[HN Gopher] Reading the AGPL
___________________________________________________________________
Reading the AGPL
Author : sealeck
Score : 80 points
Date : 2021-04-20 19:33 UTC (3 hours ago)
(HTM) web link (writing.kemitchell.com)
(TXT) w3m dump (writing.kemitchell.com)
| [deleted]
| howeyc wrote:
| The author is attempting to extract a loophole by having the
| "modifier" and "host" be two different entities. The license is
| clear:
|
| > Notwithstanding any other provision of this License, if you
| modify the Program, your modified version must prominently offer
| all users interacting with it remotely through a computer network
| (if your version supports such interaction) an opportunity to
| receive the Corresponding Source of your version
|
| So if someone modifies the program to remove access to source and
| provides the program to someone else, they have violated the
| license. Who hosts it doesn't matter, it's the person modifying
| the program that must make sure the modified version has some way
| of offering source.
| kemitchell wrote:
| My hypo assumes a license violation. Then what? The violator
| and the user of the modified aren't necessarily the same, or
| even related.
| tzs wrote:
| I don't think you are fully considering the part of the license
| you quote. The loophole is more subtle than you think. It
| depends on the fact that there are two conditions that have to
| be met: you modify the program _and_ you have users interacting
| with it remotely through a computer network.
|
| I download some AGPL code, modify it, including removing the
| part where it offers to make source available, and run it in
| some application where there are no users who interact with it
| remotely through a computer network.
|
| I don't trigger the AGPL source clause, because I don't have
| interactive remote users. This means that for me the license is
| essentially plain GPLv3, not AGPL.
|
| I choose to publish my modified source in some public place.
|
| Alice downloads that source, runs it on her own server, and she
| _does_ have users who interact with it remotely through a
| computer network.
|
| But she has not modified the program, so she doesn't trigger
| the AGPL source clause either.
|
| If I later choose to take down my modified source (which I can
| do because I was not obligated in the first place to publish
| it), and no one else happens to have made a copy available, then
| we end up with Alice running a modified AGPL program with users
| interacting remotely over a network, and with no one obligated
| to provide source.
| avodonosov wrote:
| It is easier to read AGPL than this article
| enriquto wrote:
| Politics aside, is there any special reason to use the plain GPL
| anymore? I guess if you want a copyleft license then AGPL is the
| way to go (in terms of granting freedom to the users). Unless
| there's some shortcoming of the AGPL that I'm not aware of.
| bscphil wrote:
| Honestly, compatibility with the GPL is a very good reason to
| still use the GPL rather than AGPL. My preferred licensing
| arrangement (for server software) would be something like AGPL
| + non-profit, but I would never actually license something like
| that because it's too harmful to code reuse. When you're
| writing code for the free software community, one of your
| concerns has to be compatibility with the norms of the
| community.
|
| Kind of like web standards, actually: you may think RSS/ATOM
| are terrible standards and JSON Feed is the only way to go, but
| if you're writing blogging software, it should probably be able
| to generate an RSS feed.
| enriquto wrote:
| > Honestly, compatibility with the GPL is a very good reason
| to still use the GPL rather than AGPL.
|
| What do you mean by compatible? The GPL and the AGPL are
| explicitly compatible with each other.
| bscphil wrote:
| I'm referring to this, from the GNU.org license comments
| page:
|
| > It [the AGPL] is also technically not compatible with
| GPLv3 in a strict sense: you cannot take code released
| under the GNU AGPL and convey or modify it however you like
| under the terms of GPLv3, or vice versa.
|
| In my mind, this is a pretty bad limitation. If I'm writing
| software for the free software community, it seems bad to
| me if someone working on a GPL project cannot take my code
| and use it as part of their project without the whole
| project then being under a mixed license. The terms of the
| AGPL would apply to a derived work even if all the other
| code was GPL. While it might sometimes be possible for
| someone to do everything they want that way, the added
| complexity means that using part of an AGPL project may be
| a non-starter even in those cases.
|
| The AGPL is also not compatible at all with GPL 2, which
| many projects are still using.
| tyingq wrote:
| Imagine Linux relicensing under the AGPL. I don't think that's
| the setup Linus wants.
| bombcar wrote:
| GPLv2 -> compatible with the Linux Kernel, well understood,
| nobody is scared of it.
|
| GPLv3 -> prevents tivoization, some companies (see Apple) are
| scared/annoyed by it. Doesn't stop SaaS.
|
| AGPL -> all of the above, makes many companies deathly afraid.
| enriquto wrote:
| Sure, but these are "political" reasons. Is there any
| circumstance where a programmer may want to copyleft their
| software, allowing users to download the source code of the
| software that they use, _except when the software runs on a
| server_? Who cares, today, if the program that you use runs
| on a server or on your computer? The plain GPL introduces a
| somewhat artificial distinction between both cases. In the
| AGPL, all users are treated equally, and granted the right to
| obtain the source code of the program they use, regardless of
| where the program runs.
| gumby wrote:
| Oh phooey, all this does is extend GPL rights to users who are
| running the code over a network rather than their own machine.
|
| If you don't like the GPL then you won't like this. OK, I
| generally disagree, but reasonable people can disagree.
|
| If you do like the GPL this merely fixes an important corner
| case.
|
| And if you are someone who pretends to like the GPL but hides
| their work behind a network connection: just grow up and admit
| you don't like the GPL. Don't lie for PR purposes.
| friend-monoid wrote:
| Did you read the OSL version of the same statement? It's kind
| of beautiful in comparison. I think it's an amazingly
| insightful article. Like "clean code", but it's a license.
