DEV Community

Gabor Szabo
Gabor Szabo

Posted on • Updated on

Is a project really Open Source without a public VCS?

I am working on several projects monitoring recent uploads PyPI, RubyGems, and CPAN and analyzing them.

One of the most basic items I am looking for is a link to their public VCS on GitHub, GitLab, or elsewhere.

It turns out that a large percentage of them do NOT link to their public VCS.

When I have time I try to track down the repository and either open an issue or send a Pull-Request to change the meta-data of the project to include the link.

Sometimes I even send an e-mail to the authors asking if they have public VCS.

Some tell me they either don't have a public VCS (or no VCS at all). For some I find out that the repository is not up-to-date. eg. in this project I was told the project is internal to some organization.

Are they Open Source?

I wonder, are such project still open source? They might have an OSI approved license, but can someone really access the source code and make changes to the project in a reasonable way?

See point 2. in the Open Source definition

Strictly speaking there is no requirement to have a public VCS, but there is a requirement to have easy access to the source code and to make it possible to change the source code. Do these distribute packages satisfy this requirement?

Top comments (10)

Collapse
 
randalschwartz profile image
Randal L. Schwartz • Edited

I recall the projects we interviewed (for FLOSS Weekly) over the years. Some claimed open source, when they merely published the source code of each stable release. Others had a public VCS, but a private issue tracking system. Some (like Dart and Flutter) were extremely public, with design docs, issue trackers, and accepted pull requests. I'd say there's a sliding scale there.

Collapse
 
geraldew profile image
geraldew

Just to riff a little on Randal's "sliding scale" - here's a set of four type ideas that start from the original Free Software conception and progress through to the more contemporary norm.

  • Free Software / Open Source - when FOSS licensing requires that distribution recipients can be supplied with the source code
  • Open ThingA - where the source code is publicly available - removing the need to request it
  • Open ThingB - where the source code and change tracking (e.g. a CVS) is publicly available
  • Open Development - where the public repository is where external contributors can supply commits for merging in

Really not sure what would make good pithy terms for ThingA and ThingB. Prior language has beaten us to some of the options - e.g. "Source Available" which has often been used for non FOSS software.

Maybe we can make them more unique by putting "code" in there:

  • Open Public Code (ThingA)
  • Open Tracked Code (ThingB)
  • Open Developed Code

I am course, leaving out other possible subtleties - things like issue tracking - in part because that then begs questions about whether that is also on an Open Source basis. For example, does hosting on a proprietary platform like GitHub invalidate its custom aspects as being "open"?

Collapse
 
elabftw profile image
eLabFTW

For me, private issue tracking, where commit messages reference a JIRA number on github really means the project is not open source in the truer sense of the term.

Collapse
 
geraldew profile image
geraldew

Certainly the spirit of FOSS licensing is that for any "distribution" of the software then the source code must be made available to that recipient. But no FOSS license that I'm aware of has ever required that the source code be public.

Quite how explicit licenses are about that requirement varies, although regardless of the mechanisms, access to the source code is implicit in the four freedoms (which covers both the Free Software and Open Source definitions) .

In theory that means there is a path of legality (enforced by copyright law) for a recipient to demand access to (i.e. a copy of) the source code. But like all such things, legality and practicality are not identical.

In this context, to my mind, this begs the question of when "distribution" is happening and exactly who is being obligated.

The original conception seems to have been applying between producer and customer in direct exchanges. Clearly the four freedoms empower a recipient, who has received the source code, to then re-distribute the software to someone else, who can then make the same demand for the source code. But what if the middle party didn't ever get the source code? While their ability to pass on the software sans source code is clearly granted, is it not clear who then carries a requirement to supply the source code. Is the original producer in a position to refuse to supply source code to this extra recipient - on the basis that this was not someone they had distributed it to? We're in IANAL territory there.

  • FWIW, what I've seen of Australian law, such requirements don't usually chain through. In that scenario, the legal path for the final recipient is to convince the middle party to enact their right the source code so as to on-supply it to them in turn. Note that my awareness in that regard is about laws other than copyright, so this is just an analogy. Of course, if the middle party ceases to exist then that leaves the final party in limbo. For the suspicious, yes, that is how/why multi-layered subcontracting acts as a practical legal barrier - I'll let you guess whether that's accidental or by design - but I digress.

