[OpenID] JanRain library licensing (was: Re: On OpenID 2.0)

Dries Buytaert dries at buytaert.net
Wed May 16 07:43:34 UTC 2007


On 11 May 2007, at 20:06, Josh Hoyt wrote:
>> I'll close with this too - as someone who has implemented a lot of "open
>> specs" in the past couple years - having multiple implementations in
>> the wild is actually a very good thing... I've found anyway. Helps make
>> sure we're reading and writing to the spec appropriately ...
>
> Sorry to single you out, James, but I'm tired of hearing this
> justification for *yet another* implementation. The rest of this
> message is about this topic in general and not directed solely at you.

> There are already many implementations. If your interest is in
> interoperability or spec conformance, your time would be much better
> spent working on conformance testing tools or just testing *existing*
> implementations against each other. One of the reasons that I always
> encourage people to use the libraries that JanRain wrote is so that
> we'll get more in-the-wild testing in different environments and get
> feedback that helps us resolve issues.

What you should focus on, IMO, is (a) a well-documented reference
implementation and (b) conformance tests that others can use to  
validate their own implementations.  This is common practice -- and  
is what people do with XML-RPC servers, RSS/Atom feeds, Jabber, SMTP,  
HTTP, Java Virtual Machines, you name it.

Saying that there should only be one implementation is like saying it  
would be a lot easier to build the web, if there was only one  
webserver implementation, one web programming language, one CMS  
implementation, and one browser implementation.  It's true but naive.

I'm getting tired of the "you shouldn't roll your own" argument.   
When I just started working on Drupal, people told me exactly that:  
"Contribute to existing CMSes instead!".  Often this argument is  
valid, but occasionally it is not.  I don't regret the fact that I  
ignored that advice.  That said, Drupal uses 3rd party libraries  
where we think that is useful (i.e. Drupal uses the jQuery JavaScript
library), and we use our own code when we think that better suits our  
needs.

We looked at JanRain's implementation in the past, and for Drupal, we  
wanted to have a smaller implementation that duplicates less code and  
that integrates better with our existing framework. Our current OpenID
module is 12 KB, the one from JanRain is 290 KB. I think Drupal
itself is only 650 KB.  We already have input filters, we already  
have a database abstraction layer, we already have code to do HTTP  
requests, we already have code to validate URLs,  etc, etc -- and  
we'd rather not duplicate these.

Personally, I think there are two things you can do: (1) you can  
focus on your own (reference) implementation and try to maintain your  
marketshare, or (2) you can facilitate others that write their own  
implementation by providing conformance tests, documentation,  
resources, etc.  I don't think (1) is the winning strategy ...

As soon as WordPress, TYPO3, Joomla, Drupal or Firefox ship with an
OpenID client, we're likely to eat your implementation's  
marketshare.  At that point, OpenID will, in part, depend on our  
contributors (i.e. people like James).  For example, if we are slow  
to pick up advances in the OpenID protocol, or if we only release a  
new version of our software once every two years, then this might  
affect OpenID. We all know how that goes; just look at HTML 4 vs  
XHTML 1 vs HTML 5 vs XHTML 2 vs CSS1 vs CSS2 and the multitude of  
browser woes surrounding that.

The million dollar question is: how can this be avoided?

The reference implementation helps you bootstrap, but ultimately, the
conformance tests are what will matter.

--
Dries Buytaert  ::  http://www.buytaert.net/


