We have just about an hour, which is really great, because we are accompanied here by three very well-respected attorneys, and who are known for their intelligence as well as their loquaciousness. So we will give each of them a few minutes to introduce themselves as well as their areas of expertise. I want to invite you all. We have some topics we're going to cover, but if you have any questions for the panelists, you are very welcome to tweet them at me at jory.com on Twitter, and I'd be happy to work those into the conversation. We have to say, as Wendy likes to tell me, that these lawyers are not your lawyers, so bear that in mind. Definitely, if you have specific questions related to your projects, you should retain your own counsel. And friends, our safe word today is amicus brief, so if we're going on too long, we can use that to just give to the next question. But I would like to start maybe with my colleague Jamie, if you don't mind sharing a few minutes of introducing yourself and your areas of expertise, please.

Hi, I'm Jamie Clark. I grew up in Minnesota. I live in LA now. I am from and currently the general counsel of the open standards and open source group OASIS, which created a lot of stuff over the last 20 years or so, although not quite as much as Wendy's group, who's been terribly prolific. We probably lived mostly in the e-commerce and structured documents area, so if you've heard of OASIS, you've heard about it either because of security stuff, like SAML or STIX and TAXII, or you've heard about it because of structured e-government stuff like OpenDocument Format. I happened into this because when I was a baby lawyer a long time ago, I had some clients come to me and say, so I got some salesman from a large company that wanted to sell me all this electronic stuff, and I don't have to use paper anymore.
I can reduce it all to records and have it all be electronic, only I just don't know if any of that will work if I go to the court and say, Your Honor, here's my contract. I have shown this paper or this tape or something. Does that work? Is it enforceable? And in 1998 or so, it wasn't. So I got dragged into about 15 years of trying to make sure electronic signatures actually were recognized as legal signatures, which as you know is kind of old hat now, but boy were courts confused by those things in the first place. And so eventually I went pro, went to my wife and said, honey, can I go work for a foundation and take a pay cut of about nine-tenths of my salary and do cool internet stuff for the rest of my life? And she said, oh, fine if you have to. So here I am, working for OASIS, mostly helping keep their open source and open standards programs on the straight and narrow and kind of doing things in ways that are cooperative and usually not illegal, immoral or fattening. We are all lawyers in different roles. And I just want to say our job is actually pretty well predicted. I mean, you could actually do a UML chart for our job because the idea is as a package, we're supposed to take all those crazy bad things that can happen to you and roll them up into black boxes and give you rules and suggestions and guidelines and templates for how to do your thing without having to think about us. And then we're supposed to basically disappear. Basically if facilitators and lawyers and rules people and license people do a good job of creating your community and helping you guide through stuff and figure out what to avoid, then you can just go off and be devs and work on stuff and have committees and cooperate and never have to crack a rule book or a Robert's Rules or a procedure thing or a license. We really ought to be just making it possible for people to collaborate in a safe space without running into, you know, multiple kinds of legal problems.
So if we do our job well, hopefully we become invisible. So far, not so good.

Yeah, I usually refer to us as an API to the rest of the legal system where hopefully you don't have to worry about the implementation details. Sometimes it does leak through. So hi, I'm Luis Villa. I am an attorney, former programmer. I got involved in, my baby lawyer story is that I was at Ximian, which some of you may remember as a Linux desktop start-up in the very distant past. We got acquired by Novell. I was involved in the diligence there and dealing with Novell's lawyers and I naively, arrogantly thought, oh, I can do better than this. So anyway, since then I've been slowly learning how wrong that was. First at Mozilla, then for a while at Greenberg Traurig, big law firm working with, many of you probably work for companies that were my clients then, then at Wikimedia and now at a start-up called Tidelift. What we do at Tidelift is we are building a platform to help open source developers get paid for making open source work better. We believe that you can think of it almost as a Red Hat for the rest of the stack where we make things more secure, more reliable, we make the legal stuff go more smoothly and in exchange enterprises pay us for that and we pay the actual developers who are doing the work, right? The original open source developers, not some random schmo in the cloud or a contractor, but the people who actually created the value, because we think open source has created literally hundreds of billions of dollars worth of value and it's time for open source developers to capture even a tiny little fragment of that. If that can be done, then we will all be better off, right? Both the developers who capture some of that value and hopefully the companies that are our customers by making it a little more robust. My interest in this stuff has always been about licensing and about how people work together, and licensing is a way that that happens, they're not the only way.
So yeah, I guess, yeah, come with that. Thank you.

I'm Wendy Seltzer. I am Strategy Lead and Counsel at the World Wide Web Consortium, W3C. I got there through a winding path of interest in law and open source and in the early days of fighting the copyright term extension and copyright claim overreach. I founded the Chilling Effects Clearinghouse project, now known as Lumen Database, tracking notice and takedown requests and giving people the legal information to help them fight back against misguided requests. And like Luis and Jamie, my interest has been in the ways that law can help creative people do the things that they want to do without the law getting in the way, whether that's artists creating works that build upon the creative works of others and add new things to our cultural discourse, fighting some of the copyright restrictions, or coders trying to work together to develop interoperable platforms that anyone can use without paying patent royalties to someone who comes in asserting that everything you've made is an infringement of their patent. I think law can actually help in creating and reinforcing common infrastructure. So the best uses of law I think of are things like patent commitments and copyleft, places where people agree not to assert legal claims against one another but to pool their resources and create opportunities for them and others to build value on top of this shared infrastructure. So at W3C I work on our process and our patent policy to help make that work for the ways that people are developing web standards.

