CPAL? What's That?

As we covered earlier today, Facebook has released a big chunk of its platform code as open source - using the CPAL (Common Public Attribution License) for their main license. If you haven't been closely following the proliferation of open source licenses, this is probably a new one to you. As with any open source code, it's smart to understand your rights before you start depending on the new platform - especially since some of the provisions of the CPAL may surprise you.

The CPAL was initially developed by social enterprise wiki company Socialtext, and approved by the OSI last year. Since then it has not seen wide adoption, although it is used by several prominent open-source projects, including the xTuple ERP applications and the Mule ESB. It's based on the familiar Mozilla Public License (used by Firefox, among other high-profile pieces of software) with two key modifications.

First, the CPAL includes an attribution requirement. Software licensed under the CPAL may include an exhibit with information about the original developer. This exhibit specifies

that each time an Executable and Source Code or a Larger Work
is launched or run, a prominent display of the Original Developer's Attribution Notice (as definedbelow) must occur on the graphic user interface (which may include display on a splash screen)

In the case of Facebook's open source code, the CPAL requires the display of this information:

Attribution Copyright Notice: Copyright © 2006-2008 Facebook, Inc.
Attribution Phrase (not exceeding 10 words): Based on Facebook Open Platform
Attribution URL: http://developers.facebook.com/fbopen
Graphic Image as provided in the Covered Code: http://developers.facebook.com/fbopen/image/logo.png

While this seems reasonable to recognize the work of the Facebook developers, it does act as a sort of "poison pill" to prevent others from simply cloning Facebook on to their own sites - at least, others who don't want to give prominent credit to a rival.

The other difference between the MPL and the CPAL is in section 15, which closes the ASP loophole: 

The term 'External Deployment' means the use, distribution, or communication of the Original Code or Modifications in any way such that the Original Code or Modifications may be used by anyone other than You, whether those works are distributed or communicated to those persons or made available as an application intended for use over a network.

In other words, if someone builds a web site based on the Facebook code, they must make the source code of their modifications available as soon as they let users into the site - whether or not they ship their own site code as a separate product.

One further note about the CPAL: because it's based on the MPL, it is not compatible with the GPL.  Facebook does not appear to have availed itself of the dual-licensing provisions of the CPAL, meaning that any of Facebook's CPAL-licensed code cannot legally be linked with GPL code.