Asterisk creator: Consider open source VoIP, think twice about hybrid-hosted

Companies selecting a VoIP solution must choose from a dizzying array of options, including whether a hosted, hybrid-hosted or premise-based telephony system will work better for them, and whether the benefits of open source outweigh the potential risks.

Digium CTO and Asterisk creator Mark Spencer called the proprietary hybrid-hosted model "very evil" during the Internet Telephony Expo West 2007 in Los Angeles, leading to a conversation-starting blog posting by SearchNetworking.com site editor Amy Kucharik. Kucharik recently spoke with Spencer to get some clarification on his position and controversial comments, and to hear his thoughts about open source VoIP and what it means for business users.

Why is proprietary hybrid-hosted VoIP 'very evil'?
Mark Spencer: A lot of this is a bit of a hyperbole in terms of the scale I try to put things in. Are the lines quite so black and white? But the biggest problem with hybrid-hosted as it is currently implemented is that it actually takes away even more choice from the customer than a traditional proprietary product. The reason for that is that under a hybrid-hosted model, the ability to control the system is removed from the customer and placed in the hands of the vendor. So when you think about it, open source is trying to move things to where there is customer control; the hybrid-hosted model is that you really don't even have access to your configuration information because it's all held there. If they change what the feature set is or how it's presented, you don't really have any choice about how to use that. It's not so much that the hosted model itself is inherently bad; there's certainly a lot of technical benefit to having a hosted environment. It's an easy way to get started. But it is, I think, dangerous to customers not to be able to get out of it if they outgrow the sise that makes sense or if they become unhappy with that vendor. They're really locked in even more than they are with a traditional proprietary vendor.

Do you think there are certain companies for which it is more or less dangerous? The hybrid-hosted model seems most beneficial for SMBs, which don't have the staff or the desire to manage the phone system in-house; they just want to pay somebody and have it work.
Spencer: I think that it's one of several models that can work for an SMB. Some SMBs like to have premise-based solutions if they're cost-effective enough, and some SMBs want to have something that's hosted; I mean, it just kind of depends on the company. But when your SMB starts to turn into more of an enterprise, as you start to grow, that's when this starts to be an acute problem because you're really locked in to this vendor in a way that's very difficult to break away from.

And not only that, but what you see in the product today may or may not be what the product is tomorrow. Think about how many people have used Windows XP, and now you have Windows Vista that's come out. Imagine if all of a sudden Microsoft changed it so that when you went to your computer it was now running Vista because they thought that was the better system. Think about how many people really don't like Vista right now. If your operating system were hosted, you really wouldn't have a choice. Whatever the person hosting it decided you should have is what you'd have. It just doesn't feel like a safe model for someone who's used to the open source world, where you have a tremendous amount of control.

I would like to set the record straight on the Digium waiver. [Fonality CEO] Chris Lyman has mentioned it in various interviews. Does Digium take code from its community and release it in a closed source product?
Spencer: I will get you a copy of the license agreement that's used when people submit patches. But I would sort of summarise it as this: The purpose of the license agreement is that Digium should clearly retain its ability to license the code and combine the code in whichever ways it sees fit. As an example, this is required to be able to offer G.729 support for Asterisk because G.729 is not available under the GPL, because it's heavily patent-encumbered. So without the ability to have this kind of control, it would be very difficult for us to do that, and by the way, these "waivers," as some people call them (they're really license agreements), are built off the waivers that the FSF (Free Software Foundation) requires, so if you contribute to GCC or the GNU C library or something like that, you have to do a very similar document for them.

The biggest difference, not to get too technical here, is that the FSF requires you to assign them the copyright of the changes that you make, whereas the Digium model is that you simply license us the ability to use that code however we see fit. It's really about giving the maximum amount of control in terms of what we can do in terms of our own licensing. So Digium does license the code of Asterisk commercially, but we don't take contributions and then make those code changes available under proprietary licenses and not under an open source license. Anything that is made available under the proprietary license in terms of the Asterisk code base has been made available under open source -- and certainly that would apply to any kind of contribution that has been received that was integrated into Asterisk in the first place.

