[OpenID] JanRain library licensing (was: Re: On OpenID 2.0)

Chris Messina chris.messina at gmail.com
Fri May 18 11:43:22 UTC 2007


This is actually very solid reasoning... And educational for me.

While my concern is entirely with a consistent and secure user
experience, conformance tests and a clear spec seem tantamount to
having my needs addressed, rather than simply having one
implementation per language.

That said, the first reaction should probably not be to build one's
own OpenID library, but in the case of certain projects, it does, now,
to me at least, make more sense.

Thanks Dries,

Chris


On 5/16/07, Dries Buytaert <dries at buytaert.net> wrote:
>
> On 11 May 2007, at 20:06, Josh Hoyt wrote:
> >> I'll close with this too - as someone who has implemented a lot of
> >> "open specs" in the past couple years - having multiple implementations
> >> in the wild is actually a very good thing... I've found anyway. Helps
> >> make sure we're reading and writing to the spec appropriately ...
> >
> > Sorry to single you out, James, but I'm tired of hearing this
> > justification for *yet another* implementation. The rest of this
> > message is about this topic in general and not directed solely at you.
>
> > There are already many implementations. If your interest is in
> > interoperability or spec conformance, your time would be much better
> > spent working on conformance testing tools or just testing *existing*
> > implementations against each other. One of the reasons that I always
> > encourage people to use the libraries that JanRain wrote is so that
> > we'll get more in-the-wild testing in different environments and get
> > feedback that helps us resolve issues.
>
> What you should focus on, IMO, is a (a) well-documented reference
> implementation and (b) conformance tests that others can use to
> validate their own implementations.  This is common practice -- and
> is what people do with XML-RPC servers, RSS/Atom feeds, Jabber, SMTP,
> HTTP, Java Virtual Machines, you name it.
>
> Saying that there should only be one implementation is like saying it
> would be a lot easier to build the web, if there was only one
> webserver implementation, one web programming language, one CMS
> implementation, and one browser implementation.  It's true but naive.
>
> I'm getting tired of the "you shouldn't roll your own" argument.
> When I just started working on Drupal, people told me exactly that:
> "Contribute to existing CMSes instead!".  Often this argument is
> valid, but occasionally it is not.  I don't regret the fact that I
> ignored that advice.  That said, Drupal uses 3rd party libraries
> where we think that is useful (i.e. Drupal uses the jQuery JavaScript
> library), and we use our own code when we think that better suits our
> needs.
>
> We looked at JanRain's implementation in the past, and for Drupal, we
> wanted to have a smaller implementation that duplicates less code and
> that integrates better with our existing framework. Our current OpenID
> module is 12 KB, the one from JanRain is 290 KB. I think Drupal
> itself is only 650 KB.  We already have input filters, we already
> have a database abstraction layer, we already have code to do HTTP
> requests, we already have code to validate URLs,  etc, etc -- and
> we'd rather not duplicate these.
>
> Personally, I think there are two things you can do: (1) you can
> focus on your own (reference) implementation and try to maintain your
> market share, or (2) you can facilitate others that write their own
> implementation by providing conformance tests, documentation,
> resources, etc.  I don't think (1) is the winning strategy ...
>
> As soon as WordPress, Typo3, Joomla, Drupal or Firefox ship with an
> OpenID client, we're likely to eat your implementation's
> market share.  At that point, OpenID will, in part, depend on our
> contributors (i.e. people like James).  For example, if we are slow
> to pick up advances in the OpenID protocol, or if we only release a
> new version of our software once every two years, then this might
> affect OpenID. We all know how that goes; just look at HTML 4 vs
> XHTML 1 vs HTML 5 vs XHTML 2 vs CSS1 vs CSS2 and the multitude of
> browser woes surrounding that.
>
> The million dollar question is: how can this be avoided?
>
> The reference implementation helps you bootstrap, but ultimately, the
> conformance tests are what will matter.
>
> --
> Dries Buytaert  ::  http://www.buytaert.net/
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
>


-- 
Chris Messina
Citizen Provocateur &
  Open Source Advocate-at-Large
Work: http://citizenagency.com
Blog: http://factoryjoe.com/blog
Cell: 412 225-1051
Skype: factoryjoe
This email is:   [ ] bloggable    [X] ask first   [ ] private