So that sets us up. Let me say one thing. Wendy's way too shy. Wendy is on the board of directors of Tor. She was one of the early staff members of EFF. I mean I just try to get cool by standing around her. So read her resume. She's got an incredible background. We're both basically the legal people at two large standards consortiums but she's the cool one. Well you get to keep that one. Agreed. Plus one. Wendy. Badass.
You've also set us up really nicely to talk about a text that has been kind of making the rounds quite a bit in the open source world and also among your community as well, which is Elinor Ostrom's work on Governing the Commons. And we have talked a lot about sort of the commons, common infrastructure support, but then there's also this idea of the tragedy of the commons that is doomed to fail. And we started with a really lovely conversation last night. You said it really well, Luis, that not all commons are tragic. I wonder if you could introduce us to that.

Yeah sure. So I mean I think one way that we think of ourselves is as engineers of healthy commons. And there's this, I think for a long time, particularly in the U.S. but globally, a lot of economists have pushed this vision of the tragedy of the commons and that all commons ultimately are overrun. The people take too much and give too little. And I wanted to set the table a little bit for today's conversation by saying that actually Elinor Ostrom, who won the Nobel Prize for Economics in 2009 I believe, devoted her career to studying all the commons that aren't tragic, right, that do succeed. And she identified over 900 commons in her research. Often they were water commons, in fact some of them originally in LA. And I then spent a career and the careers of many grad students identifying common themes, right. What are things that actually make those commons work? And I'm going to go through and highlight a few of these and they are all going to sound very familiar to you because you're going to have seen them in the communities that you are part of that work well. You're going to have seen them. They're going to ring a bell, right. So one thing that she talked about is clearly defined boundaries. You have to know who's in and who's out, right. Modularity is the word that we use for this in our space, right. We know who's participating and how they participate in a way that's very clear for everybody.
There's proportional equivalence between benefits and costs. In other words, you don't want people who are purely free riding. You want to have hopefully some way for them to contribute. She talks about monitoring. You have to know how it's being used. This is something frankly that open source maybe doesn't do so well and could learn from, right, where we have a sense of, we have a sense of our stars on GitHub and our npm counts, but that's maybe about it, right. She talks about fast and fair conflict resolution, right. The more clear things are, the better for everybody. This is one of the things that we try to bring in in our work is making sure, and one of the things I'm most proud of in my career is the Mozilla Public License version two, where it's a copyleft, but it's a copyleft with very clear boundaries. A couple others that I think I'll skip over here, but the point that I wanted to drive home is that there are patterns that we can know and follow in making healthy communities. This is not magic. It's not something that we have to reinvent all these wheels, and hopefully that's something that lawyers can help with as you all focus on the technology.

Let me contextualize that a little bit. What's the point of that list? Well, it got Lin Ostrom the Nobel, and that's nice, but also you'll find a bunch of public policy issues. You'll find WTO principles about standards and what's a real standard and what's a fake standard. You'll find accreditation bodies in both open source and open standards that test bodies to say, okay, are we going to let you just submit yourself to other places? Are governments going to include yourself in their procurement requirements? And they test a lot of those same conditions. Furthermore, those are the preconditions to fairness. If you're putting an effort, are you likely to get something out of it? Are you likely to get railroaded? Are you likely to get bigfooted?
The simple way to look at that stuff from your standpoint, whether it's not just in Node.js, which is fairly mature now and has a pretty good governance system so far, but in any open source or open development shared project is, if you have that stuff there, if you can detect fair conflict resolution, modularity, transparency, yada, yada, yada, then you're probably in a good place and your work's probably going to work out pretty well. Or at least you're going to get a fair shot. If those things are not present, if you're designing a community and you haven't provided for that, or if you're in a place and those things, the project has a very strong chance of failing. So you might think of them almost as health indicators for open shared projects, which includes, you know, standard stuff like Wendy's organization and mine and ISO and ANSI and everybody else have been doing for 34 years, but also includes the next open source project created tomorrow.

Jamie, one other thing that you had pointed out was that, you know, in a similar vein, that standards development organizations kind of get evaluated on the same principles. I wonder if you can speak a little bit more to that.

