  2. 25

    I would love to see some examples where a company changed the license of their codebase to comply with a dependency. I have never seen this happen in my entire career, even though they are obligated to. I have seen countless examples of people rewriting code to get rid of a dependency with an incompatible license, I have even done it myself.

    I understand and respect the pure ideology of strong copyleft licenses (that in a perfect world, everything would be open source), but I don’t believe that it actually yields more open source in the world. In practice, people simply avoid it and it yields more duplicated work that ends up either proprietary (more common worst case) or more permissive (best case).

    It is difficult to prove, but I feel that the “leading by example” ideology of permissive licenses is responsible for far more code being made open source in practice (though I acknowledge this is not everyone’s goal).

    1. 16

      I think OpenWRT exists because Linksys had to do this.

      I was just looking into this question myself today and have this history of OpenWRT on my reading list if that helps.

      1. 5

        Linksys did that, and then stopped maintaining the code, and switched to another OS for most of its hardware. Was that VMX, perhaps? I don’t remember. Some commercial OS. They stated that the reason was that Linux needed too much RAM, which I find difficult to believe. Slimming down a Linux kernel is IMO likely to be simpler than porting a code base to a new OS, so I tend to believe that Linksys’ stated reason was a polite lie. They did release a single model that ran Linux, and I bought that model.

        1. 4

          I believe it was VxWorks

          1. 1

            All the vendors do a fantastically bad job.

            https://www.youtube.com/watch?v=PLXmPgN6wVs

            1. 1

              When you say that everyone in a specific field does a fantastically bad job, you should also consider the possibility that your assessment might be off, and why that might be the case.

          2. 2

            Queued that up as well! I also had a WRT54G(L) for a very long time, excellent device.

          3. 12

            I have seen countless examples of people rewriting code to get rid of a dependency with an incompatible license

            This is a very good case, IMO, and is my primary motivator for using (A)GPL on most of my newer work. I would much rather force the big bads to rewrite my code than simply profit off my work, and we have some evidence that they will do that to avoid (A)GPL sometimes.

            I would love to see some examples where a company changed the license of their codebase to comply with a dependency.

            I think to be fair on this one you have to also include all the code that started or stayed freedomware because of the requirement. This would include the example from the OP of the same downstream hosting the other project in compliance.

            1. 13

              I would much rather force the big bads to rewrite my code than simply profit off my work, …

              I don’t know who you imagine is “the big bads”, but in reality it’s a lot of people like me who release all their projects under permissive licenses like MIT.

              1. 11

                You can use an (A)GPL’d dependency on an MIT’d project, just the resulting “combined work” is effectively (A)GPL’d. Some projects even have build flags to choose to build in “GPL mode” or not depending on which dependencies you use. It’s all about goals.

                If you want your software to be used to build nonfree products so badly that you reimplement something under the GPL to use as a dependency for your otherwise MIT’d project… I mean, more power to you, right? It’s your choice.

                We have examples of Apple, Google, VMWare, Linksys, and others doing rewrites to avoid using GPL’d code, and I would say that is the point, for me.

                1. 15

                  I wrote before:

                  It is difficult to prove, but I feel that the “leading by example” ideology of permissive licenses is responsible for far more code being made open source in practice (though I acknowledge this is not everyone’s goal).

                  My goal is to provide as much value to the society as possible through each unit of my effort. I want people to use my code, I want people to profit from my code even if I get nothing for it, I want people to build things they otherwise wouldn’t have built because my code enables it. I am going to make the effort to make my code as accessible and permissive as possible, this often means avoiding (A)GPL dependencies and often duplicating effort in the process.

                  I recognize that your goal is not the same, and that’s fine. I just hope that you also recognize the reality that Apple/Google/VMWare/Linksys etc don’t care at all, they’ll simply not even look at AGPL code and move on. If they find AGPL code in their stack by accident, they will purge it. If they’re caught in a situation where they are in legal trouble, they will do the absolute minimum to comply with that version and purge it moving forward.

                  Overall, my bet is that choosing strong copyleft licenses has more of a net-negative effect on people who share my goal than any measurable effect on “the big bads”.

