Open source licence series - R3: The world needs audit licenses
Open source grew, it proliferated… and it became something that many previously proprietary-only software vendors embraced as a key means of development… but the issue of how open source software is licensed is still the stuff of some debate.
The Computer Weekly Open Source Insider team now features a series of guest posts examining the ups & downs and ins & outs of open source software licensing.
Mike Hearn, lead platform engineer at enterprise blockchain company R3 writes from this point forward.
Why the world needs audit licenses
Many [software] programs grant the right to share and modify their source code.
The rapid spread of this model has enabled the software industry to scale up to larger codebases that would have been completely impractical if every component required a complex approval and purchase process. Just as importantly, it helped mitigate lock-in risk, enabling organisations to utilise ever bigger and more powerful platforms without associated exposure to vendor exploitation or stagnation.
I want to look at why the world needs audit licences.
Walking the open core tightrope
The so-called ‘open core’ model is hard to get right.
[As we know, the open-core model primarily involves offering a “core” or feature-limited version of a software product as free and open-source software, while offering “commercial” versions or add-ons as proprietary software.]
A common error is to open too much, leading to a Docker-style situation in which your commercial version is duplicated by other firms, leaving you with no business and a large maintenance bill. Other firms bet on becoming a managed service provider but find themselves forced into a license change when big cloud operators prove better at selling services than they are.
The key is for open source platforms to get the balance right. Corda, an open source, decentralised database platform, is one example.
Editorial flag: Corda is developed by R3, so Hearn is talking about his own company’s product. The software is an enterprise blockchain platform: developers write an application that is deployed on open source Corda, and firms running the enterprise version can interoperate with those using the open source edition.
Corda focuses on the needs of the largest companies and thus comes with an extended commercial version. Although still in its early days, it appears to be walking on the right side of the open core tightrope. As a result, customers choose to support the ecosystem and themselves by purchasing the enhanced version. Yet, some users do go live on the fully open source edition, pointing to a low lock-in risk.
Developers behind open source platforms need to recognise the importance of keeping customers happy, or else they may simply leave the platform. By collectively insisting on open core licensing, enterprise blockchain users put themselves into a powerful position over vendors, befitting the decentralised ethos of the space.
I’d also point out that better security needs a new approach to licensing. With security demands increasingly coming to the fore across all sectors, licensing has to keep pace with this trend.
Enclave-oriented computing
Bringing enclave-oriented computing to the mainstream could be the security solution needed.
Enclave technology like Intel SGX enables a client to audit the code running on a remote server. A cryptographic ‘handshake’ reveals the hash of the program you’re securely connected to. Enclaves allow the removal of trust from a service operator: now anyone can audit the workings of a service and prove to themselves how data gets used. Think of it as an automatically enforced privacy policy. It is even possible to build services where the service provider doesn’t see any data at all.
Editorial flag: Hearn’s comments are valid and interesting, but it is worth noting that he is again steering the conversation towards technology that his company develops. As noted on Ledger Insights, Conclave – a play on enclave – is the name for R3’s research product which hopes to make ‘enclave-oriented computing’ (EoC) accessible to developers.
For this scheme to work, users must be able to read and compile the source code of the service. Open source licenses automatically meet this requirement, but it’s unreasonable to expect all enclaves to be fully open source. We need audit licenses – new agreements that allow understanding and replication of the enclave build without granting distribution or modification rights.
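As an added illustration of the audit flow such a license must permit (constructed example code, not R3’s or Conclave’s), a client rebuilds the service from the source it is allowed to read and compile, hashes the result, and compares it with the measurement presented during the attestation handshake. The source tree, the report format and the HMAC-based “signature” key are stand-ins for a real toolchain and a platform-signed quote.

```python
"""Simulated audit-license verification: reproduce the enclave build from
source, measure it, and compare with the measurement from the handshake.
Constructed example; the build step, report format and key are stand-ins."""
import hashlib
import hmac

# Constructed source tree that an audit license lets the user read and compile.
SOURCE_FILES = {
    "main.rs": b"fn main() { process(load_input()); }\n",
    "policy.rs": b"fn process(d: &[u8]) { /* never log d */ }\n",
}

# Hypothetical key standing in for the platform vendor's quote-signing key.
ATTESTATION_KEY = b"constructed-attestation-key"


def reproducible_build(files: dict[str, bytes]) -> bytes:
    """Deterministic stand-in for a compiler: sorted names plus contents.
    A real build must be bit-for-bit reproducible or the audit cannot work."""
    out = b""
    for name in sorted(files):
        out += name.encode() + b"\0" + files[name] + b"\0"
    return out


def measure(binary: bytes) -> str:
    """The measurement (hash) an enclave platform reports for loaded code."""
    return hashlib.sha256(binary).hexdigest()


def make_report(measurement: str) -> dict:
    """Server side: the attestation report handed over in the handshake."""
    tag = hmac.new(ATTESTATION_KEY, measurement.encode(), "sha256").hexdigest()
    return {"measurement": measurement, "signature": tag}


def audit(report: dict, files: dict[str, bytes]) -> tuple[bool, str]:
    """Client side: authenticate the report, rebuild from audited source, compare."""
    expected = hmac.new(ATTESTATION_KEY, report["measurement"].encode(), "sha256").hexdigest()
    if not hmac.compare_digest(expected, report["signature"]):
        return False, "report signature invalid"
    local = measure(reproducible_build(files))
    if not hmac.compare_digest(local, report["measurement"]):
        return False, "remote code differs from audited source"
    return True, "remote enclave matches audited source"


if __name__ == "__main__":
    report = make_report(measure(reproducible_build(SOURCE_FILES)))
    print(audit(report, SOURCE_FILES))
    tampered = dict(SOURCE_FILES, **{"policy.rs": b"fn process(d: &[u8]) { log(d); }\n"})
    print(audit(report, tampered))  # source the user audited no longer matches
```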
Trade secrets must be protected without creating awkward processes. There’s no reusable out-of-the-box license that meets these needs as it’s rarely been a requirement before. However, developing such licenses and open source text can enable a new era of enclave-oriented computing for everyone.