February 24, 2005

An open source/commercial relationship gone wrong

Author: Tom Chance

Late last year the relationship between a free software project, Prelude, and a company that hired one of its programmers, ExaProtect Technology, broke down. In a reaction to what it perceived as unethical treatment of its development team, the Prelude project closed its development source repository, not just to ExaProtect but to the world, in an apparent breach of the spirit of the GPL and free software ethics. NewsForge investigates this cautionary tale of a relationship gone wrong.

Prelude is a security program designed to detect and trace malicious intrusions. It has been under development since 1998. According to Yoann Vandoorselaere, the Prelude project lead, ExaProtect has been using Prelude for the past three or four years, basing its security product on Prelude's communication infrastructure. ExaProtect, a French company with a sales turnover of €1,750 million in 2003, is in the business of security management, selling its expertise in administering security systems like Prelude.

Given their relationship, it made sense for ExaProtect to employ a member of the Prelude team, who requested to remain anonymous in this article, to work full-time on the product so that they could further customise it according to their needs. This is the kind of employment that many free software advocates cite as an example of how to make money from software you release under a free license.

After an initial three-month term, ExaProtect and the developer were due to renew their contract for a further three months. But on December 21 of last year ExaProtect notified the developer and the project that it wouldn't, claiming that the Prelude developer had broken the contract by not creating "a satisfactory exchange place between the Prelude and Exaprotect teams." ExaProtect CEO Jean-François Dechant told NewsForge that problems arose with Vandoorselaere, whom ExaProtect had previously tried to recruit when he was in a difficult period, an offer that he refused. They had also "tried to establish a contract with a third company, which he refused." Dechant further alleged that two months into the contract with the developer, Vandoorselaere "demanded extremely strongly to take a six-month commitment for this engineer under threat that if we didn't, he would publicly tarnish the image of [their] company." Finally, Dechant claims that Vandoorselaere informed the developer of the end of the contract before ExaProtect had made any decision.

The Prelude team disputes the company's allegations. It immediately closed the development source repository, cutting ExaProtect off from development versions of the software to protect the project team and to punish ExaProtect for what the project described to NewsForge as a breach of "open source ethics." Vandoorselaere declined to be drawn into details for what he described as legal reasons, and instead pointed to the example of ExaProtect hiring a Prelude developer in 2003 to write some custom code under assurances that it would be open sourced, and then reneging on that promise. Free software, Vandoorselaere told NewsForge, is not a right but a privilege, and one he says we will lose if projects don't defend themselves against abusive companies. He suggested that in closing the source repository, the Prelude team was protecting themselves from more abusive behaviour, and defending all free software users.

Of course doing this also damaged every other Prelude user, and so the team published an open letter to the community on January 9 explaining its decision briefly whilst promising to "sort it out" soon.

ExaProtect's reaction was swift. It published a press release (in French) citing two reasons for its failure to renew the contract. First, it said that Prelude no longer met its technical requirements; and second, that relations with the Prelude team broke down. Vandoorselaere, they say, wouldn't work in a constructive manner with them, and overstated the importance of Prelude to the company. Dechant alleges that Vandoorselaere is so "difficult to work with" that "most contributors of this project have left ... during the last three years," pointing NewsForge to this email as evidence of his bad attitude. This allegation is extremely difficult to substantiate, given that egos and tempers often play a colourful role in volunteer-led projects.

NewsForge has viewed legal documents that show that the hired developer did meet his contractual obligations, which Vandoorselaere cites in support of his claims against ExaProtect. In ExaProtect's defence, Dechant said that they paid the developer out of good will.

For years, Vandoorselaere says, the Prelude team was unhappy with the level of recognition and promotion that ExaProtect gave its project. The Prelude team was especially unhappy given that they felt that they had volunteered inordinate amounts of time to satisfy ExaProtect's requests for features and bug fixes. Prelude sent repeated requests for an acknowledgement on ExaProtect's Web site. ExaProtect granted the requests in mid-2004 (the acknowledgement is still there).

ExaProtect has made no public statement directly addressing the lack of recognition. However, it has noted, both in its press release and to NewsForge, its contributions to the project in terms of contracts with developers, code, rulesets, and bug reports. The Prelude team has described these code contributions as "insignificant," and in some cases of such poor quality that they were never integrated. The contributions can be found here, and include the contributions mentioned, some of which appear in CVS logs.

The Prelude team is now trying to reach a binding agreement with ExaProtect so that the company won't use Prelude, as it has promised, allowing Prelude to reopen the source repository. Such an agreement seems to be a breach of free software ethics, as the only reason the GPL gives for abridging anybody's free use of a program is a breach of the GPL, which hasn't happened here. But Prelude presses on in the belief that they are justifiably defending themselves and the community. ExaProtect claims that it is no longer using the Prelude software due to the problems with the Prelude team.

Lessons for free software projects

So what can we learn from this episode? The hired developer wasn't in breach of his contractual obligations, though the Prelude team as a whole may have been. Vandoorselaere had worked previously for MandrakeSoft for almost three years; MandrakeSoft declined to comment on his character or work record but made no mention of any problems during or after the period of employment. Likewise the other free software projects that ExaProtect make use of have never publicly complained about their relationship with the company. The clash may simply be one of personalities.

But should free software projects in this position retaliate by closing their development source repository? The company wasn't in breach of the GPL, and so short of changing the license Prelude cannot abridge any user's freedom to use, copy, adapt, and redistribute their software. Companies who make use of free software, and in particular those who fund developers, would be wise to approach these relationships with due caution, and to be open about problems to avoid misunderstandings.

When asked to give advice to other free software developers, Vandoorselaere suggested they always seek legal advice on any proposition from a company, and that they get everything in writing. Of course there will be many projects that cannot afford legal advice, putting them in a difficult position. The Free Software Foundation will help with license violations, but when it comes to other kinds of problems, short of establishing a community legal fund, the community is out on a limb.

