your modified version must prominently offer all users interacting with it remotely through a computer network (if your version supports such interaction) an opportunity to receive the Corresponding Source of your version
The author suggests a workaround:
you could probably use a similar setup to put a 3D printing slicer online: you would want to have the web application take a set of parameters, and then run the slicing as a background batch job, informing the users when the files are ready for them to collect. You wouldn’t be interacting with the software over the network at all, so you wouldn’t need to release any of your web application as AGPL-3.
IMO the AGPL-3 still applies in this situation. The user interaction with the protected program, in this case, comprises the following steps:
The user specifies a set of parameters to the slicer, over a computer network.
The parameters are given as input to the slicer, which processes the user’s input and produces output files.
The user is notified that the output files are ready, over the network.
Those three steps are an interaction between the user and the protected program over a computer network, using the plain English meaning of the word “interaction”.
There was a period of time during the 20ᵗʰ century when two competing ways of interacting with a computer were termed “batch processing” and “interactive computing”. The author is restricting the meaning of the word “interacting” in the AGPL-3 to a sense derived from this idea of “interactive computing”. I don’t think it is reasonable to interpret the AGPL-3 in such a restricted way. It would imply that the protected slicer code must already be running before it receives the input parameters from the user, and that the protected slicer code must still be running when the output is delivered to the user. This doesn’t make sense for a slicer engine, which is a generally a pure function from its inputs to its outputs. This narrow interpretation would imply that a pure function cannot be protected by the AGPL-3, due to the fact that the function isn’t running when the user’s input is collected or when the output of the function is delivered to the user.
Your interpretation would seem to imply that, for example, any networked application which uses an AGPL’d database is inherently AGPL, since the same logic could be applied to say that the network/process boundaries between the application and the database instance don’t count and the user is really “interacting” with the database instance through the medium of the application.
I don’t think that claim would hold up, and I don’t think it should hold up.
I don’t see where that implication comes from, will you quote the relevant excerpt?
The AGPL is meant to prevent someone wrapping a library’s API with network calls to neuter its protections — there’s nothing wrong with using an AGPL database in a proprietary product, unless your product is a database with a suspiciously similar API to the database you’re using.
Proprietary web todo list that uses an AGPL database? Fine.
Proprietary web database that wraps an AGPL database? Sketchy.
Proprietary “batch job” database that wraps an AGPL database with an extra layer of indirection? Also sketchy. Im not a lawyer, but this strikes me as a silly “one weird trick” that adds complexity without actually circumventing the AGPL protections.
But for the AGPLv3 to apply, you have to modify the program such that it displays an link to the source code. Even if it applies, if the program is way back in the backend somewhere, how would the user see it? Doesn’t make any sense.
A workaround I’ve seen suggested before (in a “I can’t believe this is the license everyone uses” sort of way) is to have the modified version of the AGPL program do exactly what it’s supposed to, serve up responses including an offer for the source code… and then have a closed source proxy server in front of it strip that offer. After all the license requires the modified version of the software to provide that offer, not the person that modified it or the operator of the software.
I’m sure I’d never want to be on either side of a court case about this.
I’m not sure how this would make a difference. Section 13 of the AGPL talks about a user interacting with the modified version. So if a user interacts with the modified program remotely, section 13 doesn’t specify how this interaction is done. It is clear that there will be other software components between the user and the program (router, maybe a CDN, load-balancer…). So adding a proxy server would be just another one.
This workaround concedes that the user is interacting with the modified AGPL program.
Rather it maintains that the modifications to the AGPL program comply with the requirement that “your modified version must prominently offer all users interacting with it remotely through a computer network”. The modified version of the AGPL program does that (is the claim). The license (supposedly) doesn’t require that the modified program is only then used in environments that forward on that offer.
I agree that seems sketchy, is the offer really being made if we know it’s going to be stripped? I can easily see a court finding not.
On the flip side… consider what happens if there are two parties:
One modifies the AGPL program and supplies it to the other, so that it provides a link to download it’s source at the top of every page.
The other studies the AGPL program, doesn’t modify it, and puts it behind the offer stripping proxy.
Who, if anyone, is committing copyright infringement? The first clearly complied with the license. The second didn’t modify the program, so section 13 of the license doesn’t apply to them at all. It seems like neither.
