

Is Open Source Un-American?

Kerberos and the dangers of embrace and extend

A number of people hammered on the Kerberos issue. For example, Bob Weiler wrote:

Two points regarding Jim Allchin's comments. One is that they have to be taken in light of Microsoft's co-opting of the Kerberos code and their subsequent refusal to share the details of the change on the same basis as they obtained the original specification. This isn't the action of a company that is interested in the well-being of their customers, the American taxpayers, or in fair play.

The other point is sort of an aside, but is worth mentioning. As I understand it, due to the way that stock options are accounted for, Microsoft doesn't actually pay any federal taxes, or at least, nowhere near the same percentage as a 'traditional' manufacturer. Many other tech companies don't either, but then again, those other tech companies don't whine about the GPL either. Microsoft isn't doing anything illegal or unethical here, but it is very hypocritical.

As an actual taxpayer, I'm getting my money's worth from GPL'ed software. I wish I could say the same about Microsoft's products.

Bob Weiler

I replied:

Jim specifically addressed your point about Kerberos in his comments to me. I am not close enough to say that he's right, but he argues that their Kerberos implementation does in fact interoperate. But it does seem to me that there may be some possibility to persuade them to adopt a SISSL-like approach where they document the changes.

Bob replied:

As I understand it, Microsoft's implementation is not interoperable to the extent that you can replace a Win2000 Kerberos server with some other implementation and provide the same functionality to a Win2000 client since the additional functionality is trade secret. As long as you have his ear, you could ask Allchin to release the spec of their Kerberos changes to the public domain. Such an action on his part would speak much louder than words.

I replied:

As a matter of fact, I immediately forwarded your comments on to Jim. I don't know how strategic to Microsoft they consider their enhancements to be, but it would seem to me that this would be a good move on their part.

However, I do want to emphasize the point that you make, since it's a point of disagreement between GPL and non-GPL advocates. GPL advocates argue that failing to make free enhancements to free software is somehow taking something away from the free software community. However, there are many cases where the developers of the software don't in fact support the goals of the free software movement. They put the software out as free software under a non-GPL license precisely because they wanted people to do whatever they wanted with it, including building proprietary extensions if that's what made sense to them. In theory at least, no one is forced to use the proprietary extensions. (I'll come back to that one in a moment.)

I think most of my readers understand the justification for the GPL, and Richard argued the points compellingly in the piece that started this thread. However, I don't see a lot of people sticking their necks out to argue the hybrid view (which, I should point out, is shared by many noted authors of open source software, most of them in the BSD or other university-license camp), in which software source code is released freely to achieve various strategic goals (knowledge sharing, ubiquity, establishment of a standard, goodwill), while other code may be kept proprietary in order to achieve other goals (revenue, control, or whatever).

I'm a big proponent of this view, which says that it's the right of the author of software to dispose of his or her creation in any way that he or she wishes. I take this back to literature. I curse the fact that many an author has requested that his unpublished work be burned upon his death, but I completely honor the right to do so. An author may give her work away, sell it, keep it, or destroy it. No one has the right to Stephen King's next novel because they liked the last one. Ditto for software.

Now, consider the case of a program that's built upon the work of others. If you give me a gift of your program, and tell me I can use it in whatever way I want, I am free to give it away in turn, to keep it for myself, or to incorporate it into a new product of my own, which I might sell rather than give away. If on the other hand, you give me that same gift with the stipulation that I must give away anything I build with it, then I should follow that stipulation, or not use the software.

"I support Microsoft 100% in their right to build and distribute a set of proprietary extensions to Kerberos ... If the original authors of Kerberos didn't want them to have that right, they should have used the GPL."
-- Tim O'Reilly

This is the situation with free software. We have a well-known license that says "I'm giving you a gift. You may pass it along to others, or build on it. But if you do so, you must give it away with this same requirement." We also have well-known licenses that say "it's okay to do whatever you want with this, including building proprietary extensions."

So I want to be absolutely clear that I support Microsoft 100% in their right to build and distribute a set of proprietary extensions to Kerberos, if that's what they want to do. If the original authors of Kerberos didn't want them to have that right, they should have used the GPL. I strongly urge any author who wants their software to be kept free and not used as the basis for proprietary extensions to use the GPL. As Richard argues so eloquently, it's the best tool we have to ensure ongoing freedom of a piece of software.

But I also urge the proponents of the GPL style of software freedom not to muddy the water by asserting that their goals are also the goals of all free software authors. I remember Bob Scheifler of the X Consortium (who is one of my heroes) stating so clearly that he was developing software that he wanted to be used as a base for further development, whether that development occurred as free or proprietary software. I don't know whether the Kerberos authors shared Bob's "build a platform" objectives, but they used a similar license. If they regret that choice, they are free to say so.

So, if I believe Microsoft has the right to build proprietary extensions to software like Kerberos, why do I believe they should release those extensions? The reasons are pragmatic. Here are some possible answers (Microsoft would have to explain the actual ones they choose):

  1. There is good evidence that freely available software and source code leads to unexpected innovations and other improvements (e.g. bug fixes) from people you don't already know. In the absence of any good reason for keeping software proprietary, giving away unrestricted source should be the default behavior whenever building on any previously free software.