                  1. 9

                    Apple/Google/VMWare/Linksys etc don’t care at all, they’ll simply not even look at AGPL code and move on

                    again, I consider that a win for me

                    1. 6

                      It sounds as if your primary aim is to prevent some people from using your code, without blocking access for too many other people. As opposed to the BSD/MIT/Apache licenses, whose primary aim is to make software available for all to use, without any attempt at dividing the world into us and them.

                      1. 5

                        Close. The goal is to prevent some uses which in this world tends to leave out some users.

                        1. 1

                          The goal is to prevent some uses

                          It is obligatory at this point to remind everyone that the AGPL should not be considered a Free Software license, as it does not grant Freedom 0. In fact, its entire purpose is to withhold Freedom 0 from recipients of the software in order to try to gain leverage over them.

                          1. 8

                            The AGPL only triggers if you modify the software (since otherwise no copyright is in play and no license would be relevant). So if you just run unmodified software (freedom 0) the AGPL does not apply or restrict you.

                            1. 5

                              It is obligatory to point out that the people who defined Freedom Zero, and in doing so defined Free Software, also explicitly state that the AGPL is absolutely a Free Software license.

                              Your point is mooted.

                              1. 3

                                The FSF’s stance on freedom is that you shouldn’t be allowed to have too much of it, lest you use it to do things the FSF disapproves of.

                                The AGPL was simply a reaction to the discovery that there were more things of which the FSF disapproved and which had not been foreclosed by prior licenses, so a new license was concocted to ensure that dangerous freedom wouldn’t get around too much.

                                1. 3

                                  The logical gymnastics of both using the FSF’s definition of Free Software while rejecting their definition of Free Software is awesome to behold, and honestly would put Simone Biles to shame.

                                  1. 2

                                    I would flip that around and suggest that the rhetorical gymnastics the FSF uses to try to trick people into thinking their positions are coherent are something to see.

                                    Essentially, they want to bludgeon everyone else with an absolutist position, while never being held to that same absolutism in their own actions. Or, more succinctly, they want to be able to compromise “freedom” when they think doing so will achieve a higher/larger goal. But woe to anyone else who tries doing that – then they’ll tell you that compromising freedom is never acceptable, no matter how good or great the thing you’d achieve by doing it!

                                    Their adoption of the AGPL, which does not conform to their own original definition of Free Software and on those grounds never should have been accepted as a Free Software license, is just one especially obvious proof of that.

                      2. 6

                        My goal is to provide as much value to the society as possible through each unit of my effort.

                        I want freedom for users to educate themselves and contribute as opposed to becoming mindless consumers.

                        That’s why I believe AGPL is a good license for applications.

                        I also believe that for libraries and frameworks MIT, APL or MPL work better to achieve that goal.

                        Having more educated people - in my opinion - is better than having more usable code in the long-term.

                        1. 3

                          Overall, my bet is that choosing strong copyleft licenses has more of a net-negative effect on people who share my goal than any measurable effect on “the big bads”.

                          As someone who also prefers to release under permissive licenses: this, a million times. Big companies will always have a way to work around copylefted software, so it literally is not cutting them off from being able to do things the FSF disapproves of. Like, it’s not causing them to angrily shake their fists and yell “I would have gotten away with it, if not for you meddling Free Software kids!” It’s just causing them to use alternatives that aren’t under the FSF’s licensing regime.

                          Meanwhile, as the FSF gets ever more paranoid about ever more arcane “loopholes” in its licenses, the worries of small-time open-source developers go up as we juggle increasingly large transitive dependency trees that might have anything lurking in them. Not to mention whatever “loophole closure” the FSF might roll out next with brand-new extensions of what is or isn’t a derivative work.

                  2. 9

                    I think the NcFtp client famously changed its licence to the GPL so it could use Readline… then in 1999 or so it switched licences again. The copyright.h file included in ncftp 1.9.5 says:

                    static char copyright[] = "@(#) Copyright (c) 1992, 1993, 1994, 1995 by NCEMRSoft and Copyright (c) 1985, 1989 Regents of the University of California.\n All rights reserved.\n";
                    

                    …but the comment at the top of that file says “All rights reserved” and:

                    Redistribution and use in source and binary forms are permitted provided that: (1) source distributions retain this entire copyright notice and comment, and (2) distributions may not be sold for profit on physical media such as disks, tapes, and CD-ROMS, without expressed written permission.

