Open Source Licenses
It is possible to write and distribute software, with no license
whatsoever, but in the past decade it has become popular to attach to any
released software some sort of license, defining the
obligations of the person who downloads or modifies the software.
Software (or any other creative work) released with no strings whatsoever
(and, in particular, with an irrevocable termination of any creator rights
under copyright law) is said to be in the public domain.
One large category of public-domain works are those for which copyright
has lapsed; this category does not include any working software as
copyright has a substantial lifetime (70 years from the author's death, in
the United States). Perhaps some of Ada Lovelace's work for the Difference
Engine (in the 1840's) can be considered software (though it never ran on
anything); it is certainly now in the public domain. Alan Turing died in
1954; his work on programming does not enter the public domain until 2024.
There is some legal question whether an author even has the legal ability
to place his or her work irrevocably in the public domain, on the theory
that potential rights under copyright can never be terminated.
The GNU public license is the earliest, perhaps mostly because the GPL
tries to accomplish something legally tricky: it requires that any
modifications must remain as open source. When the GPL was first written,
people not concerned about this sort of thing would most likely use no
license at all.
MIT
We will, however, start with the MIT license, which is perhaps the
simplest. Here it is, from opensource.org/licenses/MIT:
Copyright <YEAR> <COPYRIGHT
HOLDER>
Permission is hereby granted, free of charge,
to any person obtaining a copy of this software and associated
documentation files (the "Software"), to deal in the Software without
restriction, including without limitation the rights to use, copy, modify,
merge, publish, distribute, sublicense, and/or sell copies of the
Software, and to permit persons to whom the Software is furnished to do
so, subject to the following conditions:
The above copyright notice and this permission
notice shall be included in all copies or substantial portions of the
Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT
WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF
CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH
THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
The only restrictions are the inclusion of the copyright notice and the
waiver of liability. There is no rule that the source must be distributed;
the copyright notice can be included in the executable. This is not
spelled out explicitly however.
The waiver of liability might not be legally binding (though I am aware
of no cases where this has been contested, if the software was distributed
for free). You might think this odd, but the legal theory is that no
creator of a product can escape negligence liability simply with a waiver.
Were this not the case, nothing would stop vehicle manufacturers from
claiming they were not liable for poor design. It is easy to claim in
court that software errors are due to "negligence".
In 2009 the European Union proposed new laws on software that were
intended to make it harder for companies to escape liability for software
problems. The way the draft was worded, it appeared to make it impossible
for Open Source to escape such liability. However, the laws were
ultimately not adopted. Ironically, one version of the laws would have
made it possible for software vendors to require that customers waive
liability at the time the software was sold. Free software, not
being sold, could not benefit from such waivers.
The X Consortium added to the MIT license a paragraph restricting use of
the X Consortium name.
Software released under the MIT license can be:
- Used in commercial server-side systems
- Combined with other software into a system that is then sold
- Improved, and then sold as an improved version
People who see their open-source work as a contribution to society
sometimes have an issue with one or more of these. On the other hand, if
you want your software to be used, you may find that GPL-style
licenses are too restrictive.
Daniel Haxx wrote the cURL package and released it under the MIT license.
As a result, Haxx's email address appears in the license terms in odd
places. In-car sound systems, in particular, often incorporate cURL, and
so desperate users occasionally contact Haxx for help (daniel.haxx.se/blog/2016/11/14/i-have-toyota-corola):
Hello sir
I have Avalon 2016
Regarding the audio player, why there delay between audio and video when
connect throw Bluetooth and how to fix it.
Haxx appears to find this mildly entertaining. Sometimes it can be a
nuisance.
There's a good in-depth analysis of the MIT license and common variants
at writing.kemitchell.com/2016/09/21/MIT-License-Line-by-Line.html.
Note the "limitation of liability" section.
BSD
The original Berkeley Software Distribution of Unix came with the
original "four-clause" BSD license. The most common BSD license version
today is the following "three-clause" version (opensource.org/licenses/BSD-3-Clause):
Copyright <YEAR> <COPYRIGHT
HOLDER>
Redistribution and use in source and binary
forms, with or without modification, are permitted provided that the
following conditions are met:
1. Redistributions of source code must retain
the above copyright notice, this list of conditions and the following
disclaimer.
2. Redistributions in binary form must
reproduce the above copyright notice, this list of conditions and the
following disclaimer in the documentation and/or other materials provided
with the distribution.