Well, we've been doing some interesting engineering lately because the traditional sources of open development like open standards groups like Wendy's and mine have all been under, we think, good market pressure to adopt open source methods and tools. And so you wouldn't have seen any, you wouldn't have seen a lot of SourceForge material in the mainstream of a W3C recommendation or OASIS standard 10 years ago. There was some because we've always had our standards sort of supported by and SourceForge pre-GitHub open source builds as kind of proofs of concept.
But in terms of where the actual, you know, the canonical standard lives, now you can go to GitHub and find a lot of them for W3C or OASIS and increasingly even some of the ISOs and the fuddy-duddies, I'm sorry, like IEEE are trying to find ways to put their stuff there because that's where people want to find it. You know, I mean, do you have an SPDX tag on your standard? Well, if you don't, if you're taking, you know, your comments against the standard and you're not getting them as PRs, then a lot of people won't know where to find it or know what to do with them or be able to, you know, communicate that in a modern development environment. So we are kind of fishing in the same streams now. There is a difference which I think is worth mentioning and this is not about licensing, which we'll get to later. Standards have the benefit of having 20 or 30 years of experience with government and large company procurement. People kind of know, institutional adopters kind of know we're a safe place to borrow material and so if something is created as a standard, you know, you don't get a lot of flak from some European Commission department that wants to adopt it because they're comfortable with standards. You know how to do that. The whole web accessibility movement, which was just practically missing from some of the early parts of the web, got started as a consortium project, W3C, and now it has been readopted and picked up and enacted as law in Europe and everybody's guidelines and everything, but basically the thing that made it comfortable for large agencies and large governments and large companies to broadly adopt it because of the stability of having an infrastructure like W3C's approval process to rely on. So a benefit we get from open standards is that everybody knows what they are. The history of procurement of open source work has been spotty because a lot of lawyers and a lot of companies were very standoffish about it at first.
It seemed as a more chaotic process. Its licensing was regarded as not as clear and not as reliable and so open source as it matures is finding a better kind of frame within procurement as a safer place. For us at OASIS, we are now actually creating some open standards using open source licenses and so it's been sort of interesting to take that stuff back to an ISO or a procurement agent and say, yeah, it's a standard but it's also open source and yes, that's okay and it won't bite you, which is kind of a new concept for a lot of traditional users. But what I want to convey here is that there's a sanctioning aspect. There's an operating according to known rules and procedures and licenses so that people know that as a source of whether it's code, specs, models, or APIs that you're a safe place from which users can widely adopt your stuff. That sense of how to run things safely and clearly and with known licensing and known consequences and known boundaries is hugely important when the people who we talk to come to us and say, hey, I heard there's this thing, there's this module from something called the Node.js Foundation that does this yada yada thing which I've never heard of. Can I use it? Is this as safe as if I went and used an ISO standard? Bottom line, you want the answer to be yes.

You know, one thing that may make that really concrete, lawyers are like programmers. You could do a whole great panel just on analogies between lawyers and programmers, but one way that I think there's this nobody ever got fired for buying IBM and in the same way we as lawyers seek to say, ah, nobody ever got fired for choosing this license or choosing this standard spotty, right? Where it's a well-accepted, everybody knows. Maybe you don't know the details, right? There are a lot of lawyers who use a lot of open source licenses who could not actually explain to you how they work, right?
But because they're well understood, they're well, they know that other lawyers know, and so there's that network effect of learning around these things.

Good, Wendy.

Yeah, and I think that serves as a way of sort of division of expertise, that programmers don't have to be experts in the licensing conditions or in all of the possible governance structures that could be used. They can take patterns from organizations that have done some of that work, found patterns that work well, and or, you know, relied upon that work in legal enforcement, that work for government regulation, and that work for communities that, you know, our process, W3C's process is often accused of being too long and unwieldy and too detailed, but at the same time it saves people from reinventing that structure every time they're trying to make a new decision. Yes, sometimes you may need to reinvent something because conditions have changed, but if you're doing something that's been done before, the patterns that worked well in the past may well serve you too. And so that's low friction, low barrier to reuse helps get the focus on writing the best spec, making the best security considerations and privacy and accessibility and strong interoperability and testing and the things that we need to get a clear base of running code.

So I want to ask about the importance of having multiple stakeholders, but you actually just touched on something, because we are speaking to a room of developers and programmers, and these documents are written for lawyers. What does a developer need to know about their open source license? What's the small thing?

Well, there are two key bundles of rights that are included in most licenses, the copyrights and the patents, and copyright is a protection for ideas fixed in a tangible medium of expression. Your code is copyrightable, and those using it need a license that permits them to copy it as they do when they use or modify or run the code.
And patents, which are the idea, the function of code and anyone can claim, well, the inventor can claim protection of the functionality even in something that somebody else implemented. And so a lot of open source licenses and a lot of standards bodies work to develop various ways of pooling patent protections or defensive rights so that when, so for example, at W3C, we have a royalty-free patent policy. Anyone who contributes to a, participates in the development of a specification commits that they will not assert patents on so-called essential claims to that spec. That even if they have patents in their cupboard, they won't assert them against somebody who's trying to make an interoperable implementation of a spec.