                    …which is granting some rights so clearly they’re not all reserved.

                    Meanwhile, Wikipedia cites a Common Lisp implementation named “CLISP” as having switched to the GPL but I’m not sure what licence it switched from.

                    As perhaps a more famous example, the Objective C system that Mac OS X used at least during the PPC era was GPL’d because back in the day NeXT wanted to use GCC as their compiler, and the FSF said they couldn’t use GCC and keep the Objective C bits proprietary. Of course, as soon as Mac OS X got serious momentum behind it, Apple poured resources into LLVM and Clang…

                    1. 4

                      That is a fascinating journey, thank you for sharing!!

                      Wonder if there’s anything more recent? Mid-90s certainly predates my career. I feel I am more in tune with modern open source culture, also I remember reading somewhere that more permissive licenses like MIT really took off in the era of Github.

                    2. 8

                      At a previous employer we wanted to use an AGPL-licensed library as part of our SaaS offering. We wrote the extensions that directly linked to it into its own microservice and licensed that as AGPL and put it on GitHub. Rest of the SaaS product stayed proprietary since calling the AGPL parts over HTTP does not trigger the AGPL. Well, the legalities on that are very unclear, since “intimate enough” on the GPL FAQ. Not sure if we did the right thing legally, and morally I’m even less sure.

                      Last I heard the library in question was relicensed as BSD, so the issue is moot and nobody is using the old one anymore.

                      1. 8

                        I promise you that Apple did not want to LGPL webkit, but they did really want to use KHTML in it. Google may or may not have open-sourced Blink if webkit hadn’t been copyleft, but they almost certainly wouldn’t have used a copyleft license.

                        1. 7

                          The place I work at builds tools that help other companies stay compliant with open source licenses. A lot of our bigger and most risk-averse customers (e.g. hardware manufacturers) actually take the stance that once GPL is brought into their first-party code, that code is “tainted” (i.e. you can’t make it compliant again just by removing the GPL dependency, because the commits where the GPL dependency was integrated are forever tainted by GPL and are forever in the commit history of any subsequent commits). Their default action is actually to publish “tainted” parts of their code base as open source to stay compliant - they feel that they’d rather publish some maybe-not-super-important parts of their IP rather than risk the trouble of a lawsuit.

                          1. 4

                            Place I used to work had a codebase under GPLv2 (containing lots and lots of GPLv2 source by other people), decided it would be convenient if their stuff was AGPL instead, got told “no that’s impermissible” (I can’t remember if they actually tried it or they got told no before actually trying it) and went with GPLv2 instead of making a huge mess out of it. Dunno if that’s close enough to count.

                            Replacing all the GPLv2 code in there would’ve cost about the company’s yearly turnover times two, prolly, so doing anything other than just complying with the license as written was a non starter.

                            1. 2

                              I know of several cases where the licensing was changed from foo to “either foo or gpl, your choice”, but I don’t think that’s what you really had in mind, right? You had in mind a change that grants users substantial additional rights?

                              So I agree with your intuition that the permissive licenses have achieved more, even if not quite the same.

                              1. 3

                                Right, what I had in mind is more going from “we have a proprietary/commercial license/closed source codebase” to “we open sourced it under AGPL/GPL to comply with the requirements of a dependency we just added or had all along and didn’t realize.”

                                1. 3

                                  Yes, and I think that if that were a significant effect, then I would have noticed it by now.

                                  FWIW I worked at Trolltech until 2001; the team members’ reactions to the mail we got from GNU fans from 1994 until I left weren’t in the least favourable. At the time I thought I was special, we were special, but maybe we weren’t. Maybe most people who are, uhm, educated by GNU fans react negatively to the experience.

                                  1. 1

                                    Curious to hear more, what kind of mail did you get? Do you mean regarding most of the stack being GPL licensed?

                                    1. 1

                                      What stack being GPL? Libc and libX11 weren’t, etc.

                                      GNU fans sent us a lot of mail that might be described, somewhat uncharitably, as walls of text written by people who had much spare time and little salesmanship talent. For someone who has code to write and customers to help, dealing with yet another clueless wall of text is unappealing or worse.

                              2. 1

                                I would love to see some examples where a company changed the license of their codebase to comply with a dependency.

