Quoting Steve Litt (slitt@???):

> Yes. So is systemd, and so is Dracut, into which Red hat incorporated
> systemd things and then emptied its older repositories, making forking
> much harder.

As has been noted by others, to preserve the ability to fork from other
versions, wide distribution and mirroring of a codebase's past releases
(and/or changesets) is necessary.

I'd like to tell a story about how the world got Portable OpenSSH and
other completely open source implementations of the secsh protocols.

Tatu Ylönen invented the protocol starting in the middle 1990s (mainly)
as a crypto-wrapped replacement for the Berkeley r-commands, at Helsinki
University of Technology in Espoo (now called Aalto University), under
permissive licensing for the first couple of years. (Compilation
required some external libs, some of them GPL.) Ylönen founded SSH
Communications Security, Ltd. to commercialise it. Some time in early
1996, about the time Ylönen's 1.2.13 came out (1996-02-10), his company
signed a commercial distribution agreement with Data Fellows, Ltd. (now
F-Secure Corporation). Slightly more restrictive licensing was
introduced at that time into all newer releases. Right around the
issuance of 1.2.13, the files for 1.2.1 through 1.2.12 were quietly
removed from the main SSH ftp site and its mirrors. The licence was
changed again starting with 1.2.28, requiring payment for any use in a
commercial setting. The 2.0 series (introducing secsh 2.0 protocols
alongside the 1.3 ones) further restricted terms.

Some years passed. People started realising that they'd been lulled
into complacency, and what was now critical infrastructure was available
only under increasingly restrictive terms.

In August 1999, Björn Grönvall of Sweden found an old tarball of
Ylönen's ssh 1.1.12 and forked it as 'ossh', maintaining this codebase
under the original permissive licence through 2001, fixing and
re-updating the code. OpenBSD Foundation noticed his work, and forked
his fork, creating OpenSSH & Portable OpenSSH as reference implementations
(further updating the code and replacing copylefted components).

The availability of a reference implementation under permissive
licensing (along with expiration of the RSA patents) then helped bring
about development of Dropbear, LSH, FreSSH, PuTTY, and other key
implementations.

If Grönvall hadn't found that old tarball, I'm not sure where we'd be
today.


Another little story: In 1999, I became a VA Linux Systems employee,
just in time to go through the firm's meteoric IPO and the almost
immediately consequent Dot-Bomb stock market crash and collapse of the
firm's business model. To my great annoyance, corporate management
decided to transform the firm from a Linux-oriented hardware company
into a proprietary software firm. One of the two new market focuses
(along with storage software) was an effort to commercialise
SourceForge. What followed was... guess what? I'll just pause and let
you read the outside account by Loïc Dachary of Free Software Foundation
Europe: http://www.advogato.org/article/376.html

Over the past few months the SourceForge development facility, which
hosts a large number of Free Software projects, has changed its
policies. Features for exporting a project from SourceForge have been
removed. The implementation used to be exclusively Free Software but
is now based on non-free software. Finally, VA Linux has become rather
underhand[ed] in their attempts to grasp exclusive control of
contributors' work. SourceForge did a lot of good for the Free
Software community, but it's now time to break free.
[...]

Loïc and others having sent up the alarm, a few people started taking
measures to preserve escape hatches, including Savannah, BerliOS
Developer, Debian-SF, GForge, and FusionForge. I tell a lot of this
somewhat twisted history, and further machinations by the Company
Formerly Known as VA Linux Systems, here: 'SourceForge Forks' at
http://linuxmafia.com/kb/Apps/

GForge, created by original SourceForge architect Tim Perdue the day he
was laid off by VA Linux Systems, emerged as the leading fork. As a VA
Linux Systems, VA Software Corporation / whatever employee, I could not
ethically comment, except for years I had this as one of my .signature
blocks for posting in the open source community:

Cheers,                        Open-source SourceForge retakes the lead:
Rick Moen                      http://gforge.org/  Thank you, Tim Perdue.
rick@???  

As I say in my cumulative .signatures collection,
http://linuxmafia.com/pub/humour/sigs-rickmoen.html:

Archivist's Note: For context, Perdue had been the original architect
of the SourceForge codebase, which was then taken proprietary by his
employer in 2002. After he was laid off, he cleaned up the
pre-proprietary codebase and released it, as a clearly superior
alternative, renamed to "GForge" for trademark reasons. This .signature
of mine aimed to give Perdue's project a small mindshare boost. Since
that happened, the active open source version departed from the GForge
effort and is now FusionForge. N.B.: Timothy Dean Perdue succumbed to
colon cancer on September 16, 2011, aged 37.

May Tim rest in peace.


To sum, there are things to beware of and watch for. Any important
open source codebase needs to have a significant number of years of its
version history widely mirrored, and at least _some_ of the mirrors need
to be entirely untouchable by the maintainers.

Any sudden mysterious code disappearances / unavailability, any
mysteriously requested assignments of copyright ownership (_especially_
if they're deceptively called 'Contributor License Agreements' -- and
I'm looking at you, Canonical, Ltd.), or anything even remotely like
that should raise immediate red flags and get people independently
mirroring everything and preparing to fork if necessary.