The significance there is that if you're doing something in Wendy's shop under that patent policy, not only is everybody promising that you can use, but also they're promising that they won't sue you if you use the other guy's contribution. So if Wendy, Luis and Jory are our committee, each of us may promise that we will let you use our contributions, duh, but also if there's a final product, you come out of a process like the standards process, and this is true in a couple of open source projects, but not most. That also means that if you use my contributions, Luis won't sue you, and if you use Jory's contributions, Wendy won't sue you. This is a significant improvement in terms of stability, and so for example, ripped out of the news yesterday. Anybody watch Twitter? See Jack Dorsey saying, oh gosh, you know, I've just realized that maybe there should be a multi-company standard for tweets or for social media anyway. Duh, duh, okay. And you know, I mean, that's great, good for him. And without any comment other than that, I would love to see something like that happen. I'll just point out that W3C had a project on that like what, eight years ago?
I mean, Evan Prodromou made it up, who's up here, by the way, made up StatusNet maybe 10 years ago now and worked out a system for a while, and it became an activity at W3C, and they went through all the things. Basically, that whole idea got laundered through a process of multiple stakeholders and multiple contributors and final licenses, and so basically, yeah, Jack, we already have one of those. Now, maybe it'll be adapted, maybe something else will be better, but my point is you are better off when you start from something that's been established through a process with multiple stakeholders, which is your point, and with some kind of stable understanding about the licenses, which is your point. And there are a lot of good things out there that have come from that process, which is why we're all advocates of reuse, not reinventing the wheel every time and refighting all of the license battles.

I was actually going to say, you know, Jory, you asked, like, what should we know? Yes, yeah. There's really one thing you should know, and that is who else is using it, right? Like, if you only know one thing, we are, and I say we here, both about programmers and about lawyers, we are herd animals. And so the idea that, you know, it's actually, there was a time when I first got involved in all this stuff, the, you know, everybody knew all the licenses, right? Like, literally to become a Debian developer, which was sort of, in some sense, the spiritual forerunner of being, of having a package on npm, you literally had to pass a test to show that you knew all this stuff about all of the licenses, right? And in some ways, that was good. Everybody was an expert. Everybody had deep knowledge. And in other ways, that really got in the way of actually doing the thing we want to do, which is actually write some code, right? And I think in some ways, in some ways there's a sense of something, there's some loss there, right?
But it's also, I think, you know, simply looking around the room and being like, you know what, the entire rest of the industry has been using the BSD license for 30 years, and it hasn't melted down yet. Like, that's actually a pretty good proof point for like, actually maybe we can probably keep using it for the next 30 years, and it probably won't. Now, if you get, if you buy me a drink tonight, I will tell you all the ways in which it might melt down, but that's for another conversation.

Doom and gloom. But I think, so this came from Twitter, but I think there's a bit of a tension here, right, where we want to simplify things enough and just say, don't worry about it, developer community, just, you know, it's okay, we got it covered. But at the same time, we want to make sure that these communities are like, you know, knowledge is empowering. Like, we want them to feel like this is knowable to them. And so, you know, what is the right sort of balance for that, you know, nervous developer who's trying to think about licensing their first project? Like, really, is it just, you know, pick?

Well, I think if you're in a company, talk to your company's lawyers. If you're working on your own, talk to a friendly lawyer, and think about what it is that you or your organization are trying to protect. What are you trying to create and what legal structure helps you to do that? And, you know, we have big companies and small companies and individuals who contribute to open standards and who contribute to that royalty-free pool because what they want to protect is the ability to interoperate and the ability to work with others in a safe environment where all of them know that none of them is going to pull a patent out of their back pocket and undermine this web we've created. And, yeah, there's room for patents and there's room for proprietary stuff on top of that stack.
You have the core interoperable web and then you have optimizations that people can patent and applications that people can sell on top of that. And, you know, over time, the core of the common royalty-free piece grows and there are new opportunities further out on the edge to develop something proprietary. And, you know, that, you know, grow the interoperable core and build something of your own on top is a powerful strategy and it can be a good strategy for selling your services, for selling your products, for expanding the value that you provide and create.

Yeah, I mean, I think that that's the key really is understanding what it is you want to do, right? If this is a small piece of, I don't want to say throwaway JavaScript, right? But we know that there are a lot of modules on npm that were a sort of weekend hack and are never going to be more than a weekend hack. And in that case, putting it under the same license that everybody else uses on npm, BSD here, MIT, something like that, so that everybody else just uses it in the same way they're used to is probably going to achieve your goals, because your goals for publishing a weekend hack are like, I hope it's useful to somebody. And, you know, and if it is, great, and if it's not, I'm not going to worry about it, right? But if you're like trying to start a business or you are already part of a business and you're trying to work with other businesses, then things get more complicated and you have to ask deeper questions. You know, I will say there's a spectrum here of not knowing anything on one side, actually going to law school on the other side. Do not recommend that. If you're thinking of that, I will buy you the drink and we'll discuss tonight. You know, and somewhere in between there are a lot of good resources.
In particular, I really like, there's a board member of the Python Software Foundation, Van Lindberg, also a former engineer turned lawyer, has written a really excellent book that explains a lot of these concepts and that explains a lot of these concepts in like engineer accessible frameworks. And I highly recommend that book because it is, you know, unfortunately like the optimal level of understanding if you're asking complex questions like how do I work with other companies is probably closer to book length than panel length. Of course. I am blanking on the name of the book.