3. Neither the name of the copyright holder
nor the names of its contributors may be used to endorse or promote
products derived from this software without specific prior written
permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT
HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES,
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
The waiver of liability is more elaborate. Binary distribution is
explicitly permitted, as is redistribution. The new clause is that the
names of the copyright holders (any of them, as each new contributor may
add his or her name) may not be used to promote the program.
It is not clear if the BSD license was originally understood to apply
cleanly to improvements added by others; the BSD group likely thought that
clause 3 above would apply only to them.
The original BSD license included a fourth clause:
All advertising materials mentioning features
or use of this software must display the following acknowledgement:
This product includes software developed by the
<organization>.
That actually is a fairly intrusive requirement, which is why
it went away.
Wind River sells an operating system -- VxWorks -- for embedded systems
that is based on BSD Unix. In basic terms, Wind River can do this because
the BSD license allows the creation of proprietary derivative works. Wind
River has argued that basing their OS on Linux would not be an option,
presumably because they'd have to open-source all their changes and that
would cut into their market. (In slightly more complex terms, in 2001 Wind
River bought BSDi, the owner of the core of BSD Unix from which
OpenBSD, FreeBSD and NetBSD were forked. But they didn't need to buy BSDi
for licensing rights; this purchase was more about getting employees and
software tools.)
Apache
The license from the Apache Software Foundation is a bit long to paste
in; here's the link: www.apache.org/licenses/LICENSE-2.0.
The part you paste in to the source files is shorter:
Copyright [yyyy] [name of copyright owner]
Licensed under the Apache License, Version 2.0 (the "License"); you may
not use this file except in compliance with the License. You may obtain a
copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
License for the specific language governing permissions and limitations
under the License.
The first section of the actual license includes a definition of multiple
terms.
The second section includes an authorization under copyright. This
authorization allows the creation of derivative works; that is, you can
modify the software.
Section three includes a new feature: each contributor must waive any patent
rights, or, more specifically, grant a free license to any users of the
software. The idea here is that if you have a patent, and release or
modify software under the Apache license, you cannot sue other users for
patent infringement. Even if those other users make further modifications
to the software. Here is the clause:
3. Grant of Patent License.
Subject to the terms and conditions of this License, each Contributor
hereby grants to You a perpetual, worldwide, non-exclusive, no-charge,
royalty-free, irrevocable (except as stated in this section) patent
license to make, have made, use, offer to sell, sell, import, and
otherwise transfer the Work, where such license applies only to those
patent claims licensable by such Contributor that are necessarily
infringed by their Contribution(s) alone or by combination of their
Contribution(s) with the Work to which such Contribution(s) was submitted.
If You institute patent litigation against any entity (including a
cross-claim or counterclaim in a lawsuit) alleging that the Work or a
Contribution incorporated within the Work constitutes direct or
contributory patent infringement, then any patent licenses granted to You
under this License for that Work shall terminate as of the date such
litigation is filed.
The penalty for suing over patents, though (in the final sentence), is
that you lose any patent rights granted to you by other contributors. You
do not lose the right to use the software itself. And if a later
user adds a feature that causes the entire package to infringe on your
patents, you can sue.
In this post, hodlerlaw.com/2013/12/02/the-apache-license-version-2-0-and-the-anti-patent-treachery-clause,
J Hodler suggests that the Apache patent clause has symbolic significance
only. The real risks of patent litigation are from so-called
non-practicing entities -- companies that don't actually create anything,
and so don't use the Apache-licensed software in question, and large
companies (think IBM and Microsoft), who usually (though not always) also
avoid Apache-licensed software.
Section four spells out the requirements for redistributing the software.
This clause lets you redistribute for sale, but you must attach the
original license terms.
Section five says that any contributions by default have the same
license, but you are allowed to negotiate different
terms.
The MIT, BSD and Apache licenses (and also many others) are collectively
the permissive licenses. You many release a proprietary
modification. The GNU licenses prevent this.
The GNU General Public License
This is the one that says that if you make changes, and you distribute
them, then they too must be open source.
Richard Stallman wrote the first version of the GPL in 1989. This was
followed in 1991 by GP v2. To allow the use of GPL libraries in non-free
projects, it was accompanied by the "Library GPL", or LGPLv2. GPLv3 was
released in 2007.