Historically, there are people who have complained about the idea that Digium licenses the stack both for commercial use and not, but as an example, the GNU C Library is licensed in such a way that you can link to it with a commercial program without violating that license, and people don't complain about that. I think the most important issue at hand here is that there are people who want to use Asterisk without contributing back, and it bothers them that they would be expected to pay some fee or something like that to be able to use that code if they don't want to abide by the terms of the GPL.

Aren't you beholden to the GPL in some way?
Spencer: Digium either owns the copyright to, or has this special extended license to, all code that is distributed as Asterisk. And so Digium can license Asterisk under any terms that it chooses to, and it does license Asterisk under GPL in addition to proprietary licenses in some cases. So Asterisk is released as GPL; it can never be taken out of the GPL, because once it's out there, then it's there. By contrast, Fonality -- or anyone, really, that uses Asterisk or that distributes Asterisk or derivative work -- is beholden to the GPL in the sense that unless they have negotiated a separate license with Digium, the GPL is the license which demands how they can distribute that code.

Are these dangerous legal waters to be in, considering the historical grappling in both the telecom space and with the various open source projects over licensing and patents?

Spencer: There can always be complications around licensing, but one of the advantages of the approach that we have taken is to prevent a situation like the one we saw with SCO and IBM around the Linux kernel, where SCO claims that, "Hey, there's this code that made it into the Linux kernel and it's really our code." That's just about been put to bed now. But this process we have with these documents actually helps us establish exactly the source of every line of code that goes into Asterisk. That means that for any line of code that's in there, we can trace it back to who it came from; we can confirm that there were rights assigned for that code base, which helps provide a much higher level of certainty about the origin of the software that's distributed within Asterisk. And, in fact, one of the main reasons people license Asterisk, whether it's business edition or regular Asterisk, is to be able to get indemnity for that; to have Digium stand behind that and confirm that we're responsible for assuring that we have the rights to the code that's distributed.

How do you answer criticism that the Digium license is really a closed source licensing model?
Spencer: There is absolutely nothing closed source at all about the license. What people provide is a license that permits us to redistribute the code that they are contributing back to Asterisk under any arbitrary terms. We make that code available under open source as well. It is true that we also make it available under a proprietary license, but it's not as if it's only available under a proprietary license; it's also available under the GPL. And again, the example that I provide to this is that if Asterisk were licensed under LGPL, the same license that the GNU C library and all sorts of other free software that people use all the time is licensed under, you'd have the same effect, except that there wouldn't be the revenue source for Digium that's associated with that, and people wouldn't have an economic incentive to use and contribute under the GPL. We think this model is actually better than other open source models like BSD license or LGPL or any of those other open source licenses that would allow proprietary utilisation without any kind of contribution in return.

Since Digium receives some criticism on one side for not giving back to the open source community, and on the other side has to deal with potential customers' suspicions about open source products, wouldn't it be easier to become a closed source company?
Spencer: I think that a lot of the value in Asterisk comes from its being open source. There are a lot of challenges that we've faced from that; people like to make a lot of noise about it, even in incredibly hypocritical ways. You have to be able to look past all that and think about the millions of users out there who are using Asterisk and really deriving a lot of benefit, and the significant number of those who actually do contribute back in different ways -- whether it's supporting our efforts, buying our products, contributing code - and who participate in that and recognise the role that Digium as a company played in managing the whole Asterisk development process, in having programmers working full time on open source Asterisk. All of this benefit that we bring to the community, I think, is well received by most of the people out there.

What in your opinion is the #1 reason why open source is better than proprietary?
Spencer: It all fundamentally comes down to the control that the customer has. The control is not in itself something you can really explain; it's how that maps out into more choices for hardware and software and how it changes the behaviour of your vendor because it can't keep somebody locked out of it. That control is reflected in a lot of ways in terms of how it actually ends up benefiting the customer.

Do you think that the majority of customers in the SMB space care whether they are buying an open source phone system?
Spencer: Absolutely not. The only benefit that open source has in those areas is in its ability to really deliver a better price, better performance or ease of use. Open source is really only beneficial as an engineering model and a marketing model in its ability to measure on those things, because most end users in an SMB are not sophisticated enough to be in a position to address that, if that makes any sense.

I think it boils down