He's going to look up the name of the book for you. So if you're in that space, God willing, you do some of your work in an organization where they've got good and hardened rules and you can generally conduct yourself without worrying about it because the rules take care of it for you. They license the rules but also disclosure rules. You know that Node.js just adopted its new IPR policy as I understand it, so that, I'm not an expert on it, but one of the questions is okay, what does that cover? How does that cover me? How much disclosure is required? Am I in a competitive position where I am trying to donate some things but keep other processes outside of my donation so that they can be my competitive advantage? If you read the old Shapiro and Varian book Information Rules, it talks richly about how the way to play the open source game from an enterprise point of view is to figure out what to give away to enjoy network effects and what to keep for your own proprietary processes. Everybody is doing that. Everybody has some things, some UX, some methods, some algorithm, some spin, some profile. That's their secret sauce.
The best thing I can tell you as a lawyer to non-lawyers is going to these things knowing darn well what your secret sauce is, if any, and what parts you're trying to give away and get everybody else to use the parts of it to you or somebody else in your environment is trying to keep for themselves. When you get that wrong or when you're not clear or when the organization where you're doing the work is fuzzy and not careful, you get problems and if those problems involve large economic risks people sue each other and bad things happen. One word. Rambus. R-A-M-B-U-S. Look it up, 10, 20 years ago. We were all on each other like a pack of wild dogs because there were disclosures. The disclosures were thought to be not very clear. There was an allegation that you lied to me about your patent. Well, we didn't tell you. Well, we never said we didn't have one. Well, I'm going to sue you. Suit dismissed. Run to a regulator. Regulator looks at it and says, yeah, it wasn't against the rules because the rules are crappy, but it was deceptive anyway. We're looking in places where they have clarity good and above all knowing what you're trying to protect and knowing what you want to share.

So I think this segues really well into this discussion of how IP and patent policies of different organizations sort of reinforce common and I think you all were kind of touching on that. So I wonder if you were talking about if you were just doing your weekend project and you select MIT because everybody else is reinforcing that system. Can you speak to other ways in which our policies here can help reinforce that and improve the commons? So it's not so tragic.

I can start with one. The W3C royalty-free patent policy offers a reciprocity term that you can condition the royalty-free promise on everyone else's promise to make their patents available on the same spec on the same terms. And that reinforces the Ostrom principle of community, having a defined community.
Those who are in and who are willing to commit to sharing the work of keeping this open get the rights to your work as well. And those who want to free ride, who want to take but not give, well, they face the risk of litigation by any one of the participants who is otherwise making their patents available royalty-free. So it's a, anyone is free to enter so long as they're willing to make that commitment. And that's a little lightweight community boundary that says here are the conditions, here are the rules that you need to agree to if you want to be part of this commons. And that helps to build the spirit of good faith interaction and cooperation that then can grow the commons.

Yeah, I mean, there's so many, this is a tough one to unpack, so let me also give one example. So, some of you may be aware that there's a couple different ways that you can say what the license on a code is. For a long time the default was, I'm just going to have a file called COPYING and I'm going to put the license in there and that's going to be good enough. And then some large corporations got involved, or like, that still makes us a little nervous, because we don't have, we, you know, say Joe Schmo comes along and gives, you know, submits a pull request, we didn't call them pull requests, but, you know, submits a pull request. Have they agreed to those legal terms in that, in that one file? How do we know that they've, how do we know that their employer has agreed to those terms? So one of the first early evolutions in open source licensing was something called a contributor license agreement, where when a new contributor would come in off the internet and say, hey, I have an idea, here's, here's a patch, everybody would, the gears would grind to a halt and everybody would say, hey, that looks great, please fax me this, please print it out, fax it to me, or certified mail also fine, and we will literally put it in a filing cabinet of the Apache Software Foundation and we'll keep track of it just in case, right? And in fact
I'm aware of a situation, this is semi-public, given my track record you can probably guess who it is here, but I've been aware of a case where a company sued over a piece of code and the Apache Software Foundation opened up their file cabinet and said, but you gave us this piece of code, it says right here you gave it to us, and the company backed down. Right? And so it wasn't a, like, purely hypothetical. Well, here's the thing. I have been doing this for 20 years now, and I'm aware of exactly one case in which that has been helpful, and there are literally thousands of these things on file, if not tens of thousands. Right?

Oh, okay, value stuff, you know, deep competition, that's not a real thing. By the way, Node has CLAs, doesn't it? I think you guys do it. I mean, you guys do it as, you know, bytes set in a GitHub register at the moment, but you got CLAs.

It's just that they're not, we don't fax them anymore. But let me, but at some point somebody said, hey, you know what, in most of these cases the original things were written such that you could literally, like, if some random schmo off the internet came, submitted a patch, and it turns out they were lying about the source, you could sue them about it. Which was, like, nice in theory, but in fact, as a practical matter, you know, none of us are what we would, what lawyers call deep pockets, right? We're not, like, if Oracle wants to, like, come sue Joe Schmo, Oracle is going to realize, like, the cost is not worth, like, the benefit here, right? Because they are going to spend a lot more on lawyers than whatever Joe Schmo has in his pockets to give to Oracle, right? Oracle are vindictive sons of bitches, but, you know, they're not dumb. Former client, but I still have thoughts. So a lot of communities were a little concerned about this overhead of first faxing, you know, now it's GitHub stuff, and so somebody said, you know what, look, we're not going to go ahead and sue this person. Why don't we optimize that out, and we'll focus on instead simply being able to
notify people, hey, you should really owe this and own this before you give it to us, and we should know who gave it to us. Right? And that is where you got the developer certificate of origin, the key point being there, we know where it came from, so that if somebody sues us we can look into it and we can take that code out if we need to. Right? And that's where DCO comes in, which is the default, I believe, for OpenJS.

