What Is An API? The Clue Is In The Name…

At the end of my testimony in the recent Oracle v Google trial in San Francisco, Judge Alsup asked me to explain what an API is. My answer aimed to simplify the answer for a general listener while remaining recognizable to most programmers. Here’s what I said.

Time For A Security Team For OpenJDK

In my InfoWorld column today I consider the recent news that Java 8 is going to be substantially delayed because Oracle’s development staff have had to focus on security issues. I wonder if fully and inclusively engaging the community – especially with a proper security team like other open source communities use to great effect – would help avoid similar delays in the future?

☝ Is Open Source Good For Security?

I’ve two stories about the discovery and resolution of bugs in important software packages – Solaris and Java – that suggest a properly-functioning open source community gets security problems fixed faster than a closed process. Read about it on ComputerWorldUK.

☆ Rating OpenJDK Governance

I used to be a member of the Interim Governance Board for the OpenJDK project I helped Sun start to host an open source implementation of the Java platform under the GPL. For various reasons, the governance was never fully defined and the entire subject has been silent for over a year. There’s other context I assume most readers understand listed on CWUK. This week, news emerged that I am no longer a Board member (neither a surprise nor an issue for me), and that a governance proposal has been published.

How does the proposed OpenJDK governance fare when ranked against the open-by-rule benchmark I outlined earlier in the week? Scoring below involves +1 for each positive implementation of a rule, zero for each non-detrimental implementation or omission and -1 for each implementation that detracts from an open-by-rule governance.

Rule: Open, Meritocratic Oligarchy

Data: “The Governing Board consists of five individuals:

  • The Chair, appointed by Oracle;
  • The Vice-Chair, appointed by IBM;
  • The OpenJDK Lead, appointed by Oracle; and
  • Two At-Large Members, nominated and elected as described below.”

Evaluation: This is initially a closed plutocracy comprising mostly people who have never been involved in OpenJDK, as long-term Free Java leader Mark Wielaard has pointed out. The initial Board is all appointed by Oracle and IBM and they have picked only people they can trust to represent them and taken few risks (only Doug Lea has spoken out in the past, when he resigned from the JCP) and omitted key OpenJDK contributors Red Hat and Google (and recent joiner Apple). Future Boards will always comprise at least two Oracle staff and one IBM member. Interestingly, this is not conformant with the original OpenJDK Charter, which gave a majority of seats to elected representatives.

There is scope for the Board to be grown in the future and it’s theoretically possible eventually for the Board to have community-appointed members outnumbering the Oracle-IBM axis, but the rules are poorly defined and there’s undoubtedly scope for them to be gamed in order to maintain control.

Scoring 0 for closed/open given the benefit of doubt for the possible expansion process; -1 for non-meritocratic majority; -1 for non-representative oligarchy.

Score: -2

Rule: Modern license

Data: (not mentioned in governance)

Evaluation: OpenJDK uses a complex licensing arrangement based on GPLv2 plus a variety of exceptions. GPLv2 has decent implied patent protection according to most legal sources I have consulted. It’s actually a good combination of licensing both for software freedom and as the basis for Oracle to build a business around the code, but it’s not mentioned anywhere in the governance so could presumably change at any time based solely on Oracle’s choices.

If the governance committed to maintaining GPL as the license I’d score this as +1 but the lack of mention makes it 0.

Score: 0

Rule: Copyright aggregation

Data: “A Contributor is a Participant who has signed the Oracle Contributor Agreement or who works for an organization that has signed that agreement or its equivalent. Only a Contributor may submit anything larger than a simple patch.”

Evaluation: Copyright is explicitly aggregated solely in Oracle’s hands. There are actually good historic reasons for this and without it I doubt that either IBM or Apple would be involved in OpenJDK since it would be impossible for Oracle to privately license the resulting Java implementation to them under terms they would accept (neither of them like GPL). Furthermore it allows the existing Java licensing arrangements to be sustained, meaning OpenJDK can be the locus of development for Java SE.

While I would rather see the overall copyright vested in a non-profit foundation, the pragmatic balance of factors means I score this as 0.

Score: 0

Rule: Trademark policy

Data: (not mentioned in governance)

Evaluation: The OpenJDK trademarks are all dealt with outside the scope of the governance and are the exclusive property of Oracle who even claim control of their use within the source, a context I’m surprised to see alleged trademark law is applicable. This clearly scores -1.