  2. Goodwill. There are a lot of people who are mad at Microsoft on principle, or because of various hyper-competitive things they've done. Any goodwill points that can be earned can help to even the scale, and make people more forgiving in other areas where Microsoft feels a business need to be more aggressive.

  3. Standards. Microsoft has enough market power to make its own de facto standards in many cases. However, I don't think that network security infrastructure is one of those areas. It's still a multi-platform world when it comes to networking, and the industry as a whole would benefit from agreement on some common standards in this area. When we spoke last week, Jim said as much in explaining why they chose to build on Kerberos rather than starting from scratch in the first place. If common standards are the goal, I'd argue that Microsoft could get there faster by open sourcing their extensions (or at least documenting them completely and openly).

In short, unless Microsoft has big revenue plans for Kerberos, or has a deliberate strategy of co-opting the Kerberos framework so that it becomes not an open industry framework but a proprietary Microsoft one, I'd urge them to free their enhancements.

This last point is a key one. What a lot of independent developers fear is that Microsoft's "embrace and extend" strategy is deliberately designed to take software out of the public domain, and make it Microsoft property. This goes to the heart of the antitrust discussion that's been going on for the past few years. For any other company to make proprietary extensions to industry standards or to free software is likely commercial suicide. But Microsoft has sufficient market share and market power to establish their proprietary extensions as a de facto standard. And this does end up taking away the gift that was originally given, even from people who don't want to use Microsoft products.

Even if this isn't a deliberate strategy, it is an ever-present reality for most developers. Microsoft is the proverbial 800-pound gorilla, and as a result, they need to tread especially lightly when extending free software or open standards. Microsoft will argue, quite rightly, that no one is forced to use their proprietary extensions, that they are a benefit to their customers, and that there's no need to make them available to non-customers. However, because of Microsoft's unique position in our industry, and past history of "embrace and extend" used to "de-commoditize internet protocols" (cf. The Halloween Documents), this position is taken to be somewhat disingenuous by their competitors and critics.

Since I'm on a roll here, I want to clarify just why a company like Microsoft might want to keep software proprietary: money. There's no question that proprietary software has a better business model than free software. (It may not have a better development model, but that's another story.) It's certainly possible to make money with free software, but unless someone demonstrates otherwise, I think it's fair to say that none of the known free software business models produce Microsoft-sized returns. Bob Young of Red Hat once remarked, "My goal is to shrink the size of the operating system market." He believes that Red Hat can own a big share of the smaller pie that would result from making operating systems into a commodity, and so that's a net win for both his company and for customers.

Given the fact that Microsoft is under attack by new business models in which their old cash cow is commoditized, I think it's quite understandable why they would want to use every trick in the book to hold onto their current dominance. Apart from the special requirements of antitrust law, there's no law that says they have to be nice guys in their attempt to do so. In fact, you can even argue (as they no doubt do) that their fiduciary responsibility to their shareholders gives them a moral imperative to defend their business with every tool at their disposal.

My argument for a more open, standards-compliant Microsoft comes from an entirely different point of view than Richard's moral argument for free software. In essence, it is this: software is being commoditized, whether you like it or not, just as computer hardware was commoditized by the introduction of the IBM PC. You can be Apple or Digital, who hung on to their proprietary hardware business model until it was too late, or you can be IBM, who realized the sea change in the industry (and is doing so again), and migrated their business towards a future in which proprietary hardware was not their core business advantage.

In the age of the Internet, it's open standards and network protocols that are going to provide the next platform. What business advantage can you build on that foundation?

Bob then put in the last word. He says he can't disagree with what I've said, but I don't know that I can disagree with what he's said either.

It is clear that you have invested some thought on this, and I don't actually find anything to disagree with here. I was going to write you a fairly long missive, but it wouldn't be fair to make you wade through all that. The bottom line for me is that when Jim Allchin says 'the GPL is un-American', I hear it as 'the GPL is bad for software monopolists in general, and therefore, bad for Microsoft'. Basically, Jim is making the argument that 'what is good for Microsoft is good for the country'. What's more, he is suggesting that legislators should do something about it, in particular, he apparently thinks the government should not allow grant recipients to GPL the software that they write. I don't buy it.

I can see why Jim is worried, the GPL is bad for Microsoft and bad for Microsoft shareholders. I myself expect to be Microsoft-free by the next release of Linux distributions because of GPL software. However, I can envision GPL'ed software being successful enough that Microsoft is no longer a monopoly, but I can't envision any scenario in which Microsoft is not a large and profitable company. There is nothing preventing Microsoft from packaging and selling GPL'ed software in areas where they don't see that they can innovate, and nothing preventing them from spending their development dollars on proprietary software in areas where they think they can innovate. In fact, in essence, the GPL frees Microsoft and other software companies from the cost of developing commodity software so they can spend all of their development resources on innovation.

But Microsoft isn't really all that interested in innovation, they are interested in preventing competition. I don't see any reason why the government should be forcing licensing terms on developers to help them out.

