CodePlex, the new Microsoft that’s old
The new Microsoft Open Source consortium (CodePlex), as seen from www.consortiuminfo.org (in self Q&A style, emphasis mine):
Q: So now let’s cover the basics; how is the Foundation set up?
A: Microsoft organized CodePlex under the non-profit laws of the State of Washington, which may be a good neutral choice, or may not. Most attorneys (myself included) aren’t familiar with Washington law, so it’s hard to tell (I always use Delaware law when forming a new non-profit, since its laws are very flexible, and most attorneys have some familiarity with it). Also, CodePlex has not been set up as a membership organization, which is very unusual for an organization operating in an area that usually relies on consensus in order to be credible.
Q: Is that good or bad?
A: In my view, it’s bad, because it means that the Board of Directors not only has complete control, but the Board is also self-perpetuating (i.e., the directors elect their own successors). Moreover, there are no term limits on how long a Board member can serve. In this kind of organization, the Board is not answerable to the participants, and the participants have no say or control at all over how the organization is managed or evolves.
Q: But as long as the Board is balanced, shouldn’t that be OK?
[...]
In this case, individuals and companies that decide to participate in CodePlex won’t be able to vote for the directors at all. At minimum, this means that CodePlex will have to work very hard to convince others that the Board really is balanced, and therefore will look out for the best interests of all stakeholders, and not just the company that is paying all of the bills.
Q: Is there any way to tell from the documents how likely that will be?
A: There’s one provision that particularly concerns me. Currently, the Board has six members, and the Bylaws provide that the successor board that will be appointed within 100 days will have only five members – that’s a very small board indeed.
[...]
Q: Why do these templates matter?
A: In two ways. First, the CodePlex site says that the Foundation will be promoting their use throughout the industry. Second, the site states that CodePlex is intended not only to develop and promulgate best practices, but to host open source projects as well. Unless CodePlex is set up in a truly neutral fashion, that will lead many people to worry that Microsoft wants to create and legitimize “their” kind of development environment, where Microsoft can feel safe launching projects (all of the initial projects under consideration are Microsoft projects) under IPR rules, and under licenses, that fit their view of what open source should be all about.
Whether it likes it or not, Microsoft is likely to be held to a higher standard with CodePlex than another company might, due to its historical hostility to open source, and to its current mixed messaging on the same topic. I expect that unless significant changes are made, many people will conclude that CodePlex is intended to become some sort of “alternative universe” of open source development, populated by Microsoft business partners, where only the more limited types of open source licenses are considered to be good options for developers to use. Those licenses are fine for some purposes, but most developers – and even commercial companies - don’t choose them today. If CodePlex flourishes under this type of regime, I won't be surprised if Microsoft (as would most other vendors in the same situation) begins to tell customers that this type of patent-friendly environment is what open source software is “really” all about.
When you combine this with the assertions at the CodePlex site that a primary goal is to get more software vendor employees participating in open source projects across the board, you can easily see why the community might fear that CodePlex has been formed in part to recruit legions of new project participants that will have a new and different agenda than the existing members of the already existing projects that they join.
Welcome to ConsortiumInfo.org
Wednesday, October 07 2009 @ 06:53 AM EDT
The CodePlex Foundation: First Impressions (and Recommendations)
Monday, September 14 2009 @ 10:29 AM EDT
Contributed by: Andy Updegrove
Well, it’s been a busy week in Lake Wobegon, hasn’t it? First, the Wall Street Journal broke the story that Microsoft had unwittingly sold 22 patents, not to the Allied Security Trust (which might have resold them to patent trolls), but to the Open Inventions Network. A few days later, perhaps sooner than planned, Microsoft announced the formation of a new non-profit organization, the CodePlex Foundation, with the mission of “enabling the exchange of code and understanding among software companies and open source communities.”
Not surprisingly, more articles were written about the apparent snookering of Microsoft by AST and OIN than about the new Foundation. But while the tale of the 22 patents is now largely over, the CodePlex story is just beginning. Microsoft says that its goal for the new Foundation is to create an open and neutral environment, and that the formation documents posted and governance structure described at the CodePlex Foundation site can provide a foundation for such an organization. The CodePlex site also makes clear that the Bylaws you can find there are just a starter set, stating, “Our governance documents are deliberately sparse, because we expect them to change.”
That’s good to hear, because I’ve reviewed all of the material at the CodePlex site, and I think that quite a bit of the governance structure will need to change before CodePlex can expect to attract broad participation.