The actual texts of the licenses are here:
Here is the important GPL2 clause, that defines the copyleft
feature [here and elsewhere, all bold emphasis is added]
2. You may modify your copy or copies of the Program or any portion
of it, thus forming a work based on
the Program, and copy and
distribute such modifications or
work under the terms of Section 1
above, provided that you also meet
all of these conditions:
a) You must cause
the modified files to carry prominent notices
stating that you
changed the files and the date of any change.
b) You
must cause any work that you distribute or publish, that in
whole or in
part contains or is derived from the Program or any
part thereof,
to be licensed as a whole at no charge to all third
parties under the terms of this License.
c) If the
modified program normally reads commands interactively
when run, you
must cause it, when started running for such
interactive use
in the most ordinary way, to print or display an
announcement
including an appropriate copyright notice and a
notice that there
is no warranty (or else, saying that you provide
a warranty) and
that users may redistribute the program under
these conditions,
and telling the user how to view a copy of this
License.
(Exception: if the Program itself is interactive but
does not normally
print such an announcement, your work based on
the Program is
not required to print an announcement.)
By way of explanation, the following clause also appears:
Thus, it is not the intent of this section to claim rights or contest
your rights to work written entirely by you; rather, the intent is to
exercise the right to control the distribution of derivative or
collective works based on the Program.
And this, which defines the legal nature of "copyleft":
5. You are not required to accept this License, since you have not
signed it. However, nothing else grants you permission to modify or
distribute the Program or its derivative works. These actions are
prohibited by law if you do not accept this License. Therefore, by
modifying or distributing the Program (or any work based on the
Program), you indicate your acceptance of this License to do so, and
all its terms and conditions for copying, distributing or modifying
the Program or works based on it.
As far as patents are concerned, GPLv2 states:
7. If, as a consequence of a court judgment or allegation of patent
infringement or for any other reason (not limited to patent issues),
conditions are imposed on you (whether by court order, agreement or
otherwise) that contradict the conditions of this License, they do not
excuse you from the conditions of this License. If you cannot
distribute so as to satisfy simultaneously your obligations under this
License and any other pertinent obligations, then as a consequence you
may not distribute the Program at all.
This clause means that, if for some external reason you cannot legally
distribute the source code (either due to patents or copyright or some
other reason), then you cannot distribute the binary either. Rms called
this the "liberty or death" clause.
How murky is the GPL?
Some people feel the GPL is quite clear, and in some ways it is. But
consider the following question:
Is a Linux kernel module covered by the GPL?
That is, if I write and distribute a Linux kernel module, which is sort
of a "plug-in" to the standard Linux kernel, perhaps a driver, do I have
to distribute the source?
[Kernel modules might be device drivers, but they also might add
functionality. They might implement a different TCP congestion-control
mechanism, or an alternative network transport layer like SCTP, or a disk
interface for a database, or an alternative file-system interface.]
According to the GPL, your module is covered by the GPL if it is a "derivative
work", which is a legal term in copyright law. But is
a kernel module a derivative work?
If your module is a driver, that basically means it implements functions
open(), close(), read(), and perhaps write() and ioctl(). That's a pretty
limited interface. Even if your driver is written specifically for Linux,
it is arguably a freestanding set of functions. Except that the driver
probably uses Linux locks and memory allocation, which means it (a) links
to the rest of the kernel, and (b) uses some Linux include files.
If you're writing an arbitrary module, you almost certainly include, say,
module.h, and likely others. And, again, you probably use kernel locks,
kernel time functions, kernel memory allocation, and other things. So
that's looking more like a derivative work.
But then there's NDISwrapper, a Linux wrapper to support the use of
Windows device drivers (particularly Wi-Fi drivers) on Linux. NDISwrapper
is completely open source, but the Windows drivers it allows linking to
are not open source. And clearly using them in Linux without the
developer's consent doesn't bring them under the GPL.
Finally, the Linux licensing page (kernel.org/doc/html/v4.16/process/license-rules.html)
spells out explicitly that user-space programs that use the Linux kernel
interface and Linux include files are not to be considered
derivative works:
The User-space API (UAPI) header files, which
describe the interface of user-space programs to the kernel are a special
case. According to the note in the kernel COPYING file, the syscall
interface is a clear boundary, which does not extend the GPL requirements
to any software which uses it to communicate with the kernel.
Legally, this is might not be considered automatic: user-space programs are
dependent on Linux, and often on special Linux features. But if this rule
is made explicit for user-space programs, and not for kernel modules,
might that imply that the latter are derivative works?
Linus Torvalds has long tacitly accepted proprietary, binary-only Linux
loadable modules.