All of the projects are actually on different, like, things, and so that's part of this new policy, as a new foundation, is like, okay, can we start to figure out, like, what the standard practice ought to be among 30-some-odd projects that have been doing it differently for years.

And this is a great illustration, but the point, the problems that, you know, JS people have when designing a system like that is you got a bunch of people coming in with a bunch of different licenses, a bunch of different environments, a bunch of different practice in terms of people who like signing stuff and have a six pack of lawyers, people who don't. Some people are comfortable with DCOs, some aren't. And so you have to construct a reasonably safe process. But let me try abstract out into an action item for non-lawyers. Okay? What this tells you is that your first question, in a development situation where you're contributing stuff you care about into a project you care about, is you need to decide whether you're in a relatively weasel-free environment. Because you see, if you are full of weasels, like ours be the Rambus people or some of Luis's clients, or maybe I should say clients' opponents, but your mileage may vary, I forgot one before, if you're in a weasel free or a highly competitive or a dueling licenses, pistols at dawn environment, then all the stuff is going to matter a lot more, and you got a lot more chance of contributing a whole lot of things that can't then get swiped away from you or overridden, or your project suddenly been deep-sixed because of a lawsuit or a threat
of a lawsuit. Because believe me, a lot of people dealing this are not brave warriors. They're craven. If you go boo boo boo, I'm going to sue you, and you got a lot of money, you know. I mean, I guess the Oracle, the Oracle-Google case, on which we have no opinion because we have contributions from both sides, you got two rather large companies who are apparently not afraid of spending legal. I assume that when one of them calls the other, the reaction on the other end of the phone is, oh my god, stars and garters, we're lost. But a lot of the battles between parties who have opposite technical or licensing or patent positions are asymmetric. This is not a level playing field. So figure out how treacherous and how weasel-free your environment is, and then you will know how much you want to sort of run for safety and make sure that you're working within a highly structured process, or a process that has professional referees, a process that's got a lot of output and has a lot of connections into other systems, so that there's going to be people who run interference for you, because they can assure you that when something goes to hell in a standards or open source project at my shop or Wendy's, we get calls. We try and help them navigate it in some appropriate way without taking sides, and that can be a very important function. So the maturity of an organization also goes to, when that crazy thing happens, can you get help?

Let me add one other. An unfortunate part of our profession is that we are all professional pessimists. It is our job to see the issues coming. Like, we have finely tuned weasel radar, and we see those weasels from a lot further off than you do. Now, sometimes they are imaginary weasels. And so the unfortunate, the balancing thing here is that we sometimes have to be the ones who are delivering this bad news of, like, circumstances change. When you were talking earlier about the patent situation, I couldn't help but think, when we all got involved, patent litigation about software, well,
actually this might not be true for you, Jamie, but the software litigation about patents, patent litigation about software rather, has come in waves, right? Where for a long time we didn't even think the software was patentable, and then we thought the software was very patentable, and now we're back to, like, maybe it's not very patentable again. So it feels like a little bit of a peaceful time right now. There are no weasels on the horizon. But in fact the Court of Appeals for the Federal Circuit, I'm not going to call them weasels, we're being recorded. Hi. Yes, they're wonderful, except when they're not. And then one day you wake up and all of a sudden software is patentable again, and all the lawyers, like, it's so depressing to me. Like, engineers come to me full of all this energy, it's like, just help me build the thing, and you're like, okay, but bad news may come, you know, and you have to be the one who sort of, who bears that bad news preemptively.

I want to sort of add that a lot of our long-term weasel radar is looking at edge cases and exception handling, and litigation is, for the most part in software, the exception. Most of what we're doing is not suing one another, and most of what we're doing in standards and open source is trying to find cooperative solutions, because the web isn't going to work, the Node software isn't going to work, if it doesn't work together. And saying I'm going to sue you for not interoperating with me is a pretty poor way of getting interoperability. Much better to say, what can you live with, what can I live with, where's a compromise that makes each of us better off, that we've got a package that works, we've got a standard that works, we've got an API that we all agree to implement, not because someone comes down with a lawsuit saying thou shalt, but because that's what's going to work for our product and our customer teams and our collaborators.

Absolutely. We're all, we all have this radar for problems. The best lawyers are the ones who have the radar for
problems and help you get to a solution anyway, right? Like, that's unfortunately, I think, what separates not great lawyers from great lawyers. And we're all spoken for, so, but like, but we have a Rolodex. So if you ever have a lawyer saying no to you, come find us and we'll hook you up with somebody who will find a way to say, find a way to give you answers.

