Publications

Microsoft's Open Specification Promise: No Assurance for GPL

March 12, 2008

Download:

There has been much discussion in the free software community and in the press about the inadequacy of Microsoft's Office Open XML (OOXML) as a standard, including good analysis of some of the shortcomings of Microsoft's Open Specification Promise (OSP), a promise that is supposed to protect projects from patent risk. Nonetheless, following the close of the ISO-BRM meeting in Geneva, SFLC's clients and colleagues have continued to express uncertainty as to whether the OSP would adequately apply to implementations licensed under the GNU General Public License (GPL). In response to these requests for clarification, we publicly conclude that the OSP provides no assurance to GPL developers and that it is unsafe to rely upon the OSP for any free software implementation, whether under the GPL or another free software license.

Irrevocable but Only for Now

Microsoft makes its promise “irrevocably,” but upon careful reading of the entire OSP, this promise is weakened considerably in the definition of Covered Specifications. In that provision, Microsoft clarifies that:

New versions of previously covered specifications will be separately considered for addition to the list.

Because of this narrow definition of the covered specifications, no future versions of any of the specifications are guaranteed to be covered under the OSP. Each new version is subject to Microsoft's ongoing discretion on a case by case basis. In other words, every time a specification changes, Microsoft can effectively revoke the OSP as it had applied to previous versions of that same specification. Microsoft states that it will commit to renewal of the promise for future versions of specifications subject to standardizing activity “to the extent that Microsoft is participating in those efforts,” which means that Microsoft reserves the right to cancel the promise with respect even to standardized specifications, by merely withdrawing from the relevant standard-setting workgroup or activity. While technically an irrevocable promise, in practice the OSP is good only for today.

The OSP Covers Specifications, Not Code

The OSP covers any of the Covered Specifications, and Microsoft's promise applies to “full or partial implementation,” according to its FAQ, but Microsoft also states:

The OSP does not apply to any work that you do beyond the scope of the covered specification(s).

This statement clarifies the qualification in the very first sentence of the OSP that the promise applies only “to the extent it conforms to a Covered Specification.” The OSP will apply to implementations of the specifications, but only to the extent that such code is used to implement the specification. Any code that implements the specification may also do other things in other contexts, so in effect the OSP does not cover any actual code, only some uses of code. Free software is software that all users have a right to copy, modify and redistribute, and as Microsoft points out in the OSP, there is no sublicensing of rights under it. So any code written in reliance on the OSP is covered by the promise only so long as it is not copied into a program that does something other than implement the specification. This is true even if the code has not otherwise been modified, and code that conforms to the specification cannot be modified if the resulting modified code does not conform. Therefore the OSP doesn't permit free software implementation: it permits implementation under free software licenses so long as the resulting code isn't used freely.

No Consistency with the GPL

The OSP cannot be relied upon by GPL developers for their implementations not because its provisions conflict with GPL, but because it does not provide the freedom that the GPL requires. Relying on the OSP is unsafe because new versions of specifications could be excluded from the OSP and because the resulting code could not safely be used outside a very limited field of use defined by Microsoft. GPL developers, with their special sensitivity to issues of preserving downstream freedom, will be unable to rely on the OSP with confidence.

In its FAQ regarding the OSP, Microsoft confuses the issue further, saying:

Because the General Public License (GPL) is not universally interpreted the same way by everyone, we can't give anyone a legal opinion about how our language relates to the GPL or other OSS licenses, but based on feedback from the open source community we believe that a broad audience of developers can implement the specification(s).

While not attempting to clarify the text of the OSP to indicate compatibility with the GPL or provide a safe harbor through its guidance materials, Microsoft wrongly blames the free software legal community for Microsoft's failure to present a promise that satisfies the requirements of the GPL. It is true that a broad audience of developers could implement the specifications, but they would be unable to be certain that implementations based on the latest versions of the specifications would be safe from attack. They would also be unable to distribute their code for any type of use, as is integral to the GPL and to all free software.

As the final period for consideration of OOXML by ISO elapses, SFLC recommends against the establishment of OOXML as an international standard and cautions GPL implementers not to rely on the OSP.1

1 SFLC's analysis of the OpenDocument Format, written in an opinion letter on behalf of our client Apache, is available on our website at http://www.softwarefreedom.org/resources/2006/OpenDocument.html