For an email chain on this including Torvalds, see yarchive.net/comp/linux/gpl_modules.html.
LGPL
Then there is the Library GPLv2. In the preamble it states:
The reason we have a separate public license for some libraries is that
they blur the distinction we usually make between modifying or adding to a
program and simply using it. Linking a program with a library, without
changing the library, is in some sense simply using the library, and is
analogous to running a utility program or application program. However, in
a textual and legal sense, the linked executable is a combined work, a
derivative of the original library, and the ordinary General Public License
treats it as such.
Because of this blurred distinction, using the ordinary General
Public License for libraries did not effectively promote software
sharing, because most developers did not use the libraries. We
concluded that weaker conditions might promote sharing better.
Here is the LGPL's Section 2 (left), side-by-side with the GPLv2 Section
2 (right).
LGPL |
GPL |
2. You may modify your copy or copies of the Library or any portion
of it, thus forming a work based on the Library, and copy and
distribute such modifications or work under the terms of Section 1
above, provided that you also meet all of these conditions:
a) The modified work must itself be a software library.
b) You must cause the files modified to carry prominent notices
stating that you changed the files and the date of any change.
c) You must cause the whole of the work to be licensed at no
charge to all third parties under the terms of this License.
d) If a facility in the modified Library refers to a function or a
table of data to be supplied by an application program that uses
the facility, other than as an argument passed when the facility
is invoked, then you must make a good faith effort to ensure that,
in the event an application does not supply such function or
table, the facility still operates, and performs whatever part of
its purpose remains meaningful.
|
2. You may modify
your copy or copies of the Program or any portion
of it, thus forming a work
based on the Program, and copy and
distribute such modifications
or work under the terms of Section 1
above, provided that you also
meet all of these conditions:
a) You must
cause the modified files to carry prominent notices
stating
that you changed the files and the date of any change.
b) You
must cause any work that you distribute or publish, that in
whole or
in part contains or is derived from the Program or any
part
thereof, to be licensed as a whole at no charge to all third
parties under the terms of this License.
c) If the
modified program normally reads commands interactively
when run,
you must cause it, when started running for such
interactive
use in the most ordinary way, to print or display an
announcement including an appropriate copyright notice and a
notice that
there is no warranty (or else, saying that you provide
a warranty)
and that users may redistribute the program under
these
conditions, and telling the user how to view a copy of this
License. (Exception: if the Program itself is interactive
but
does not
normally print such an announcement, your work based on
the Program
is not required to print an announcement.)
|
Clause (d) appears to be an
effort to ensure that the LGPL can only in fact be used for libraries.
More specific library-related clauses are the following:
5. A program that contains no derivative of any portion of the
Library, but is designed to work with the Library by being compiled or
linked with it, is called a "work that uses the Library". Such a
work, in isolation, is not a derivative work of the Library, and
therefore falls outside the scope of this License.
However, linking a "work that uses the Library" with the Library
creates an executable that is a derivative of the Library (because it
contains portions of the Library), rather than a "work that uses the
library". The executable is therefore covered by this License.
Section 6 states terms for distribution of such executables.
...
6. As an exception to the Sections above, you may also compile or
link a "work that uses the Library" with the Library to produce a
work containing portions of the Library, and distribute that work
under terms of your choice, provided that the terms permit
modification of the work for the customer's own use and reverse
engineering for debugging such modifications.
GPLv3
In version 3 of the GPL, the language is, overall, more readable. The
following clause is new:
No covered work shall be deemed part of an
effective technological measure under any applicable law fulfilling
obligations under article 11 of the WIPO copyright treaty adopted on 20
December 1996, or similar laws prohibiting or restricting circumvention of
such measures.
In other words, you cannot use GPL-covered software as a basis for DRM.
Section 5 contains the copyleft feature:
- a) The work must carry prominent notices stating that you modified it,
and giving a relevant date.
- b) The work must carry prominent notices stating that it is released
under this License and any conditions added under section 7. This
requirement modifies the requirement in section 4 to “keep intact all
notices”.
- c) You must license the entire work, as a whole, under this
License to anyone who comes into possession of a copy. This License
will therefore apply, along with any applicable section 7 additional
terms, to the whole of the work, and all its parts, regardless of how
they are packaged. This License gives no permission to
license the work in any other way, but it does not invalidate such
permission if you have separately received it.
- d) If the work has interactive user interfaces, each must display
Appropriate Legal Notices; however, if the Program has interactive
interfaces that do not display Appropriate Legal Notices, your work need
not make them do so.
