Some time ago, the Debian Developers decided to include Mono in the default Debian installation. This move was controversial, and provoked a discussion. After considering the different opinions, I decided to voice mine.
Mono is an open source implementation of the Microsoft .NET platform. Since it is licensed under a DFSG-compatible license, it is in the Debian main repository, and is formally eligible for inclusion in the Debian default installation.
In fact, however, Microsoft has many software patents that cover .NET, and consequently, Mono. A friend of mine estimated them on more than 100. Under a jurisdiction that allows software patents, a Mono user will be a gross violator of Microsoft intellectual property, and can be successfully litigated on this base.
It is true that Microsoft has covered ECMA standards 334 and 335, that describe a part of Mono, with their Community Promise. However, these standards are only a small part of Mono: most of it is not covered by anything that will protect its users from litigation.
The language of .NET / Mono, C#, is also a Microsoft intellectual property. It is not covered by any protection against litigation; it is not even an ECMA standard. Microsoft never licensed anyone, except the .NET platform users, to use it. Legally, using it could be enough to make you vulnerable to litigation, and certainly may aggravate a Mono user’s IP violation situation (ie. may increase the sums that may be successfully litigated from the user).
Also, Microsoft has a long record of actions against FOSS. (The recent contribution of GPLed drivers to the Linux kernel is a good first step to a change, but is not a sufficient proof that Microsoft have changed their politics completely.) In addition, it has, by its own claims, pushed many FOSS users into signing a “patent protection” agreements, which are effectively a payment from these users to Microsoft for using their IP, ie. patents, in FOSS. There is also information that they have considered outsorcing the “defence against violation of their IP” to external patent litigation companies. It is known that these companies tend to be far less considerate and much meaner in their approach.
Imagine that you have at hand the source code of some proprietary software, without any license. If you use it as if it was FOSS, its owner may decide to not interfere, and to leave you to use, modify and distribute it in any way you like. However, this is up to the owner’s whim, and thus makes the software not free. In some cases, it may be reasonably believed that the owner has no interest to go after you, and will like you to use, modify and distribute it freely. However, until the owner has taken the appropriate legal steps, eg. licensing this code under a free license, it remains proprietary. In short: what makes a software not free is not the fact that you are already denied its freedom, but the fact that you don’t have the complete legal right to enjoy it, and someone can legally deny it to you.
If a code infringes on patents, this puts it into the same position. The patents owner can at any moment litigate against the code user or author, and require them to pay him an amount of money, and/or to destroy the source (and possibly the compiled) code, and/or to stop writing further versions, and/or to stop distributing it, etc. This amounts to denying the user or author all freedoms they may have with the code, be that the four Stallman freedoms, or any other. The fact that the code itself may be under a free license, and may even be written by you personally, doesn’t change this. Hence, this code actually is not FOSS.
Using patent-encumbered software without having completely arranged the patent rights first is exactly as illegal as stealing proprietary code. It is true that owners of software patents do not often use them in litigation. However, this does not matter: what matters is that legally the patents owner may go after the users, and deny them the software freedom, exactly as if this is his proprietary software.
A prudent reader may note that if you don’t have a license for a code, this means that you may not use it at all, and deciding to use it as if it was FOSS would be automatically illegal. However, exactly the same is valid with the patents encumbering a software technology: if you haven’t got a legal permit to use them, their usage at all, eg. in a code, would be automatically illegal. So, the situation is the same.
Some readers will probably say that this is just one software in the sea of Debian, and that in the default install it supports only one application. This, however, is not a serious argument: not so long ago, just a few lines of code removed from a single Debian application (the SSH key generator) left many thousands of huge servers, loaded with vast amount of well-secured software and managed by excellent professionals, completely open to a very simple attack. Legally, Mono is a security hole with a larger risk and more devastating consequences than the SSH blunder. What this argument actually tells is how easy will be to remove this security hole, and how little damage this will do.
Some readers will probably point that no software can ever be guaranteed to not infringe on every patent in existence. This is true. However, no software also can ever be guaranteed to not contain a snippet of proprietary code, since all proprietary code is even harder to check than all patents. And yet, we accept that software can be free. It is one thing to know that such a distant possibility can never be excluded completely, and it is completely different thing to know for certain, or for reasonably certain, that a code does contain blocks of proprietary code, or does infringe on existing software patents, controlled by an entity that is not friendly to FOSS.
Some readers may also say that if a sign appears that users may really be endangered because of the Mono usage, it may be removed. However, the installed infrastructure tends to stay: what is removed today from the repositories may stay for years on the user computers. Also, even if Mono will be removed instantly from everywhere, it will be too late then: Microsoft, or some patent litigation company, will probably have collected in advance proof for many thousands of Debian users that they have illegally used for some time Microsoft IP, and will be able to sue them even if the offending code is already removed. Collecting will be very easy: it will be enough to check whether you are running a Mono-containing Debian, or have run it for some time. If the user did, the onus on proving that you never installed the default-tagged Mono may be on him/her, and it may be impossible to irrefutably prove this. Another thing that tends to stay even if the error is fixed is the public image, especially in the eyes of the high-positioned company executives: once Debian gets the image of a distro bearing a high legal risk, it is not going to wash off in an year or two.
Until the Mono patent dependency is completely resolved, using it puts the user to the same risks as illegally using a proprietary software. That is, in fact Mono is not free or open source software.