Score: -1

Rule: Roadmap

Data: “If a Governing Board member objects in good faith to a technical or release decision made by the OpenJDK Lead then that decision may be appealed via the following process.”

“JDK Release Projects may only be proposed by the OpenJDK Lead and may only be Sponsored by the Governing Board.”

“Every OpenJDK Member will have the opportunity to propose features for inclusion in JDK Release Projects, and decisions about which features to include will be made in a transparent manner.”

Evaluation: Despite being intended to ensure “that sufficient infrastructure is available to Community members” there’s no mention of how releases will be conducted – there should at least be baseline principles. There’s an appeals process, but it is only open to Board members and there’s a clear intent that the roadmap is at Oracle’s sole discretion. This especially applies to JDK releases. The nod towards transparency is a positive sign but contradicted by the appeals process.

While this is all nothing new, it’s hardly “open-by-rule” so a clear -1.

Score: -1

Rule: Multiple co-developers

Data: There’s a cross-section at FOSDEM.

Evaluation: OpenJDK is blessed with enthusiastic co-development from both independent community participants and from corporations like Red Hat, Google and now Apple. It’s a shame verging on an insult that they weren’t involved in creating or starting the governance, but overall this is OpenJDK’s biggest strength and a clear +1 score.

Score: +1

Rule: Forking feasible

Data: IcedTea, multiple co-developers, Classpath history

Evaluation: The code is under the GPL, but the copyright is aggregated by Oracle and the trademarks all belong to them. There are enough co-developers outside Oracle to sustain a fork (after all, Classpath was a viable Java implementation before and IcedTea is still running). Chances are that IBM is subject to a no-forking agreement in return for lending its credibility to the governance. The documentation is subject to rules intentionally designed to prevent them being used on a fork.

Overall, this is a tough rule to score but on balance I think forking would be tough but possible. Given all the factors making it tough, I score this as 0.

Score: 0

Rule: Transparency

Data: “I’m happy to report that, since last November, I’ve been doing just that: Drafting a set of Community Bylaws in collaboration with John Duimovich and Jason Gartner of IBM, Mike Milinkovich of Eclipse, Prof. Doug Lea of SUNY Oswego, and Adam Messinger of Oracle.”

Evaluation: Despite having roots in the work of the previous governance board (which also inherited ideas from OpenSolaris), the governance itself has come from nowhere and that bodes ill for future transparency, no matter how often the word is used in the document. The track record for OpenJDK has shown a mixed history for transparency. The corporate pressures are likely to mean lots of back-room dealings and the governance does little to prevent them.

Again, tough to score. I’m tempted to score this as -1 but the fact there’s a public governance at all and that Mark promises there will be a ratification step (albeit undefined) makes me give the benefit of the doubt and thus a score of 0.

Score: 0

Summary (scale -10 to +10): -3

That score isn’t as bad as it could be, but given that

“The goal of these Bylaws is to foster the long-term health and growth of the Community by enabling and encouraging its members to act in an open, transparent, and meritocratic manner.”

I think there’s still plenty of work required to make them fit for purpose. I’m offering these comments in the spirit of contribution and dialogue. I’d be pleased to help the OpenJDK project in any way I can if they wish during the drafting and ratification process. I’ll be at FOSDEM this weekend speaking on this subject in the Free Java DevRoom, so meet me there if you’d like to discuss anything.

I have hoped from the beginning that OpenJDK would be an open-by-rule community in which everyone with a commitment to Java can participate as equals. Let’s hope this new development can deliver on that vision.

☝ Corporate Open Source Case Studies

The last week has provided a number of interesting – and perhaps surprising – case studies in corporate engagement with open source. This Monday’s Link Post takes a look at Microsoft and Silverlight, Symbian, Oracle and Java and Canonical and GNOME, over at ComputerWorldUK.

⚐ Gosling Webcast

Next week JavaZone, the conference that brought you Lady Java and Java Forever will be held in Norway. To celebrate the opening of the new ForgeRock Norway office, we’ve arranged for a party just before the conference starts, on Tuesday evening. If you are in Oslo and would like to attend, please send an RSVP to the address on the web site.

As part of that, James Gosling and I will be “beaming in” via webcast to give short talks and maybe even answer a few questions. If you’d like to join the webcast (using DimDim), please register on our website.