Section 6 addresses distribution of binary code:
You may convey a covered work in object code
form under the terms of sections 4 and 5, provided that you also convey
the machine-readable Corresponding Source under the terms of this License,
in one of these ways:
Section 6 also addresses another issue, which Stallman calls "Tivoization".
TiVo built their DVR device with GNU/linux, and you can get their source
code modifications, but their hardware does not allow you to
install software with any further modifications made by you or others. The
license includes a definition of "User Product" that excludes, say,
medical systems.
“Installation Information”
for a User Product means any methods, procedures, authorization keys, or
other information required to install and execute modified versions of a
covered work in that User Product from a modified version of its
Corresponding Source. The information must suffice to ensure that the
continued functioning of the modified object code is in no case prevented
or interfered with solely because modification has been made.
If you convey an object code work
under this section in, or with, or specifically for use in, a User
Product, and the conveying occurs as part of a transaction in
which the right of possession and use of the User Product is transferred
to the recipient in perpetuity or for a fixed term (regardless of how the
transaction is characterized), the Corresponding Source conveyed
under this section must be accompanied by the Installation Information....
The requirement to provide Installation
Information does not include a requirement to continue
to provide support service, warranty, or updates for a work that has been
modified or installed by the recipient, or for the User Product in which
it has been modified or installed.
The apparent reason TiVo included this hardware lockdown was to
prevent users from grabbing and saving the recorded content in raw digital
form.
Section 11 addresses patent claims by contributors:
Each contributor grants you a non-exclusive,
worldwide, royalty-free patent license under the contributor's essential
patent claims, to make, use, sell, offer for sale, import and otherwise
run, modify and propagate the contents of its contributor version.
Also this, in order to address the apparent licensing by Microsoft of
some of its patents to Novell only:
You [Novell -- pld] may not convey a covered
work if you are a party to an arrangement with a third party [MS -- pld]
that is in the business of distributing software, under which you make
payment to the third party based on the extent of your activity of
conveying the work, and under which the third party grants, to any of the
parties who would receive the covered work from you, a discriminatory
patent license....
GPL Enforceability
In 2005, Fortinet apparently used GPL-licensed code in ways that violated
the license. Ultimately they had to release source code for their FortiOS
system.
In 2006 a German court upheld the validity of the GPL in a lawsuit
against D-Link.
In 2007, developers of the GPL BusyBox package sued Monsoon, which
incorporated BusyBox but refused to release their modified source code.
Monsoon eventually settled, opening their source and paying unspecified
damages.
In 2013 a Hamburg court found that Fantec GmbH had violated the GPL in
the distribution of a game module that made use of netfilter.
In 2016 a German court dismissed kernel dev Christoph Hellwig's lawsuit
against VMware for GPL violation. Ultimately the court dismissed the case,
on the grounds that Hellwig could not identify the specific code sections
written by Hellwig that VMware had used.
In April 2017, California federal judge Jacqueline Corley ruled, in the
case Artifex v Hancom, that the GPL was binding even though Hancom never
signed anything. Artifex offered its Ghostscript pdf-rendering software on
both GPL and commercial licensing terms. Hancom used the GPL version,
modified it, violated the GPL, and tried to claim the GPL was non-binding.
In 2021, Stockfish, the open-source developers of a popular chess engine,
sued Chessbase for GPL violations. Stockfish also terminated the GPL
license (perhaps only as applied to Chessbase?). In November 2022, the
parties settled, with Chessbase agreeing to open their code; see www.chess.com/news/view/chessbase-stockfish-reach-settlement.
But this isn't the complete story: chess engines are driven by large
neural networks that have been trained on chess games. Suppose someone
trains a newer neural network and bases their new chess-player device on
that, using some GPL-licensed code. Is the trained neural network covered
by the GPL? Or is this just data, not code? See fossa.com/blog/stockfish-vs-chessbase-gpl-v3,
question 1, for more discussion.
In France, the situation may be different. See thehftguy.com/2021/08/30/french-appeal-court-affirms-decision-that-copyright-claims-on-gpl-are-invalid-must-be-enforced-via-contractual-dispute.
French courts have traditionally regarded the GPL as a contract,
that must be agreed to by both parties. It is possible that the plaintiff
in the case in question, Entr'Ouvert, chose to pursue the idea that the
defendant could be accused of counterfeit goods, rather than
copyright infringement per se. And they lost on a technicality, and
thereby lost the right to pursue other legal strategies. Or, possibly,
they lost because France has less strict rules about copyright.