Over the past 22 years, I’ve helped structure scores of open, consensus based consortia and foundations, and represented over 100 in all (disclosure: they include the Linux Foundation; a full list can be found here). In this blog entry, I’ll show where I think the legal and governance structure of CodePlex has wandered off the open path, and offer specific recommendations for how the structure could be changed to give people (other than Microsoft business partners) confidence that CodePlex will be an organization worth joining.
Since there’s a lot of ground to cover, to make it an easier read I’ll use the self-interview approach that I’ve picked up from Steve O’Grady over at RedMonk.
Q: What’s the sixty thousand foot guidance on how to set up an organization that will inspire confidence that it’s safe to join?
A: It’s all about three closely related factors: appearances, control mechanisms, and broad support. What you want to do is to create a structure that you demonstrably _can’t_ control. If you claim that you want the organization you launch to be neutral, and then people find “gotchas” in the documents, you’ve lost the credibility war on the first day of battle.
It also helps enormously to launch with multiple partners, rather than try to add them later after people are no longer paying attention. You’ll never get more press than on the day you do your public launch, and if both competitors as well as allies are standing next to you on the stage as co-founders, that sends a powerful message that the organization really is not under any individual company's control.
For this reason, new organizations traditionally operate in stealth mode until they sign up an impressive roster of co-founders, so that people pay attention, and figure that there is broad industry support for what you want to accomplish. If instead you’re out there all alone, then people wonder why that’s so.
In this case, Microsoft launched without any co-sponsors (it has been theorized by many that the launch date was accelerated to offset the adverse publicity generated by the disclosure of the sale of the 22 patents), which I think was a mistake. If you go through the CodePlex site, you also learn that, while additional sponsors will be welcome, Microsoft has provided $1 million in funding for the first year’s operation. Microsoft will also provide the staff that will run the organization.
While it’s good that Microsoft is willing to provide so much economic support in times like these, it’s not helpful in building trust that the organization really will be independent and neutral. For better or worse, if all of the money and all of the staff come from one company, it will be hard for most folks to believe that CodePlex will really be neutral in action.
Perhaps most significantly, when you go through the formation documents in greater detail, you also start running into “gotchas.” Some of these can be easily changed, and perhaps were meant to be open for discussion. But others (such as the decision not to form CodePlex as a membership organization) are so fundamental that I expect that Microsoft doesn’t intend for them to change.
The bottom line is that forming a successful consensus-based organization is a bit like stepping through the looking glass – you win by giving things away, not by extracting value from others or controlling them. You have to create a place where people can be expected to conclude that it's safer to be a part of the organization, than to stay outside. Consequently, if it looks like you've kept too much control, the best you can hope for is to form a glorified user group. I’ve written extensively on how to form an organization that is convincingly open, for example here and here.
Q: So now let’s cover the basics; how is the Foundation set up?
A: Microsoft organized CodePlex under the non-profit laws of the State of Washington, which may be a good neutral choice, or may not. Most attorneys (myself included) aren’t familiar with Washington law, so it’s hard to tell (I always use Delaware law when forming a new non-profit, since its laws are very flexible, and most attorneys have some familiarity with it). Also, CodePlex has not been set up as a membership organization, which is very unusual for an organization operating in an area that usually relies on consensus in order to be credible.
Q: Is that good or bad?
A: In my view, it’s bad, because it means that the Board of Directors not only has complete control, but the Board is also self-perpetuating (i.e., the directors elect their own successors). Moreover, there are no term limits on how long a Board member can serve. In this kind of organization, the Board is not answerable to the participants, and the participants have no say or control at all over how the organization is managed or evolves.
Microsoft got distracted
This is old now, but I didn't register it here, so
a) Someone might actually find it here. Yeah, I think you (the readers) are all in my head, but ok;
b) Personal archive.
So... Story at linuxfoundation.org
The details are that Microsoft assembled a package of patents “relating to open source” and put them up for sale to patent trolls. Microsoft thought they were selling them to AST, a group that buys patents, offers licenses to its members, and then resells the patents. AST calls this their “catch and release” policy. Microsoft would certainly have known that the likely buyer when AST resold their patents in a few months would be a patent troll that would use the patents to attack non-member Linux companies. Thus, by selling patents that target Linux, Microsoft could help generate fear, uncertainty, and doubt about Linux, without needing to attack the Linux community directly in their own name.
Microsoft has "changed". That one never gets old...
Red Hat had this to say, emphasis mine:
The Open Invention Network (OIN) learned recently that Microsoft was planning to auction off some of its software patents, which we understand it marketed to trolls and some other non-practicing entities. It also used marketing materials that highlighted offensive uses of the patents against open source software, including a number of the most popular open source packages.