So here is the crux of the matter. Is a producer, who puts the software on a publicly accessible web site, inherently making a distribution to any party that then downloads it? Does it matter if the web site is their own, versus uploading to somewhere more generic (such that this then become the middle party)?

Oddly enough, a good example of this comes from the behaviour of proprietary software, where it is quite common for vendors to make a copy of the software available on request, thereby establishing a direct exchange between vendor and client. Of course, there's usually no FOSS licensing in that scenario but if it was there, then it would be meaningful for the distribution to be direct even if it was so automated that it worked for any applying client. And thus the producer would seem to only be liable to provide source code to those clients to whom it had "distributed" the software. I feel sure I have seen some cases like this over the years - but can't recall any specifically just now.

Of course, in practical terms Gabor is probably right. A producer who is making it too onerous to get the source code is probably avoiding the spirit of Open Source, so their behaviour is likely a better guide than their strict legal obligation.

In a way it's interesting to cast back to the early days of "shareware", which was nearly all about proprietary software but unrestricted/public distribution.

The merging of FOSS licenses and public distribution created a world that muddies the meaning of "distribution". Of course, a later still arrangement is where the source code itself becomes publicly available - to the extent that by now that is considered normal by most (and that some people mistake as being what "open" really means).

  • For various reasons I often find myself hunting down source code that almost disappeared from existing online. Given web rot and that I'm inherently finding very old mentions and references to people having written code and put it only sometime, I can attest that just time can be enough to convert a perfectly good intention into an unhappy search activity. Just this week, I managed to track down some source code for something I need that was untouched from 2006 but was hard to find as all the places it had originally been shared on had long since disappeared. Nothing malicious going on there.

Personally, I tend to view this from the other angle, that Open Source provides ways for producers to show how much and how well they can be trusted. That some don't choose to go very far that way is itself an exposure of their intentions.

Collapse
 
astrojuanlu profile image
Juan Luis Cano Rodríguez

Open Source is Open Source. If the source distribution is on PyPI and has an OS license, technically it's Open Source by the Open Source Definition opensource.org/osd/

Similarly, companies have started spearheading "Source Available" licenses - namely: the code is online, the development is open, but there are some restrictions on what you can do with it that fall outside the OSD. This is not Open Source, and it's fine! OS is a licensing term, it's not necessarily the gold standard of how software should be developed and distributed in our modern world.

Now, I also love when projects link back to their VCS, have discussions in the open, and have a public governance. But we have to start using new terms for these concepts - otherwise, the term "Open Source" gets diluted and folks will want to slap it on everything.

Some terminology that has been proposed over the years:

More ideas?

Collapse
 
szabgab profile image
Gabor Szabo

I think you can upload to PyPI packages that only contain the pyc files from __pycache__. As far as I understand, at best, that would count as an obfuscated version of the source that does not fulfill the requirement of providing the source code.

Collapse
 
astrojuanlu profile image
Juan Luis Cano Rodríguez

Yep, completely agree. Uploading an sdist with only .pyc would not qualify, I'd say.

Collapse
 
szabgab profile image
Gabor Szabo

The question is, do the packages distributed via the various 3rd-party registries properly satisfy the view and modify part of the definition?

Collapse
 
gnulou profile image
LouDogg

Interesting point, certainly find truth in the post.
I'm happy when Gabor posts. Thanks for the read.
This is not low quality, unlike the AI generated response from Flo the factchecker...

Collapse
 
cloutierjo profile image
cloutierjo • Edited

Original open source project sometime has an address(a physical address) for you to send 5 floppy disk 💾 and get back the source code on them. So clearly a vcs is not required, but the source has to be made available in some way upon request.

There is also, I believe, a small exception when you are the original author, you can provide and change your licensing however you want. If you're not using a library that require you to provide your source (gpl) that's still allowed (again imo).

But for your original question, is that open source? clearly if the source aren't available, it is not.