Please Stop Inventing New Software Licences

A few weeks ago, I received an unsolicited email inviting me to try out an exciting new "quantum resistant" cryptography app called Cyph. Because I hate myself, I signed up.

Of particular interest to me was the fact that the homepage loudly proclaimed that it was "Open Source" - and had a public GitHub repo. That was handy, because there were some glaring usability flaws on the sign-up screen. So, being a responsible nerd, I decided to send a pull request to fix them. Aren't I nice?!

The first thing I do before contributing is to check the software licence. I want to make sure the project I'm contributing to is actually open source.

This was not.

There are over a hundred different OSI Approved Licences. For some reason, Cyph have invented their own proprietary licence!

This is a real barrier to getting a community to help with your project. People have to take time to read and understand an unfamiliar licence. If they have an employer, they may need to get their lawyers to approve any work done. A new licence is a hassle.

Cyph's licence was originally the Microsoft Reference Source Licence (MS-RSL) - despite Cyph not being affiliated with Microsoft. The licence says I am only allowed the source for reference use. What does that mean?

"Reference use" means use of the software within your company as a reference, in read only form, for the sole purposes of debugging your products, maintaining your products, or enhancing the interoperability of your products with the software, and specifically excludes the right to distribute the software outside of your company.

This presents several problems.

• "Read Only Form" - if I make a fork on GitHub, or locally, my copy of the source will be writeable. Indeed, I will need to write to it in order to submit a PR.
• Improving accessibility is not related to debugging, maintenance, or interoperability.
• I do not have any products.
• If I create a fork on GitHub, I will be distributing the code.
• I am not a company, nor do I work for a company.

Under the terms of their licence, I couldn't contribute back. I politely complained about this. Cyph's response was to create their own licence! The brand-new Cyph Reference Source Licence (CYPH-RSL).

The new licence is slightly better. It understands that I may be an individual rather than a company, and lets me take a copy of the code to test verifiable builds. But the reference use becomes even more confusing.

"Reference use" further includes use of the software within your organization, in writable form, for the sole purpose of developing and testing changes to the software that are intended to be transferred to the Licensor for consideration of inclusion within the software, and specifically excludes the right to distribute the software outside of your organization except as necessary for transference to the Licensor.

What a tangled web!

What does "intended" mean here? Can I make a copy, make extensive changes, distribute my version of the code and intend to make it available - but never do so? How long a timeframe do I have? What if I work on something for years and intend to transfer it only when it is ready?

The wording still precludes me forking this repo on GitHub. That is not necessary for editing code and transference.

I cannot write a blog post about the changes I've made, because that will be distributing their software and isn't necessary for transference.

At which point, I decided to bow out of contributing. I was looking forward to improving its accessibility, and perhaps racking up some cheap HacktoberFest points.

It's great to challenge the status quo and invent new things. But when you do so, you risk causing confusion. And if you're trying to build a new community of contributors, that just adds friction.