jxself.org

Foundations Aren't a Silver Bullet

Sun, 22 Sep 2024

I recently read a blog post extolling the virtues of software foundations as guardians against the dreaded "rug pull," where software is abruptly proprietarized, leaving the community in the lurch. The author argued that having a foundation backing a project provides a safety net, ensuring its continued freedom. While this notion sounds appealing, it's essential to recognize that the mere existence of a foundation doesn't automatically guarantee protection. The reality is more nuanced, and a foundation's effectiveness as a safeguard depends on its type and the degree of control it exercises over the project's licensing and copyright. Let's delve deeper into these factors, exposing the problems.

A foundation's tax-exempt status is a critical, often overlooked factor that dramatically shapes its core mission and legal obligations. The Internal Revenue Code classifies non-profit organizations into various categories, each with its own rules and obligations. Two common types encountered are 501(c)(6) and 501(c)(3) organizations. The difference between 501(c)(6) and 501(c)(3) organizations can be likened to a fork in the road, leading to vastly different outcomes for the projects they oversee.

501(c)(6) Organizations: Think of these as clubs for businesses. They exist to further the collective business interests of their member companies. While they might support free software projects, they do so because it's in their member companies' business interests. Their primary duty is to their member companies, even if those interests clash with those of the broader community.

501(c)(3) Organizations: These are the charities of the foundation world. Their mandate is to operate for the public good. While they might collaborate with businesses, their ultimate allegiance lies with the community and the general public.

This fundamental distinction in legal obligations can dramatically influence a foundation's priorities. A 501(c)(6) foundation, facing a conflict between the community's desire for freedom and its member companies' interests, might be compelled to make decisions that favor the business interests of its member companies, because that is what the law requires, even if those decisions conflict with the broader free software community. This reminds me of the disclaimer often used by legal professionals: "I am an attorney, but I am not your attorney." In this context, the foundation might analogously say: "I am a foundation, but I am not your foundation." This potential conflict of interest should be a red flag, urging caution when considering the long-term freedom of a software project. In contrast, a 501(c)(3) foundation is bound to prioritize the public interest because that, too, is what the law requires, making it a far more reliable guardian of free software. For example, the Free Software Foundation is a 501(c)(3) organization.

I know of some who argue that the distinction between 501(c)(3) and 501(c)(6) organizations is trivial. In an ideal world of puppies and rainbows, this might seem plausible. However, preparing for conflict is crucial when establishing a foundation to protect a software project's long-term freedom. A 501(c)(3) organization is legally bound to serve the public good, providing shelter when rainbows disappear and the proverbial storm cloud approaches. On the other hand, a 501(c)(6) organization prioritizes its members' interests, which might not align with the software project's needs. In a clash, would you rather have an entity obligated to protect you or one obligated to serve those controlling the elements? The choice is clear when considering long-term freedom.

A project's licensing model also plays an essential role in its ability to resist proprietarization. Strong copyleft licenses, such as the GNU Affero General Public License (AGPL), create a robust defense mechanism. That license mandates that any modifications or derivative works must be released under the same license, ensuring the software's freedom is preserved. Moreover, when a project has multiple copyright holders combined with a strong copyleft license, the distributed nature of the copyright makes it significantly harder for any single entity, even a foundation, to unilaterally alter the licensing terms.

Conversely, non-copyleft licenses offer no defense against proprietarization, opening the door for the foundation to make the software proprietary. I'm again thinking of the difference between a 501(c)(6) and a 501(c)(3) if the organization were to determine that changing the license was in the interests of its member companies.

Some foundations collect project contributors' copyright assignments or Contributor License Agreements (CLAs). While these mechanisms can streamline project management and legal processes in some ways, they also grant the foundation substantial power over the software's future. Even if a CLA doesn't explicitly transfer copyright, it can bestow broad permissions upon the foundation, including the ability to relicense the software and make it proprietary.

This concentration of power can be concerning, and I'm aware of some who try to draw a comparison with the Free Software Foundation, which also accepts copyright assignments. However, this overlooks the nuances of the approach taken by the Free Software Foundation. The FSF, despite accepting copyright assignments, meticulously crafts its agreements to bind itself to maintain the software's freedom. This is an example of the FSF, a 501(c)(3) organization, operating in the public's interest. Most foundations, however, don't go to such lengths or make any attempt to curb their powers in any way whatsoever. Their copyright assignments or CLAs are often one-sided, favoring the foundation's interests and potentially leaving the community vulnerable to future licensing changes. If there are to be more copyright assignments, I'd like to see more foundations do them as the FSF does.

These are all reasons why a foundation's mere existence doesn't automatically defend against proprietarization. Its effectiveness hinges on the myriad details in its structure and practices. Only by understanding these details can we make informed choices and gauge how effective a particular foundation might be at guarding software freedom.

If we combine all of these items, the best levels of defense for an organization to serve as a guardian for software freedom would be provided by having the foundation be a 501(c)(3) organization and the software be under a strong copyleft license like the GNU Affero General Public License (AGPL), allowing upgrades to newer license versions, with multiple copyright holders, where the foundation either doesn't use a CLA or collect copyright assignments or, if it does, the copyright assignments are done the way the FSF does them, so as also to bind the organization with AGPL-like terms. Of course, this whole blog post is a simplification - there's more to it than this, and as I think about it, I see that this is starting to look a lot like the FSF. Hmm. Imagine that.