In this light, I believe that Mono has no place in the default install of Debian; that in fact, it has no place in the Debian main repository, and possibly in Debian at all. I understand that this is a drastic conclusion, and will not be accepted easily. What lead me to it is not emotions, but facts and logic: if you want to dispel my doubts (and eventually yours), please find key omissions in the facts and the logic I used.
If Mono is allowed into Debian at all, this must be in a special repository, say “encumbered”, together with every other software that is formally free, but is known or reasonably suspected to be encumbered with patents that open the user to litigation risk. This repository must be accompanied by a prominent warning about the potential risks its programs carry. (This doesn’t mean that these programs are bad, or broken, or not useful. It simply means that their legal status is, unhappily, not the one all we would like it to be.)
Of course, every Debian user is free to deinstall Mono. However, if something is in the default install, chances are that the most users will not deinstall it. Thus, as long as Mono is in the default Debian install, it is practically granted to stay on the most computers Debian is installed on – and this is dangerous both for the users and for the FOSS community as a whole.
In reality, Debian home users will probably be safe from litigation based on Mono patents. However, it is not the case with the businesses.
Microsoft have, by their words, signed patent protection deals with some companies, based on their claims of having IP in the Linux kernel. Most businesses know, or will be advised by their IT staff, that these claims will be hard, maybe impossible to prove (and yet, Microsoft signed some). However, there is no doubt that the MIcrosoft IP in the .NET / Mono will be very easy to prove. So, if Mono is accepted in the default install of an official Debian release, Microsoft will be able to sign a patent protection deal with any business that uses Debian, and is big or rich enough to merit sending them a warning letter, and arranging a half-hour meeting. And what one should reasonably expect from a company in their position is to do it.
This process has at least one vicious-circle element. What deters Microsoft from crushing FOSS with their monopoly power is that Internet is a client-server technology, and a big percent of the servers are running Linux. By filing away this percentage through the leverage Mono gives them, Microsoft will be able to gradually go deeper, and to use more and more aggressive approaches.
What the businesses (and organizations etc.) may do?
Some may choose to pay the protection price (which I expect to be about just enough to make Microsoft products look the better alternative; combined with some discount from Microsoft, this will probably mean that these businesses next upgrade cycle will be switching from Debian to an MS platform).
Others may decide to abandon Debian after being served a litigation request. (If they have developed infrastructure based on it, this may be costly.) Some of them will probably move to another Linux distro, most probably one that is not Debian-based. Some, however, will probably choose another platform that will not give them legal headaches – Apple or MS. In both cases, however, they will not be able to avoid some payment, since there will be proof that they have illegally used for some time Microsoft IP. The options offered in their negotiations with Microsoft about this payment will probably have a decisive influence over where these businesses will go.
After some businesses get litigated, most other Debian business users will have to promptly take a decision. Since for most of them will be easy to legally prove that they have used for some time Microsoft IP, they will be in the same position as the businesses that are already litigated. (Actually, the smart businesses will recognize the threat even before the litigation wave begins, and will move away from Debian as quickly as possible. They may be safer than the most.)
In short, the usage of Debian by businesses and organisations will probably more or less gradually decrease to near zero. This will have two important effects. First, the individual Debian users and specialists will find their Debian skills useless on the job market, and many will probably move to other Linux distro (or maybe to another platform at all). Second, this will probably demotivate many Debian Developers, to the degree that they will abandon their work for the Debian Project. (Some others, who are paid by companies to work on Debian, will probably be reassigned to other projects.) This, in turn, will undercut the richness and the quality of Debian, and thus its appeal. Also most of the distros based on it will have to either move to another base distro, or to increase sharply their expenses in order to support their packages, or to limit their richness and quality, too.
The overall effect on the other distros is hard to predict. On one hand, they will get some of the users that switch away from Debian. On the other hand, they will lose some users that will be scared by the wave of action against Debian, and will assume that no Linux user is safe. The other distros will surely try to counter this false assumption, but one must not forget that there are very strong IT players who are well-connected in the media, have enormous marketing budgets and are interested into strengthening it. So, my guess is that the other distros will lose more than they will get.
My action plan
This prognosis may be a worst-case scenario. However, this is the type of scenario a prudent IT manager should have in mind. (And, given the Microsoft record, their current position and the market situation, this scenario is more probable than in most other cases.) Given this, I will have to do the following:
I wll counsel all my business clients who use Debian to consider moving away from it, preferably to a non-Debian-based distro. The best time will be their closest upgrade cycle, or the first stable Debian release that contains Mono in the default install, whichever comes first. (Even if they haven’t installed the new release with Mono, or have removed Mono from it, proving this in a court may be a costly process, and I will be responsible for not notifying them of the danger.)
I will discuss with my IT colleagues from other companies which other Linux distro is the most prospective, and the least inclined to putting patent-encumbered software in the default install. I will offer them to write collectively a Creative Commons-licensed tutorial for switching from Debian to this distro. This tutorial will be of use both to us and to other users, when the switch time comes.
I will urge all individual users of Debian I know to get knowledge of the newly chosen distro (or another non-risky one, of their choice), and to be ready to switch from Debian to it, at the first sign that the things go wrong. I will also warn them what signs to watch for.
I will confess (again here, and everywhere else) that this conclusion, and this plan for action, are rather drastic. However, again: they are based not on emotion, but on facts and logic. Debian has been for many years my preferred distro; I type now this on it; I love it. If you can find omissions that will disprove these facts, and/or overturn this logic, I will be enormously happy. However, I am afraid that this may be hard. And that this error, unlike the SSH one, may have far worse consequences.