Superpatterns Pat Patterson on the Cloud, Identity and Single Malt Scotch


CDDL as a middle way

In a recent blog post, James McGovern reckoned that my "perspective on CDDL is somewhat insular and indoctrinated". As I was wondering how to reply to this, there was some discussion on the OAuth mailing list on the merits of different licenses. I posted this to the list this morning:

As you survey the landscape of open source licenses (, you should also consider whether CDDL ( gives you what you're looking for.

Disclaimer - I work for Sun Microsystems, on OpenSSO (, a CDDL-licensed project. However, in this instance, I'm not shilling for Sun, just giving my personal opinion.

Based on the Mozilla Public License, CDDL attempts to balance the interests of different sides of the developer community - on a file-by-file basis, any modifications you make to CDDL-licensed source code must be made available under the CDDL, however, if you build CDDL into a 'larger work' you choose how to license your 'new' files.

This is essentially a middle course between GPL and Apache/BSD/MIT (they're not the same, but they do lie on the same side of the license spectrum). If I license my code to you under CDDL, you are free to use it as a component in a 'larger work', but you must make available any changes/fixes to my code.

Anyway - the main thing is to read the licenses, decide which one best fits your intentions, adopt it, and get back to the code. One thing some people overlook is that, as the actual copyright-holder, you are not bound perpetually by your initial license choice. Although the genie is out of the bottle regarding already licensed code, you can decide to stop licensing future versions under an open source license, switch licenses, add new licenses or whatever. Of course, you would consider the needs and preferences of the community that you have (hopefully) built around your code before taking any of these courses of action!

I truly believe that CDDL offers a useful middle path between the 'viral' (all your code are belong to us) GPL and the 'permissive' (take what you like, just don't sue us if it doesn't work out) Apache/BSD/MIT, and this provides specific benefits for business.

James goes on to extrapolate somewhat from his lawyer friend's opinion:

She mentioned that corporate friendly licenses permit redistribution without restrictions on commercial use and don't have broad retaliation clauses. In reading into her position, I would guess that she doesn't like Sun, IBM or Mozilla but would like likes such as GPL 2.0, Apache and MIT though.

Nice guess, James, but I'd like her unfiltered opinion after reading the licenses (you are correct in your suspicion that I've never had a conversation with any corporate lawyers whose primary business isn't technology). The Apache 2.0 license has a patent retaliation clause (my emphasis:

3. Grant of Patent License.

Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as stated in this section) patent license to make, have made, use, offer to sell, sell, import, and otherwise transfer the Work, where such license applies only to those patent claims licensable by such Contributor that are necessarily infringed by their Contribution(s) alone or by combination of their Contribution(s) with the Work to which such Contribution(s) was submitted. If You institute patent litigation against any entity (including a cross-claim or counterclaim in a lawsuit) alleging that the Work or a Contribution incorporated within the Work constitutes direct or contributory patent infringement, then any patent licenses granted to You under this License for that Work shall terminate as of the date such litigation is filed.

I AM NOT A LAWYER, but this does not seem substantially different from the equivalent section of CDDL:


If You assert a patent infringement claim (excluding declaratory judgment actions) against Initial Developer or a Contributor (the Initial Developer or Contributor against whom You assert such claim is referred to as Participant) alleging that the Participant Software (meaning the Contributor Version where the Participant is a Contributor or the Original Software where the Participant is the Initial Developer) directly or indirectly infringes any patent, then any and all rights granted directly or indirectly to You by such Participant, the Initial Developer (if the Initial Developer is not the Participant) and all Contributors under Sections 2.1 and/or 2.2 of this License shall, upon 60 days notice from Participant terminate prospectively and automatically at the expiration of such 60 day notice period, unless if within such 60 day period You withdraw Your claim with respect to the Participant Software against such Participant either unilaterally or pursuant to a written agreement with Participant.

Understand, I'm not saying that CDDL is the license-to-end-all-licenses, but it is definitely worth considering as an option if you want a middle way.

Filed under: General Leave a comment
Comments (3) Trackbacks (0)
  1. Thanks for unfolding the questions and the assumptions behind them. Thinking of CDDL as a middle way between Apache and GPL demonstrates its potential use, for software development communities. However, I think this is a multi-dimensional "middle," i.e. one dimension has to do with availability of source for what is done, another with greater possibilities for distribution economies. Best wishes, -m.

  2. A fundamental difference between "commercial" and "open source" software developers are the underlying philosophy and perspectives of the entities involved, which is translated in one of a morass of licenses.

    The latter asks: "how can I make money by providing my potential customers with xyz?" while the former usually do not consider their ultimate customers at all — they are scratching an itch.

    The latter want a long line of others to validate their existence by also scratching the same itch!" Validation for the former is making lots of money.

    When the pragmatic perspective of say small businesses comes into play, SMB’s see the former as money grubbers but at least giving them something that works well and speaks to their generalized needs. While the latter are just a bunch of ass scratching, control obsessed zealots.

    Now these zealots want to make money too, but they go about it by trying to find very naïve persons, like on ebay, and selling them free software as part of a web hosting ploy. FREE SOFTWARE FOR SALE! Many of the latter could care less about the ultimate user, they are just plain control freaks who must maintain a heavy hand and who cater to massively large corporations. These are some reasons why Linux in particular and OPen Source in general has failed as a desktop OS

    The single exception, and that exception represents the healthiest and most desirable growth aspect of open source, are the BSD/MIT/Apache folks — Theo Van Raadt’s group with OpenBSD, Apache Foundation, the Postgresql community, etc. Their perspective goes beyond an itch syndrome and transforms itself into creative, purposeful seminal processes that truly advance software for people. If you are an SMB in the know, these licenses are the only ones acceptable.

  3. And if you actually need a patent license that sun is holding back with a TCK license that they tie very non-FLOSS compatible terms with…then it hardly matters what the software license is. I have to admit that I don’t much care for the CDDL, it is long and muddy and I hate to read it without a lawyer present and I don’t really like the company of lawyers that much. On the other hand the new Microsoft licenses are short and clear by contrast…Kind of odd really. (of course…i don’t have warm fuzzies about the FSF licenses either…mainly because I get bored halfway through the manifesto part)

Leave a comment

No trackbacks yet.