Does this change if one party does both? Section 13 doesn’t appear to put requirements on how the modified software is used, only what modifications are made. When was copyright infringed? When the software was modified (even though it includes an offer of source on every request)? When the software was deployed (even though the license doesn’t appear to restrict deployment behind proxies)?
Like I said, not a court case I would want to be a party to.
(Hopefully it goes without saying that I’m not a lawyer and this is not legal advice. Also that in practice I would hope that people comply with the spirit of the license regardless of whether or not it is binding)
The other studies the AGPL program, doesn’t modify it, and puts it behind the offer stripping proxy.
I’m still not sure about the proxy. However, in this case no modification was done and this modified version is already out there and available. So in the spirit of the license all modifications are already available somewhere.
This takes an incredibly narrow, implausible, view of “interact over the network.” If I go to a website, click a button that says “Generate a PDF” and it says, great, I’ll email you when it’s done, the batch job that generates the PDF still seems obviously part of the same interaction over the network. If I have ebanking with a bank and I toggle a setting to email me monthly PDFs of my account statements, that’s still interacting over the network. A user receiving a spam email is still interacting over the network with the software that generated the spam, even if they neither sent a request for it nor respond to it.
See my reply to the other person talking about this, and asking whether an application backed by an old MongoDB AGPL’d data store is thus AGPL’d since you’re just “interacting” with the data store through the application.
Or consider what happens if the action is delayed. What if I’m scheduling a job or a reminder to run at a later time? How far into the future does the AGPL reach in that case? What if the software which will generate the result artifact changes during that time? Perhaps it wasn’t AGPL when I made the request, but is now – have I really “interacted” with it in that case?
Trying to expand the definition of “interact over the network” in this way just does not hold dup to even very very basic scrutiny.
I worked at a company where the lawyers read the license that way and were flat against upgrading MongoDB from the last version before it went AGPL. Mongo-the-company told us that they would not rule out that reading, by the way.
Trying to expand the definition of “interact over the network” in this way just does not hold dup to even very very basic scrutiny.
At what point do we cut it off? What’s the legal test for it no longer being part of the same interaction?
I think the key point is not the definition if interaction, but the definition of modification. At one extreme, no one thinks that running your software on Linux or as a service under systemd requires you to GPL your code. The only plausible model I can think of for a test is 1) did I alter what I received? and 2) could I replace what I received in its entirety with no substantive change to the interaction with the software? My uber-for-cats web app could swap MySQL for MongoDB and it if I did my job right it would be no substantive change. If I went and fixed some bugs in MongoDB in the process, those would be modifications and would need to be released. On the other hand, if I create a managed MongoDB service, changing the database involved would be a substantive change and all the management code around it can straightforwardly be interpreted as modifications. There’s a lot of messy gray area in between, but this is the same issue that never really got resolved with the GPL in the 1990’s and early 2000’s.
At what point do we cut it off? What’s the legal test for it no longer being part of the same interaction?
And this is why the AGPL is not a Free Software license. Free Software’s definition Freedom 0 requires that you are free to use the software for any purpose. The GPL is very clear that you do not have to accept the license to use the software, only to copy it. This means that, irrespective of what the GPL claims, the limit of GPL propagation is the limit of copyright: If you do not create derived works of the GPL’d component and you do not distribute the GPL’d component, you do not have to accept the license and so none of the terms are relevant to you.
Suppose Bob makes widgets, and Bob is also a Free Software fan who ensures everything on his personal computer is Free Software under the strongest copyleft available. So, AGPL by preference, GPLv3 as a second-best, etc.
Bob participates in various online marketplaces where he lists his widgets for sale. To do this, Bob has a web site which he uses to manage his inventory of widgets and expose information about them, via HTTP, to the various marketplace sites on which he sells. It is likely that the marketplaces all use a common API for doing this, and that various plug-and-play implementations of that API are available. Bob has chosen to use one that’s AGPL’d. And, crucially, the API used by the marketplaces is neither “defined by a recognized standards body” nor “one that is widely used by developers” working in a particular programming language, and thus fails the “standard interface” exemption to the GPL family of licenses.
Yesterday, Bob modified his copy of the AGPL’d inventory software. Today, Alice purchased a widget through one of the marketplace sites Bob sells on, and her purchase order was routed to Bob.