                                I think this is a weird standard. Alternatively: examples where existing reciprocally licensed codebases were built upon instead of started from scratch?

                                • GCC and its myriad of backends including …
                                  • Objective-C
                                • Linux
                                • Webkit / Blink
                                • MySQL
                                • Heaps of emulators
                                • Git
                                • ffmpeg
                                • Blender
                                • VLC

                                I feel like this is a target rich environment. What domains do you care about?

                                (* why is it always a company?)

                                1. 1

                                  Consider it a focus group.

                                  The viral clause affects two groups: People who want the viral clause to bind others, and people who are bound by the clause and wouldn’t have chosen the GPL otherwise. If you want to know about the viral clause of the GPL, then it makes sense to look at the reactions of a focus group inside each group. GP’s question is a nice way to find some in the latter group.

                                  1. 1

                                    The viral clause

                                    The use of “viral” makes me worry this isn’t a good faith response…

                                    The viral clause affects two groups: People who want the viral clause to bind others, and people who are bound by the clause and wouldn’t have chosen the GPL otherwise.

                                    GPL code has no agency. That latter group chose to use GPL code. I see no complaints of “we pirated Oracle and now we have to pay a licensing fee” or “we pirated Oracle to get traction, and now we’re forced to rewrite.”

                                    And I think there are more than two groups. e.g. people who specifically choose to work on the GPL projects.

                                    1. 1

                                      “Viral” was common parlance when I learned about the GPL, in the early nineties. I agree that it has acquired more negative connotations since then.

                                      More unaffected groups don’t matter. Unless you want to argue that the pool of people who’ll work on, say, GPL’d code but not APL’d code or closed-source code is so large that it will affect companies’ strategy for their implementation work?

                                      1. 1

                                        I think most license selection is driven more by the authors and less by their lawyers, yes.

                                        P.S. https://en.wikipedia.org/wiki/Viral_license#History

                              3. 21

                                I was worried that it’d be some horror story about malicious non-compliance, retaliation, or legal problems, but company just taking down the offending service isn’t that terrible.

                                1. 13

                                  If you drive without a driver’s license you can’t tell the officer, “I was inspired by this other car”, or say “hey man I’m doing this three years already, but now you’ve caught me, I’ll throw away this car”. You’ll be fined anyhow.

                                  1. 13

                                    In terms of what actions they could take now, I guess you’d have preferred them opening up the source but closing down the service is still ceasing to abuse your copyright, so it doesn’t seem like a bad outcome at all.

                                    If you want reparations for the last three years, well, that’s a tangential issue, and you’d probably need to go through courts for that no matter what their actions today.

                                    1. 2

                                      If you want reparations for the last three years, well, that’s a tangential issue, and you’d probably need to go through courts for that no matter what their actions today.

                                      That’s a rather interesting issue. Normally you’d file charges for damages or lost profit, but that’s not really the case here, so I don’t really see what a court could do, really. There have been GPL cases against companies, but that’s where they were still infringing, and shipping products with the software. You can’t just stop infringing by no longer using the software with hardware still out there, where consumers continue to be disadvantaged by not having access to the source code.

                                      With a web service, they can just take it down and there isn’t really anyone who continues to be disadvantaged in any way.

                                      1. 3

                                        In certain jurisdictions, having a registered copyright might allow for statutory damages on the past infringement. Otherwise, with an actor this small, I agree there’s unlikely to be other recourse. IANAL

                                    2. 11

                                      Only because you are caught by an agent of the law. If you are caught by your non-officer parents, you won’t be fined.

                                      1. 2

                                        Driving without a driving license is a much greater offence though. And it’s not like police will fine every single last violation; giving warnings is not uncommon.

                                        I wouldn’t be surprised if this is a fairly small company run by just a few people without a legal department or review procedures. What probably happened is that someone set this up in a day as a side project and didn’t vet the license properly. Not great, but … it happens.

                                        Some people are so quick to assume malicious intent in all sorts of things, but I find this usually isn’t the case.

                                      2. 9

                                        If we consider this acceptable, then that essentially translates to “violating open-source licenses is fine so long as you don’t get caught”.

                                        So no, I don’t think this is fine at all. Considering it acceptable sets a terrible precedent.

                                        1. 7

                                          Yes, exactly. Site takedown is your best case scenario from a court injunction, and you got it without hiring a lawyer. Looks like a win.