This looked to us like a classic FUD effort. To unleash FUD, you assemble a lot of patents of uncertain value, annotate them with a roadmap for the companies and products to be targeted with the patents, put the lot in the hands of trolls schooled in patent aggression, and then stand back and wait for the FUD to spread with its chilling effect.
[...]
DOS ain’t done ’till Lotus won’t run
An old story, unreferenced, but I've seen it elsewhere a few times.
It is too bad that magazines like Infoworld cannot (or do not) bring their old material into the World Wide Web. As the debacle unfurled, Infoworld sent an editor to interview the highest guy at Microsoft in charge of DOS. The interview went like this:
IW: "Lotus 1-2-3 is the most popular application running on PCs today. Your new version of DOS does not work with it. Didn't you do any testing?"
MS: "Yes of course we did testing."
IW: "What were the results of your tests?"
MS: "We knew there would be problems."
It was only afterward that the phrase "DOS isn't done until Lotus won't run" was exposed.
In case you didn't live through this history (I did):
Microsoft was a partner in the L.I.M. specification that allowed programs to access extended memory. L.I.M. = Lotus, Intel, and Microsoft.
Microsoft changed Windows (and through it their new spreadsheet product, Excel) to do LIM access on word boundaries instead of byte boundaries. Then they changed the LIM driver to only work on word boundaries, and to cause a fault in the programs that attempted access on byte boundaries. Super conveniently, they didn't bother to notify Lotus (or Intel) that they implemented a we-are-going-to-break-all-your-programs change to the L.I.M. spec.
They shipped DOS first, and apologized later. Except they didn't apologize. They ran advertisements picturing a jet fighter pilot crash helmet. "Crash proof. Doesn't it make sense to get your applications from the people who make your OS?"
More history: the first time you launched Lotus 1-2-3 in Windows with the new DOS, the dialog box said "This program has violated system integrity. You should reboot to ensure proper operation of the system. If it happens again, consult with your application vendor."
Clearly the blame was pointed at Lotus 1-2-3 by Microsoft in Windows. But what changed?
DOS was finally done when Lotus wouldn't run.
Infoworld also interviewed people at Lotus. Infoworld asked if Lotus was going to sue, and the Lotus person said no, for two reasons. One, that Lotus was still dependent on Microsoft and DOS (reading between the lines, it looked like they were saying they've sabotaged us once already, and could do it again). Two, the lawyers at Lotus asked the engineers about the change, and came to the conclusion that Microsoft would claim they made the change because "it is better". Word boundaries for memory access are easier than byte boundaries.
The evil here is that the change was made with malice aforethought toward Lotus, AND, the notification of the change was withheld from Lotus.
Lotus would probably have agreed that word boundaries were better. The crime was they were denied an opportunity to prepare for the change.
But proving to a judge (and this was before judges were at all tech-savvy) that Microsoft didn't innocently bungle a line of communication or two was not a case the Lotus lawyers thought they could win. The technical argument "it is better" would have to be offset by "no it's not. it is memory wasteful" which in the age of 2MB RAM machines meant something.
As for your claim that people wouldn't buy the new DOS - they didn't. Microsoft slip-streamed the new version of DOS to Hewlett-Packard, Compaq, et al. They told HP (and everybody) "Here is a new version of DOS. Include it with your new machines instead of the old version of DOS." As the debacle unfurled, HP had to quickly issue old versions of DOS to everyone that got screwed. (I was one of those HP customers at the time).
I realize that you are probably a Microsoft shill that will always attempt to discredit the deliberate damage Microsoft inflicted on its biggest competitor. Which is why I am going to call you out on it. If you don't want to be called a shill, then you need to not be a shill.
The truth is Microsoft changed DOS and knew it would completely screw over Lotus. They had tested it. They wrote a Windows error message to shift the blame to Lotus 1-2-3.
Frankly, it was a huge disservice to the whole world that Lotus did not take Microsoft to court. Crime shouldn't pay.
All we can do now is remember that Microsoft cannot be trusted.
Shall I tell you about the FIVE different ways Microsoft wrote / altered programs to screw Novell? And then there is IBM and OS/2. Stac and DoubleSpace. Sun and Java. Netscape and Navigator. There is more....
Microsoft cannot be trusted.
Say it with me again: Microsoft cannot be trusted.
ISO is worth nothing
I don't know why I've waited to post this. For several months, it has been known that Microsoft has bribed several companies and country officials of several nations in order to push their idea of a standard through the whole world.
There is an actual open standard on office-type documents (no royalties needed, full specs) that is implemented by at least one program and being implemented by several others, which stops everyone from having to use the same software for eternity to access those documents. The moment this started becoming a reality, several countries were going to demand the use of programs that implemented a standard for office documents.