One more thing. All the stuff that we're doing that we think of as being web interface, cool screens, mobile, all that, the things you hear 90% of the work here talk about, this, you know, that's one part of the world, and perhaps that is a relatively weasel-free environment, as Luis suggests. But I got to tell you, I do, and I know Wendy's shop has been a lot of work in automotive, in IoT, in security, and those are not, 5G, good god, telecoms, those are not free or patent-free domains. So I think it would be, I should say, you know, I was just listening to the technical steering committee of Node.js earlier today and hearing the guys talk about all their ports of the basic core over all kinds of funky devices that aren't anything like a laptop. You know, they got a whole bunch of satellites and Lord knows what else running this stuff on the esoteric chips that haven't been invented yet. So we are up in that patent-filled space even here.

I actually think that we are in for a bout of copyright trolling in this space as well. How many of you have actually read all the way through the BSD or MIT licenses? Alright, okay, well, so, I, oh yeah, I get, right, yeah, I know, I'm not going to read it now. I will tell you that the sort of common mythology about these licenses is that, do whatever you want. And that is mostly true, except for the asterisk of, but if you deliver the software to somebody, you've got to give them a copy of this license. Right? Now, that is not hard to do, and yet virtually nobody does it. Right? And somebody is going to, just as the previous talk in this room was in part about people inserting deliberate security vulnerabilities into people's web stacks, I
think we are going to see somebody insert a deliberate legal vulnerability. They're going to build a useful library, or buy a useful library from the copyright holder, and then they are going to, they're going to use, you know, one of the scanning tools to, like, essentially say, hey, I noticed that your website is using my library. I have only, I have never seen public record of it happening.

Well, I, there's a brief, say, yes. You're also kind of moving toward that last question that I was going to ask about predictions, but before we get to that, I want to make sure that we talked about the other thing that I know that this room cares quite a bit about, which is the sustainability of the commons, because the funding was a big role in sort of figuring out the business of open source as well. I think everybody here cares about that, and Tidelift has something to say about it.

Yeah, sure. So we have observed that there's a lot of money floating around for really high profile projects, and this is something that W3C and Oasis have seen as well. If you have something that's way up at the top of the stack, there's a lot of money floating around in the system right now. It's not that hard to get funding for it, right? It's not easy, but it's doable. But then you do a scan of what people are actually using, and there's literally hundreds of libraries that are somebody's part-time project. And that plays into questions like the security vulnerabilities that we were seeing earlier, and the general just cost of using the stack, right? You have all spent time discovering that some library that you were relying on is, like, oh, this actually hasn't been updated in four years, and now it doesn't work with something else. And we think that that cost of that way of doing business is bad for developers, right? Like, I mean, it leads to burnout, it leads to abandoning projects that you once loved, but your day job is now switched from being a Java shop to a Ruby shop, and now your Java projects are
abandoned, right? Or, you know, I mean, this is obviously a JavaScript shop, but, you know, things that were dependent on jQuery, now everybody's moving to Vue or pick your flavor of the week, right? And that leads to a lot of costs for the businesses that are using it. So we think that at least part of the solution here is actually treating this like a business, right? Not just a charity, but actually going out and saying, hey, your business depends on this, we can make it more reliable if we pay the developers who are doing the work. And that is one approach. There's many others, right? Open Collective is great, they are doing the pass-the-hat kind of thing. There's industry consortia, right? I mean, W3C, Oasis, Linux Foundation are all essentially passing the hat at the industrial scale in some sense, right? And that in certain spaces works very well. You know, Tidelift thinks that that's not going to work for the little, for the smaller pieces of things, right? So that's sort of where we're focused on. I don't want to turn this into a pitch session, but anybody who wants to talk about it, feel free to come. My other hat, I am, we're small enough that I am human resources, I'm the general counsel, and I also head our DevRel team. So, and so, yeah, so I drew the long straw of coming to Montreal in December. I am the San Francisco office. No, that's not true, as of last week we have two people in San Francisco.

So let me have some fun with this and throw a rock. One of the ways that the balance between big and little players, patent holders, trolls and non-combatants and other sort of asymmetrical parties are going to be disrupted is a prediction I'm going to offer you, and that is, in spite of the fact that everybody makes fun of it, in spite of the fact that all these fat old cis white guys like me who run some of the older organizations seem to not take it seriously, the ethical license people are going to prevail at some point. Okay? The all software is good no matter what, everybody can use anything,
and I don't care if my stuff is used to jail babies people, the old school open source approach that says no one gets to withhold their labor from anything, no matter how evil, that's not going to be the only model forever. Read ethical license, search the phrase ethical license if you're not familiar with this. There is a growing set of what I would call new wave approaches or differences or twists on open source licensing that basically create exceptions for various reasons, and some of those are going to exclude some large organizations, and that's going to mess this all up. That it's coming, I can see it from here. That we don't know what's going to happen yet, I don't know how fast it's going to happen, but there will be people who are willing to contribute to the commons for some purposes but not for other purposes, and that will also cause some kind of regrouping or segregation or set of conditions it'll have to cope with. Just as the GPL license was disruptive 15-20 years ago, and it basically landed in a field of other licenses, nobody looked at it and said, but if I use this I can't use anything else, and oh my god, stars and garters. I mean, believe me, the people who were in our jobs as IPR lawyers or software 20 years ago almost all had the vapors about the GPL, because they couldn't figure out how to use it with anything else and not have the world break. And it took a while for people to figure out that there are actually, you can have modules next to other modules, and even Moglen wrote some things to make it clear that this wasn't, you know, eating the entire world, it was just for certain areas, and that there are ways for this stuff to coexist. And they created the LGPL and they made it easier. But there will be more perturbation in licensure and more people insisting that other values be supported, and that will destabilize and mess up some of these current relationships and power relationships, which I think is going to be really interesting. Hopefully I retired before I did
because I've got thoughts on that.