                                          1. 5

                                            I would consider the best scenario in an AGPL case a release of the source code with modifications, and attribution. The entire point of using the AGPL is so that people can benefit from improvements made to the code. Taking down the website is the next best alternative, but in that case there are only losers:

                                            • The customers who were using the service
                                            • Others who would like to host or study the software with those improvements (including the original author)
                                            • Possibly the author not reaching fame due to missing attribution
                                            • Even the company who is no longer able to host the service because they’re not willing to comply, and the hassle they admittedly got themselves into.

                                            1. 2

                                              I absolutely agree, but source release is not something a court can order, it can only be got as a settlement to allow the violator to continue distributing. If they don’t need/want to keep distributing then there is no way to get that so takedown is, under those circumstances, the best case.

                                              1. 3

                                                source release is not something a court can order

                                                Why is that not possible?

                                                1. 4

                                                  Because of the legal mechanism at play here, namely, a copyright license. Copyright provides the author with certain rights and “right to require source release” is not one of them. The license allows parties to make use of some of the author’s rights in exchange for certain conditions (source release, in this case, among others) but if those conditions are not met it simply means the violator does not have the legal right to make use of the author’s rights. So a court can enforce that and require they cease using the author’s rights (such as by takedown) but they cannot require the party do things outside that scope.

                                                  1. 3

                                                    Interesting! Thanks for explaining this.

                                        2. 9

                                          It was pretty hard to find an actual email address for this company. Nothing listed on their website, just a contact form. Hidden on their jobs page I found a job listing which included an address and on their General Terms and Conditions page there was a support address.

                                          A bit of an aside, but you can usually find this in the whois information. Most European registrars have this shielded so the CLI whois won’t be too useful, but most (or all?) of the responsible registries have a working whois on their website (SIDN.nl in this case). I found two different addresses by checking hosted.nl and sslchecker.nl (info@ and domain@).

                                          At any rate, dunno why they took the entire thing offline though. My guess would be that it got very little traffic and that providing the source code was just too much effort. And/or maybe it got set up by some intern a few years ago and they’re not quite sure.

                                          1. 2

                                            Yeah, if this service really provided a lot of value to the company they’d do everything in their power to keep it up (even if that would mean a rewrite so they can keep the proprietary bits to themselves)

                                          2. 8

                                            In a parallel dimension where courts are more accessible, our hero sued the company for every dime they made using the unlicensed software.

                                            1. 6

                                              Or alternately, perhaps our hero knew about the Principles of Community-Oriented GPL Enforcement and decided not to go to court first and not to seek the absolute maximum monetary damages.

                                              1. 9

                                                Incidentally, the Software Freedom Conservancy recently announced that they are changing enforcement strategies to prioritize litigation.

                                                From https://sfconservancy.org/copyleft-compliance/enforcement-strategy.html#the-need-for-litigation:

                                                In our private negotiations, pursuant to our Principles of Community-Oriented GPL Enforcement, GPL violators stall, avoid, delay and generally refuse to comply with the GPL. Their disdain for the rights of their customers is often palpable. Their attitude is almost universal: if you think we’re really violating the GPL, then go ahead and sue us. Otherwise, you’re our lowest priority.

                                                1. 7

                                                  The principles are designed to get more compliance. In this case they got compliance, so that’s good. But there is some disagreement about the best strategy to get max global compliance.

                                                  1. 6

                                                    Nah, take the company down without hesitation or remorse.

                                                    It’s not like the company wouldn’t do the same if it was in their financial interest.

                                                    1. 3

                                                      I’m familiar with this document, but I’ve not reviewed it in a few years. Thanks for linking to it!

                                                      It’s my understanding that avoiding court at first is generally the normal course of action preceding litigation.

                                                      GPLv3’s termination provision allows first-time violators automatic restoration of distribution rights when they correct the violation promptly

                                                      In theory, OP could consider the violation remedied under this provision of the GPL3 (upon which the AGPL3 is based, IIRC, with the notable SaaS provision added). That halts future infringement but doesn’t address past infringement. It’s on OP to determine if there’s enough juice to be squeezed out to make the effort worth it.

                                                      Copyright holders (or their designated agent) therefore are reasonable to request compensation for the cost of their time providing the compliance education that accompanies any constructive enforcement action.