Has the marketplace site violated the AGPL? By your interpretation, they have! After all, you’ve decided that it doesn’t matter how many network hops are between the end user and the AGPL’d software, as long as there is ultimately some AGPL’d software at the other end.
At what point do we cut it off? What’s the legal test for it no longer being part of the same interaction?
We don’t know because there is no case law. If you talk to licensing lawyers you will likely that the answer that there is lime somewhere, but finding it is hard.
The AGPL says
The author suggests a workaround:
IMO the AGPL-3 still applies in this situation. The user interaction with the protected program, in this case, comprises the following steps:
Those three steps are an interaction between the user and the protected program over a computer network, using the plain English meaning of the word “interaction”.
There was a period of time during the 20ᵗʰ century when two competing ways of interacting with a computer were termed “batch processing” and “interactive computing”. The author is restricting the meaning of the word “interacting” in the AGPL-3 to a sense derived from this idea of “interactive computing”. I don’t think it is reasonable to interpret the AGPL-3 in such a restricted way. It would imply that the protected slicer code must already be running before it receives the input parameters from the user, and that the protected slicer code must still be running when the output is delivered to the user. This doesn’t make sense for a slicer engine, which is a generally a pure function from its inputs to its outputs. This narrow interpretation would imply that a pure function cannot be protected by the AGPL-3, due to the fact that the function isn’t running when the user’s input is collected or when the output of the function is delivered to the user.
Your interpretation would seem to imply that, for example, any networked application which uses an AGPL’d database is inherently AGPL, since the same logic could be applied to say that the network/process boundaries between the application and the database instance don’t count and the user is really “interacting” with the database instance through the medium of the application.
I don’t think that claim would hold up, and I don’t think it should hold up.
I don’t see where that implication comes from, will you quote the relevant excerpt?
The AGPL is meant to prevent someone wrapping a library’s API with network calls to neuter its protections — there’s nothing wrong with using an AGPL database in a proprietary product, unless your product is a database with a suspiciously similar API to the database you’re using.
Proprietary web todo list that uses an AGPL database? Fine.
Proprietary web database that wraps an AGPL database? Sketchy.
Proprietary “batch job” database that wraps an AGPL database with an extra layer of indirection? Also sketchy. Im not a lawyer, but this strikes me as a silly “one weird trick” that adds complexity without actually circumventing the AGPL protections.
But for the AGPLv3 to apply, you have to modify the program such that it displays an link to the source code. Even if it applies, if the program is way back in the backend somewhere, how would the user see it? Doesn’t make any sense.
A workaround I’ve seen suggested before (in a “I can’t believe this is the license everyone uses” sort of way) is to have the modified version of the AGPL program do exactly what it’s supposed to, serve up responses including an offer for the source code… and then have a closed source proxy server in front of it strip that offer. After all the license requires the modified version of the software to provide that offer, not the person that modified it or the operator of the software.
I’m sure I’d never want to be on either side of a court case about this.
My 2c:
I’m not sure how this would make a difference. Section 13 of the AGPL talks about a user interacting with the modified version. So if a user interacts with the modified program remotely, section 13 doesn’t specify how this interaction is done. It is clear that there will be other software components between the user and the program (router, maybe a CDN, load-balancer…). So adding a proxy server would be just another one.
This workaround concedes that the user is interacting with the modified AGPL program.
Rather it maintains that the modifications to the AGPL program comply with the requirement that “your modified version must prominently offer all users interacting with it remotely through a computer network”. The modified version of the AGPL program does that (is the claim). The license (supposedly) doesn’t require that the modified program is only then used in environments that forward on that offer.
I agree that seems sketchy, is the offer really being made if we know it’s going to be stripped? I can easily see a court finding not.
On the flip side… consider what happens if there are two parties:
One modifies the AGPL program and supplies it to the other, so that it provides a link to download it’s source at the top of every page.
The other studies the AGPL program, doesn’t modify it, and puts it behind the offer stripping proxy.
Who, if anyone, is committing copyright infringement? The first clearly complied with the license. The second didn’t modify the program, so section 13 of the license doesn’t apply to them at all. It seems like neither.