See also copyleft.org/guide/comprehensive-gpl-guidepa3.html.
As one final observation, see Open
Source Software: An Open Door to Intellectual Property Liability. It
concludes with
In the end, it may be less expensive to pay
more for commercial software, if only to purchase the benefit of the
indemnification that typically runs with the license.
But open-source licensing is not that hard to deal with. The intent is
usually very clear.
Karl Fogel, in Producing Open-Source
Software, lists the following as one common management myth:
If we open source this project, then we'll
have to release all our other stuff as open source too.
The roots of this myth come from misunderstandings of the GPL.
A weaker form of this myth, that is in fact a plausible if unlikely fear,
is that if code covered by the GPL sneaks into a project, then the project
becomes open source whether you wanted it to or not. But this has nothing
to do with choosing whether to be open source. So there's
nothing you can do about it, except to make it clear to your devs that all
code they submit to you they must have written themselves.
Google has strict rules about allowing AGPL (below) software into their
system.See opensource.google/docs/using/agpl-policy:
WARNING: Code licensed
under the GNU Affero General Public License (AGPL)
MUST NOT be used at Google.
Google does not have an absolute ban on just-plain-GPL, but they still
don't like it. See opensource.google/docs/thirdparty/licenses/#restricted:
Third-party software made available under one
of these licenses must not be part of Google products that are delivered
to outside customers. Such prohibited distribution methods include
‘client’ (downloadable Google client software) and ‘embedded’ (such as
software used inside the Google Search Appliance).
Finally, here is a blog post from Terminus DB: terminusdb.com/blog/2020/12/08/we-love-gplv3-but-are-switching-license-to-apache-2-0-terminusdb.
Basically, this is a thoughtful discussion of the issues with GPL, leading
them to switch to Apache. The GPL issues were, in brief:
- Cloud providers "steal" open-source packages (but if it happened to
them, they would view it as a success)
- Lots of databases have moved away from GPL
- GPL is toxic at some companies
The Affero GPL
Way back in the last century, the so-called Application Service Provider
(ASP) loophole was known in theory: an ASP could take GPL-covered
software, modify it, and allow paying customers to use the modified
version on the ASP's own hardware. This would not trigger the
source-code-distribution requirement. Today, we would say an ASP is a
software-as-a-service (SaaS) provider or some other cloud provider.
In 2000, Henry Poole worked with rms to develop a response. Poole started
Affero as a web0services company in the following year; he wanted a
GPL-like license that would require other ASPs modifying his code to
distribute the source as well. The Affero GPL v1 (AGPLv1) was published in
2002. Along with the GPLv2 and GPLv3 were also issued corresponding
licenses AGPLv2 and AGPLv3.
Here is the key clause (13) from the AGPLv3:
Notwithstanding any other provision of this
License, if you modify the Program, your modified version must
prominently offer all users interacting with it remotely through a
computer network (if your version supports such interaction) an
opportunity to receive the Corresponding Source of your version
by providing access to the Corresponding Source from a network server at
no charge, through some standard or customary means of facilitating
copying of software. This Corresponding Source shall include the
Corresponding Source for any work covered by version 3 of the GNU General
Public License that is incorporated pursuant to the following paragraph.
One ambiguity of the AGPL is just who is a "user". A company licensing
your platform? Or an arbitrary customer or user of that company?
There is certainly a theory that the cloud in general, and AWS in
particular, has rendered the traditional GPL toothless. AWS is free to
take a GPL package, such as MySQL or an older version of MongoDB, make
whatever proprietary changes it wants, and then make it available within
licensed cloud nodes, but not "distribute" the new version as a
standalone project. Since it's not distributed, the GPL appears not
to apply.
As an example of this, from stratechery.com/2019/aws-mongodb-and-the-economic-realities-of-open-source,
consider the following story. In 2019, AWS
announced on their blog
Today we are launching Amazon DocumentDB
(with MongoDB compatibility), a fast, scalable, and highly available
document database that is designed to be compatible with your existing
MongoDB applications and tools. Amazon DocumentDB
uses a purpose-built SSD-based storage layer, with 6x replication across 3
separate Availability Zones. The storage layer is distributed,
fault-tolerant, and self-healing, giving you the the performance,
scalability, and availability needed to run production-scale MongoDB
workloads.
But in 2017 MongoDB had switched to the AGPL license. So
DocumentDB is a rebuilt clone, perhaps based on an older GPL-licensed
version of MongoDB. As a result, DocumentDB is only a clone of Mongo 3.6.