I love that you decided, like, at the very end of this to open the ethical licensing can of worms. We are kind of running low on time, so I think I will ask you all to make your predictions for 2020.

Boy, I mean, Jamie stole mine right out of the, I 100 percent agree that that's going to be, you know. I think the other interesting thing is going to be, this is maybe not a 2020 thing, but in the next, say, three to five years, the security presentation from the Snyk guy here was terrifying, right? Nothing new, but put a lot of things together. This idea that we can write some letters in all caps, and for those of you who have, since I guess none of you read the BSD license, it says, it's got this all caps section that basically says, oh yeah, if you break it, if it's broken, hey, not my problem, your problem, right? Yeah. And that's, I think at some point that's not going to hold, right? I think the security risk to the, literally, civilization are going to be too high, and we're all going to have to clean up. You know, I don't know how lawyers are going to be involved in that, but I suspect we will.

Yeah, I think in the doom and gloom portion of predictions, I think we're seeing regulators and legislators being lots more interested in what we create with code, whether that's round three of the encryption wars of, law enforcement need back doors, sorry, you can't build a secure back door, build us one anyhow, or, you know, liability for platforms and for what users post on them. You may think the protection that platforms have had against being liable for what users post, yet we're more and more concerned about abuse, about misinformation, about harassment online, and finding the right balance between, you know, who takes responsibility, how, and what are the legal hooks for that responsibility, we build these other kinds of communities on top of software, without undermining the protections that we have for building good software, is, I think, going to be a challenge of our next, say, five
years.

Any optimistic predictions?

Okay, let's let a light note. I think we're going to find that all of the current hyper-categorized beliefs that a standard and a code module and a model and a markup and an API are all different things is going to fall away and simplify, because, you know what, yet we are in a world now where one, where all that stuff is one transform away from another, and some of the transforms are canonical and bilateral and actually freaking work, which is not where we were a few years ago. So I think we're going to find that the output you create, in whatever form or serialization happens to exist in, whether it's a code or a spec or an API, whatever it is, we're going to discover that there's a much more uniform set of safe principles and methods for procuring, finding these things. I mean, why do we find code or score people's, you know, PR points on GitHub using code, but we don't do that with standards? Why are Oracle and Google spending $50 million arguing over what an API is? We're using the damn things all the time. Agonizing over their exact categorization, I think some of those artificial distinctions are going to fall away, and it's actually going to render what we all do a lot simpler. And so just as we used to see some of the integrated development environments do this, you won't be having people hand code so much any stuff. You'll be seeing people creating models and then being able to implement them immediately without having to get in there like Keebler elves and handcraft every piece of it. I think as all that unifies more, it will create a simpler and safer environment where a lot of these sneaky distinctions that weasels use to mess up your life will fall away.

We're going to keep winning. I mean, I think that's the, you know, the idea that open source would literally take over the world in the way it has would have sounded ludicrous 20 years ago, even 10. And, you know, all the griping that we've got here at the table, that's all at the edges of
the thing, right? Like, the core model works, and we're going to keep winning. And that's still, sometimes I wait, you know, there's like a legal conference, all lawyers get together, Microsoft has started attending all of these with their lawyers, right? Like, that was sort of my big, like, oh, right, this is, this real, we're learning.

Yeah, and I'll follow up on that, that I think we're getting better at building communities around the code, and communities that have values and ethics and privacy practices and other things that we value, as well as the quality of the code and its interop. So I think we're getting better at building, you know, code for good society.

All we do is win. Let's debate that one some other day. I don't want to take away from DJ Khaled over there.

I know a foundation that I work with who was agonizing over how to create a testing and sort of a certification program, and they had this debate that went kind of like this: well, should we just issue reference code and make everybody use it, or should we create a model and require everybody to obey the model, or should we create an API with it as a specification and spell it all out, make everybody obey the data structure and the code, because they needed wide interoperability across a whole bunch of governments for a complicated purpose, or should we just set up a test client and say, you know, this isn't canonical but there's a reference implementation, and if you can talk to it, you win. And you know what their answer was? Actually, their answer was, don't care, any one of those works. Which is my point, right? If we can get to agreed structures, then, you know, you don't have to sit up all night with the teams of lawyers worrying about the little rococo technical details of how you license this little piece of that, and whether it's really an API or not, whether it's really copyrightable or not, or how the patent lawyer should approach it. You know, if you make this stuff simple, as Luis says, open development is
winning, thank heaven.

Well, panelists, if any of that happens I'll ask you about it next time at the next Node+JS Interactive. Who's been watching Wait Wait Don't Tell Me, everyone? I will just give it up for these very generous attorneys, and please do come to speak with them today about the W3C, Tidelift or Oasis. Thank you all very, very much.