                                                      This is one of my favorite parts of this community-oriented enforcement mindset. However, a few hours of consulting time versus 100% of the profits of a service that made a company tens or hundreds of thousands of dollars, minus legal fees of probably 1/3… do the latter and donate the proceeds to the SFC or another great open source organization. I believe that’d do more for the community.

                                                  2. 6

                                                    I mostly write MIT or ISC licensed code because I don’t care, and I’m happy if someone uses it in any context.

                                                    But what I’ve noticed in most companies I worked for is the mindset “if the source is available on the internet, I can just steal it and put it in my closed source software”. And this is whether it’s GPL code in a binary, or AGPL on a web service.

                                                    1. 3

                                                      I don’t know if this applies to AGPL but in GPL it is not mandatory to have a GitHub/GitLab or even a tarball with your code. It’s just that if they ask for the code you should make it available for them, but it doesn’t need to be released in public. So if you ask a company to put a link to the source code, that’s not what GPL says.

                                                      1. 2

                                                        For distribution under the regular GPL you’re correct. If you ship a product, it’s advised to provide a CD or USB with the source code, then you never have to worry or make it public. General best practice is to just make it available online for convenience. You can also include a written offer valid at least 3 years from the last release / support date. Then you have to ship a physical medium with the code. That’s how my company does it for the coffee machines, on request you get a USB stick. I’ve included pictures of that in the article.

                                                        For the AGPL I’m not sure due to the network aspect. In any case, they never provided the source, neither online nor offline.

                                                        1. 7

                                                          Okay, I think I know, it has to be available over the network. Quoting the AGPL:

                                                          13. Remote Network Interaction; Use with the GNU General Public License.

                                                          Notwithstanding any other provision of this License, if you modify the Program, your modified version must prominently offer all users interacting with it remotely through a computer network (if your version supports such interaction) an opportunity to receive the Corresponding Source of your version by providing access to the Corresponding Source from a network server at no charge, through some standard or customary means of facilitating copying of software. This Corresponding Source shall include the Corresponding Source for any work covered by version 3 of the GNU General Public License that is incorporated pursuant to the following paragraph.

                                                          https://www.gnu.org/licenses/agpl-3.0.en.html

                                                          1. 3

                                                            Thanks for the detailed reply, that’s another aspect of AGPL that’s different from GPL then (in a good way I think). My intuition that it might be similar was wrong. I’ll edit my comment.

                                                      2. 2

                                                        I already spent too much time reading this thread about licensing. That’s why I like MIT/ISC/BSD style licenses.

                                                        “I wrote it, do whatever you want with it, don’t sue me.”

                                                        1. 1

                                                          True “do whatever you want with it” is Unlicense/0BSD/WTFPL. MIT/ISC/2-3BSD also add “I want the clout” clauses :)

                                                          1. 1

                                                            Those specific licenses have flaws, too, the biggest one being failing to defend against patent trolls. The latest technology in permissive licenses is the Blue Oak Model License 1.0.0 (now SPDX-approved). It was written by a group of lawyers to plug the holes in those other licenses while being as simple as possible given current legal requirements.

                                                            1. 2

                                                              I don’t understand any of these “patent trolls” clauses. If I’m “violating” a patent, the court is going to find against me, no matter what license my violating code has.

                                                              1. 3

                                                                You’re right, the patent protection clause doesn’t protect you in that case. It’s meant to defend against a different type of threat.

                                                                Say a patent owner contributes code to your software that uses their patent. Later, after all your users have upgraded to a version including that code, they realize that they don’t want other people using their secret sauce, and they start suing your users for violating their patent. The Blue Oak Model License prevents this by forcing patent owners to license all relevant patents.

                                                                Thus, the license allows maintainers to spend less time evaluating whether code contributions are legally safe and more time evaluating whether code contributions are desirable and correct. The license also gives users peace of mind that their right to run the software won’t be revoked due to a patent threat.

                                                                1. 1

                                                                  That makes more sense, although I’m not sure it’d be legally enforceable? All they have to do is stop using your software, then they’re no longer subject to your license and can sue who they please, surely?

                                                                  1. 2

                                                                    It’s not “your” license at that point; their contributions were released under that license too. They have licensed their patents.