Microsoft got scared. Very scared. Office was threatened, and with it also a lot of the necessity of using Windows. So they started lobbying and bribing (legally, except as concerns undue influence of the market, which is a subjective matter even to courts). ISO saw a lot of millions and disregarded their own process, and also got invaded by a ton of countries that stagnate it because they don't care to vote on anything else.
Bank Security
Not too long ago, my Halifax ATM card got deactivated because I misentered the PIN number three times in a row. So, the next day, I went into the main bank branch to get some cash from a teller.
I headed to the counter with my card in hand and some ID in my pocket. I explained the situation and asked to withdraw a few hundred pounds to carry me over until a new PIN number arrived. After taking my ATM card, she handed me a slip and asked me to sign. I did that, and she then counted out the money and gave it to me. No questions asked.
Let's count the WTF's:
- (Obvious) Me monging up my PIN three times
- The teller did not ask for ID, aside from the defunct card
- She did not compare the signature to anything, as I never signed the back of my ATM card
- I didn't actually use a signature, instead drawing a big circle with a cross through it
- She did not notice that the card wasn't signed, nor that my "signature" looked like the X-Men symbol
- I was given the cash with no security questions whatsoever
As my mind was boggling at these things, she said "I noticed that you didn't respond to our letter about changing your account to a higher rate. Would you like to speak to my co-worker about that?".
I remembered the letter from a few months ago, and figured I might as well convert the account then and there. So, I went to a tiny office with her co-worker, who then lackadaisically explained why my current account sucked and how the higher rate one was miles better. He said this all while blankly staring into space; I looked over my shoulder to see if he was just reading the pitch off a cue sheet stuck to the wall. The higher rate account was a better deal, so I agreed to switch. And this is where the WTFs start with him.
The banker tapped my account number from my ATM card in, and then printed out a sheet that summarized my details: name, DOB, address, phone numbers, etc. He slid it across the table and asked me to double check that the details were correct. At this point, I could have been any mugger off the street who just withdrew several hundred pounds and had the full details of whoever I mugged. I'm fairly sure I could have closed the account and withdrawn the funds in full, without any security challenges.
Ironically, two days later I get a letter from Halifax telling me that I should stop using their phone banking service and switch to their ultra secure online service.
At least the teller was bright and cheerful whilst giving me the cash.
Why Apple is just like Microsoft: iTunes and Safari
Apple has decided to use its monopoly on MP3 players to persuade everyone with the necessary layer on a computer, iTunes, to install their silly browser, Safari. They adopted tactics used by spyware companies and made an update to iTunes "recommend" the installation of Safari, forcing you to deselect the install on every update.
asa (of the Mozilla Foundation) said:
When *installers* bundle extra programs and install them by default (opt out rather than opt in) it's *annoying*. When *updaters* bundle extra programs and install them by default (opt out rather than opt in) it's damaging to the trust relationship that users and vendors have relied on to keep software safe and secure.
Not only do they force iTunes on you when you download Quicktime, making you hunt deep in their site for the solo installer, now the iTunes update also throws crap at you. It also helps computer users learn to accept the installation of crap on an update and not demand better behavior. It probably doesn't help people trust updates either.
On my totally personal experience, if any of those programs AND the iPod is indicative of a different "experience", I must be blind and dumb, because to me it's exactly the same shit, just with different issues.
To watch a Quicktime movie on my PC I have to:
* Install iTunes, have it hijack all my multimedia file types.
* Have all the mime types replaced in my browser (a new plugin to show jpg files, yay!)
* Install an "iPod sync tool" in my system tray
* Have Apple pester me the whole time to install updates to all of the above.
* Have Apple pester me the whole time to upgrade to a "professional" version of something or other.
All that to see a dumb Quicktime movie? I think I'll pass...
Different. Somehow...
And what does Safari show the next day?
recoiledsnake writes "The new Safari 3.1 for Windows has been hit with two 'highly critical' (as rated by Secunia) vulnerabilities that can result in execution of arbitrary code. The first is due to an improper handling of the buffer for long filenames of files being downloaded, and the second can result in successful spoofing of websites and phishing. This comes close on the heels of criticism of Apple for offering Safari as an update for approximately 500 million users of iTunes on Windows by default, and reports of crashes. There are currently no patches or workarounds available except the advice to stay clear of 'untrusted' sites."
Completely different.
Further, Wormfan writes "The latest version of Safari for Windows makes a mockery of end user licensing agreements by only allowing the installation of Safari for Windows on Apple labeled hardware, thereby excluding most Windows PCs."
Again, completely different.
Do they remind you of Microsoft yet or are you just daft?

