic open source development tools (such as putting Open Solaris source code in a distributed SCM located outside of the Sun firewall) for Open Solaris. It never was Sun’s intention to try to promote a kernel engineering community, or at least, it was certainly not a high priority for them to do so. This can be shown by the fact that as of this writing they still are using the incredibly clunky requestor/sponsor system for getting patches into Solaris; setting up a git or mercurial server is not rocket science. This lack is why Linux gets more contributions while brushing his teeth than Open Solaris gets in a week. [...]




  16. [...] source camp, instead it’s more like they just want to take some advantage. OpenSolaris is slow in development progress, and there are complaints. For MySQL, they announced some of the new features [...]




  17. [...] Open Source Security » Blog Archive » Not with a bang, but a whimper Linus gets more patches while he is brushing his teeth than OpenSolaris gets in a week. (tags: open-solaris linux) [...]




  18. [...] detailing disputes over control of OpenSolaris and the Sun-driven OpenDS directory projects, from February 2008 and November 2007. Sun declined to comment on the specifics of these issues and noted they both [...]



