The Debian operating system project will not implement Microsoft's proposed Sender ID anti-spam specification under the current licensing terms, it has announced, because they are not compatible with open-source licences.
Debian's rejection of Sender ID follows a similar statement from the Apache server project on Thursday and criticism from the maintainers of open-source projects such as Postfix, Exim and Courier.
"We are... concerned that no company should be permitted intellectual property rights over core Internet infrastructure," Debian's message said. "We believe the IETF needs to revamp its IPR policies to ensure that the core Internet infrastructure remain unencumbered."
Debian said the current Sender ID licence terms are "a barrier to any Debian package which wants to implement Sender ID or include Sender ID support... we cannot implement or deploy Sender ID under the current licence terms. Indeed, we would be forced to remove SenderID support from software we ship that does support Sender ID upstream."
The licensing dispute marks a serious setback for the anti-spam spec, designed to combat spam by authenticating the source of email messages. Sender ID combines Caller ID for e-mail, proposed by Microsoft, and Sender Policy Framework (SPF), proposed by Meng Wong, the founder of email service provider Pobox.com. While many believe the project could make a significant dent in spam, open-source critics say Microsoft's licensing plans would disrupt the normal distribution of open-source software.
Microsoft has offered a royalty-free licence to anyone wishing to implement Sender ID in their products. The main problem with this, according to an analysis by Larry Rosen, general counsel of the Open Source Initiative, is that open source licences are treated as sub-licensable. "Open source licences contemplate that anyone who receives the software under license may himself or herself become a contributor or distributor. Software freedom is inherited by downstream sub-licensees," Rosen wrote in the analysis, which was cited in Apache's statement last week. "Meanwhile, the Microsoft Sender ID patent licence continues the convenient fiction that there are 'End Users' (S1.5) who receive limited rights. That is unacceptable in open source licences."
Debian said it used Apache's statement as a starting point, but had arrived at its decision independently.
The Apache project stated last week that Microsoft's licence was "generally incompatible with open source, contrary to the practice of open Internet standards, and specifically incompatible with the Apache License 2.0." The group said it had raised its concerns as early as 1 March, but no resolution had been reached, despite assurances from the IETF (Internet Engineering Task Force).
Like other critics, Apache's developers said they were concerned the specification was being pushed ahead without serious attention being paid to intellectual property risks, particularly the existence of pending Microsoft patents related to Sender ID. "We feel that dismissal of unspecified, pending, patent claims recklessly shifts the risk and potential burden onto implementors," Apache said.
In his analysis, Rosen argued that under current conditions, if a developer wished to rebrand or redistribute an open source product supporting Sender ID it would have to contact Microsoft directly, which "gives Microsoft information about its competitors' plans that it has no reason to know".
Some open-source leaders have found Microsoft's terms acceptable. Open Source Initiative president Eric Raymond approved of the licence because it requires no royalty payment and may not even require licensees to sign an agreement.
David Anderson, chief executive of Sendmail, agreed with this assessment, and his company has released a Sendmail mail filter supporting Sender ID under its own open-source licence. Anderson said Sendmail had no plans to sign a licence agreement, and didn't see why any other users or developers would need to do so.
Microsoft told Techworld it could not immediately comment on the issue.
A recent survey found that spammers are adopting SPF even more quickly than legitimate email senders, raising questions about the effectiveness of the system. In July, Microsoft said it would begin enforcing Sender ID on its email services regardless of wider industry adoption.