Does this change if one party does both? Section 13 doesn’t appear to put requirements on how the modified software is used, only what modifications are made. When was copyright infringed? When the software was modified (even though it includes an offer of source on every request)? When the software was deployed (even though the license doesn’t appear to restrict deployment behind proxies)?
Like I said, not a court case I would want to be a party to.
(Hopefully it goes without saying that I’m not a lawyer and this is not legal advice. Also that in practice I would hope that people comply with the spirit of the license regardless of whether or not it is binding)
I’m still not sure about the proxy. However, in this case no modification was done and this modified version is already out there and available. So in the spirit of the license all modifications are already available somewhere.
This takes an incredibly narrow, implausible, view of “interact over the network.” If I go to a website, click a button that says “Generate a PDF” and it says, great, I’ll email you when it’s done, the batch job that generates the PDF still seems obviously part of the same interaction over the network. If I have ebanking with a bank and I toggle a setting to email me monthly PDFs of my account statements, that’s still interacting over the network. A user receiving a spam email is still interacting over the network with the software that generated the spam, even if they neither sent a request for it nor respond to it.
See my reply to the other person talking about this, and asking whether an application backed by an old MongoDB AGPL’d data store is thus AGPL’d since you’re just “interacting” with the data store through the application.
Or consider what happens if the action is delayed. What if I’m scheduling a job or a reminder to run at a later time? How far into the future does the AGPL reach in that case? What if the software which will generate the result artifact changes during that time? Perhaps it wasn’t AGPL when I made the request, but is now – have I really “interacted” with it in that case?
Trying to expand the definition of “interact over the network” in this way just does not hold dup to even very very basic scrutiny.
I worked at a company where the lawyers read the license that way and were flat against upgrading MongoDB from the last version before it went AGPL. Mongo-the-company told us that they would not rule out that reading, by the way.
At what point do we cut it off? What’s the legal test for it no longer being part of the same interaction?
I think the key point is not the definition if interaction, but the definition of modification. At one extreme, no one thinks that running your software on Linux or as a service under systemd requires you to GPL your code. The only plausible model I can think of for a test is 1) did I alter what I received? and 2) could I replace what I received in its entirety with no substantive change to the interaction with the software? My uber-for-cats web app could swap MySQL for MongoDB and it if I did my job right it would be no substantive change. If I went and fixed some bugs in MongoDB in the process, those would be modifications and would need to be released. On the other hand, if I create a managed MongoDB service, changing the database involved would be a substantive change and all the management code around it can straightforwardly be interpreted as modifications. There’s a lot of messy gray area in between, but this is the same issue that never really got resolved with the GPL in the 1990’s and early 2000’s.
And this is why the AGPL is not a Free Software license. Free Software’s definition Freedom 0 requires that you are free to use the software for any purpose. The GPL is very clear that you do not have to accept the license to use the software, only to copy it. This means that, irrespective of what the GPL claims, the limit of GPL propagation is the limit of copyright: If you do not create derived works of the GPL’d component and you do not distribute the GPL’d component, you do not have to accept the license and so none of the terms are relevant to you.
Suppose Bob makes widgets, and Bob is also a Free Software fan who ensures everything on his personal computer is Free Software under the strongest copyleft available. So, AGPL by preference, GPLv3 as a second-best, etc.
Bob participates in various online marketplaces where he lists his widgets for sale. To do this, Bob has a web site which he uses to manage his inventory of widgets and expose information about them, via HTTP, to the various marketplace sites on which he sells. It is likely that the marketplaces all use a common API for doing this, and that various plug-and-play implementations of that API are available. Bob has chosen to use one that’s AGPL’d. And, crucially, the API used by the marketplaces is neither “defined by a recognized standards body” nor “one that is widely used by developers” working in a particular programming language, and thus fails the “standard interface” exemption to the GPL family of licenses.
Yesterday, Bob modified his copy of the AGPL’d inventory software. Today, Alice purchased a widget through one of the marketplace sites Bob sells on, and her purchase order was routed to Bob.
Has the marketplace site violated the AGPL? By your interpretation, they have! After all, you’ve decided that it doesn’t matter how many network hops are between the end user and the AGPL’d software, as long as there is ultimately some AGPL’d software at the other end.
We don’t know because there is no case law. If you talk to licensing lawyers you will likely that the answer that there is lime somewhere, but finding it is hard.