Did MongoDB dodge a bullet by switching to the AGPL? Or will it ultimately
not matter?
Here's Remy van Elst's story of, well, "I
enforced the AGPL on my code, here's how it went." A site copied his
AGPL-licensed website. From a legal perspective, Elst's story has a
successful ending: after his second email, "[f]our days later, they
responded, stating that they had discussed internally and decided to take
the site offline." But they never did provide their modified source code.
The Server-Side Public License
This was introduced by the MongoDB team in 2018. It is, in essence, the
GPLv3 plus the following clause:
If you make the functionality of the Program
or a modified version available to third parties as a service, you must
make the Service Source Code available via network download to everyone at
no charge, under the terms of this License.
The full license is at mongodb.com/licensing/server-side-public-license.
The situation was complicated by the fact that MongoDB can also be
commercially licensed. So the more common reality for MongoDB modifiers is
that they would be forced either to release their code or buy a commercial
license. Releasing the code makes sense for companies that are modifying
the MongoDB code, but some developers felt that the clause above applied even
if you made a MongoDB-based app available to users. As a result,
the SSPL has seen hard times, and MongoDB has backpedaled a bit.
The Commons Clause
This adds the following (from commonsclause.com):
Without limiting other conditions in the
License, the grant of rights under the License will not
include, and the License does not grant to you, the
right to Sell the Software.
For purposes of the foregoing, “Sell” means
practicing any or all of the rights granted to you under the License to
provide to third parties, for a fee or other consideration (including
without limitation fees for hosting or consulting/ support services
related to the Software), a product or service whose value derives,
entirely or substantially, from the functionality of the Software. Any
license notice or attribution required by the License must also include
this Commons Clause License Condition notice.
This is a very different approach to the same problem (the ASP-loophole
problem): if you offer the software as a service, you cannot charge money
for it. The Commons Clause, however, can be added to essentially any other
license (eg the "permissive" licenses MIT, BSD and Apache),
unlike the AGPL or the SSPL. If you want to sell the software, you can
license that separately. If you want to sell the use of your software on a
cloud platform, and don't want to get a commercial license, your other
option is to relicense the software on open terms, and allow your
customers to install it as an open-source product (or select it from a
list of pre-installed options). Since your modified software is still
free, you are not selling it.
Redis Labs was an early adopter of the Commons Clause. But, due to
significant misunderstandings, they backed off, and replaced the Commons
Clause with the Redis Source Available License. The core Redis is licensed
with BSD, but add-on modules from Redis are license with RSAL. See redislabs.com/community/licenses.
The basic RSAL feature is this:
Software protected by RSAL is designed to be
used as part of an application. We want to help and encourage people to
develop their own applications, but RSAL differentiates between a
“database product” and all other applications. RSAL defines a database
product as any of the following products or services: (a) databases, (b)
caching engines, (c) stream processing engines, (d) search engines, (e)
indexing engines or (f) ML/DL/AI serving engines.
If your application built with
RSAL-protected software is NOT a database product, RSAL defines it as
“your application,” and you can:
- Freely distribute the RSAL-protected software, as long as you
include the following notice on any copy you distribute: “This
software is subject to the terms of the Redis Source Available License
Agreement.”
- Freely modify the RSAL-protected software, as long as your
modification is covered by the RSAL license.
- Freely use the RSAL-protected software, as long as it is not part of
a “database product” offered by a third party other than yourself or
Redis Labs.
But if your application is a "database product", the RSAL
license is not sufficient, and, basically, you have to pay Redis for a
commercial license.
For a contrarian view, see drewdevault.com/2018/08/22/Commons-clause-will-destroy-open-source.html.
Dual Licensing
MySQL has a dual license option: you can accept the GPL, or you can get a
proprietary license from Oracle. You have to pay for the latter, but then
you don't have to share your code additions with others.
It turns out this strategy goes back to the original owners, MySQL AB;
see business.html#mysql. The original
MySQL business model was to give the product to everyone, to
build market share and mind share, and then to sell the product
(or an upgraded version of the product) to those who needed
production-level reliability. Oracle has expanded on that, but not
disproportionately.
One issue with dual licensing is that source-code contributors must sign
contributor license agreements, or CLAs, that give the
receiver the right to offer proprietary licenses. Usually (though not
always) these CLAs do not require contributors to waive all
rights; they only require that the contributor allow the project managers
to sell proprietary licenses. The added code still becomes open source.
In January 2010, Richard Stallman wrote a blog
post in which he comes to the conclusion that dual-licensing is not
necessarily wrong, though the FSF does not license their software that
way. Selling exceptions often seems like a reasonable way for companies to
buy into an option to sell proprietary extensions.
However, in a January
2020 blog post by open-source activist Bradley
Kuhn, Kuhn argues that dual licensing increasingly has a dark side.
Commercial users of the FOSS license often feel under considerable
pressure to purchase the proprietary license. Sometimes this is due to
longstanding business-world anxiety about open source, and sometimes there
are allegations of saber-rattling (what Kuhn calls "captious [finding
petty faults] interpretations of the copyleft license") on the part of the
project owner.
Kuhn is most suspicious of the Affero GPL as used to license MongoDB. The
AGPL is less well understood, and there is much less legal
precedent for interpreting it than for the primary GPL. And MongoDB may
have suggested to some corporate users that they were violating the
license terms. But he goes on to say
In theory, proprietary relicensors would only
offer the proprietary license by popular demand to those who had some
specific reason for wanting to proprietarize the codebase — a process that
has been called “selling exceptions”. In practice, however, every company
I'm aware of that sought to engage in “selling exceptions” eventually
found a more aggressive and lucrative tack.
Kuhn is in favor of adding a copyleft license clause that basically says
"if you offer a proprietary license, then the copyleft license switches to
a BSD/MIT license", meaning the project owner loses control.
The GNU
license FAQ says, of dual-licensing, that "to release a nonfree
program is always ethically tainted", but that, legally, dual licensing
does not violate the GPL.
On the other hand, here's a blog
post by George Hosu, who writes "the 'ethically tainted' doesn't
resonate with me. I think this licensing model should be encouraged."
Ultimately, the rationale is that this gives Open Source another revenue
model. Even better, this time it's actually realistic.
Ethical Licenses
And then there are the weird licenses. As Bruce
Perens (co-founder of the Open Source Initiative, which blesses
open-source licenses) writes
in October 2019, once upon a time software freedom meant freedom for
everyone, including those with very different perspectives. In
that era, banning, say, authoritarian governments from using open source
was considered a bad idea.
That was then. Today, here are three licenses cited by Perens with social
strings attached:
- The JSON license, which
requires that "The Software shall be used for Good, not Evil."
- The anti-996 license, which requires commitment to reasonable working
hours
- The vaccine license, which requires users to get vaccinated.
- The Hippocratic license, which prohibits discrimination against
minorities.
The Vaccine License is
strange. Here is the central requirement:
The Vaccine License is a software license
that requires that users vaccinate their children, and themselves, and
that user businesses make a similar requirement of their employees, to the
greatest extent legally possible. The required vaccinations are those
recommended by the user’s national administration, for example the United
States Center for Disease Control. There is an exception for those
who, for medical reasons, should not receive a vaccine.
Keep in mind that this predates Covid-19! The US CDC vaccination
recommendations for those aged 19-26 were, in those days:
- seasonal influenza
- Td/Tdap (tetanus/diptheria/pertussis)
- HPV
One issue Perens addresses is what happens if, say, the US government
uses the software. You can't sue the US government to enforce the terms of
the license; all you can sue for is pecuniary damages. Figuring out the
dollar value of using open-source software without having agreed to the
license terms is tricky.
Then came the Cryptographic
Autonomy License. In late 2019 Perens quit the OSI over that one.
Section 4.2 is entitled "Maintain User Autonomy", and basically says you
may not withhold users from their data, eg by encrypting it. See
also lwn.net/Articles/797065.
Another ethical license is the Katharos license: https://github.com/katharostech/katharos-license
Katharos is the Greek word for "pure" and,
correspondingly, the purpose of the Katharos license is to prevent the
licensed work from being used to promote destructive activities or to
produce other impure or destructive works. ...
The definition of what is "good" can be
considered highly subjective.... The source of "truth" for the Katharos
License, and where the definition of what is "good" and "pure", come from
the Word of God, The Holy Bible.
Here's a draft of the actual license: github.com/katharostech/katharos-license/blob/master/LICENSE_v0.2.0_draft.md.
There is a serious issue here with enforceability: US courts generally
refuse to interpret the Bible.
One more license
I ran into this in an actual project. Here's the website for the license
itself, though: www.wtfpl.net.
Does it matter that there is no disclaimer-of-liability clause?