| MaxBarraclough wrote:
| > If you do like the GPL this merely fixes an important corner
| case.
|
| Disagree. As the article states, it's importantly different
| from the GPL, even under the FSF's own philosophy. As others
| have already pointed out, it could be said to infringe on
| Freedom Zero, _The freedom to run the program as you wish, for
| any purpose_. [0]
|
| At the risk of just writing a far inferior rehash of the
| article: under the GPL, you can take code, modify it (Freedom
| 1), and run that code on your machine under whatever terms you
| want, e.g. as an Internet-enabled service. You are not
| obligated to publish the resulting source code, provided you
| also refrain from publishing the binaries corresponding to the
| modified source. With the AGPL, that's no longer the case.
|
| One could argue it's just a matter of degree, as the GPL
| imposes rules on linking against non-GPL code, but I think the
| difference is still an important one.
|
| Following copyleft, the FSF understanding of being _free_ to do
| something typically doesn't preclude _free but with an
| obligation to release your source under a Free Software
| licence_. They do seem to have a limit though. The FSF consider
| the _Watcom 1.0_ licence to be non-Free because of its far-
| reaching source-publication requirements, which can apply even
| to private use. [1] The AGPL does something similar, except it
| only applies when your deployment is publicly accessible. (This
| is, of course, the whole point.)
|
| Quite apart from all that, this isn't the first time I've read
| of technical legal issues with the way the licence is written,
| far exceeding those of the GPLv3.
|
| [0] https://www.gnu.org/philosophy/free-sw.en.html
|
| [1] https://directory.fsf.org/wiki/License:Watcom-1.0
| sneak wrote:
| I really like the GPL and I really care about software freedom.
|
| I think the AGPL is nonfree. It attempts to redefine the
| provision of a service as the same as the provision of
| software. They are not the same thing at all.
|
| I believe that software freedom includes the right to keep my
| own local modifications private, if I'm not distributing the
| software (but only using that software locally to provide a
| network service).
| bombcar wrote:
| I think at the root of the issue is that "Freedom 0" and
| being against "SaaSS" as rms calls it, are incompatible. See
| https://www.gnu.org/philosophy/who-does-that-server-
| really-s...
|
| The AGPL (and I would argue that even the GPLv3) attempt to
| restrict Freedom 0 to prevent "evil companies" (or if you
| want to word it differently "dumb customers") from foot
| gunning themselves. The AGPL and the GPLv3 would not be
| NEEDED if customers refused to use those products - but since
| the vast majority of people don't care about software
| freedom, the AGPL and GPLv3 try to prevent it - by
| restricting Freedom 0. Perhaps slightly, perhaps it's a good
| trade-off, but it's still a restriction.
| sneak wrote:
| This is a very clear and succinct way of putting it, and I
| think you're absolutely correct in your analysis.
|
| I care a lot more about Freedom 0 than trying to "fix" the
| legitimate choices of customers and vendors.
| aflag wrote:
| What about the users of the software you provide via the
| network, don't they have the freedom to run, modify and study
| the software they are using? If you stop providing the
| service, don't they have the freedom to run it somewhere else
| and keep using it as they did? When it comes to remote use of
| software, the freedom to copy and run is even more critical.
| Microsoft can't prevent me from running windows 95, but
| google can sure prevent me from using gmail in future.
| sneak wrote:
| Assuming I'm an "evil ASP" in this model: I am _not_
| providing software via the network. I'm providing JSON (or
| protobuf or whatever), in response to questions.
|
| Distributing software and providing a service via an API
| are not in any way the same thing. One is a noun and one is
| a verb!
| aflag wrote:
| Sure, they are not the same thing. I'm just pointing out
| that the freedom in free software is all about users
| having the freedom to do with the software they use as
| they please, not about the freedom of people hiding parts
| of how the software works. You are not evil, you're just
| restricting your user's freedom, which is neither wrong
| nor a crime.
| pritambaral wrote:
| > ... keep my own local modifications private, if I'm not
| distributing the software (but only using that software
| locally to provide a network service).
|
| Nuance: The AGPL allows you to keep your modifications
| private _if you're not distributing the software_. It simply
| considers over-the-network usage as "distribution". That is
| how it defines it, in the legal text. This makes sense in
| many cases, where software is written primarily or solely for
| the purposes of providing network services. Authors of such
| software need a way to define network access as
| "distribution", and they have the AGPL for such software.
|
| > I believe that software freedom includes the right to ...
|
| Similarly, the permissive-licenses camp also believes
| software freedom includes the right to some things that the
| copyleft camp does not provide. Fundamentally, it comes down
| to a tradeoff: between the rights of a developer and the
| rights of an end-user. The permissive-licenses spirit places
| the former over the latter, and the copyleft spirit does it
| the other way. But in both cases, software freedom is
| maintained, even if for at most one type of persons. Sadly,
| it is logically impossible to maintain software freedom for
| both developers and end-users.
| TimTheTinker wrote:
| There are software companies that make money on selling
| commercial licenses to libraries, but increase their visibility
| by offering AGPL-licensed versions on public package repos.
|
| For example, PM2 is a dual-licensed (AGPL/commercial) NodeJS
| process manager available on npm.
|
| I bet more than one SaaS company has had a significant problem to
| fix months or years after adding one of these libraries as a
| dependency in a project.
|
| More reading: https://news.ycombinator.com/item?id=21966864
| kemitchell wrote:
| The answer is "it depends". And mostly on the terms that AGPL
| shares with GPL.
| xtracto wrote:
| One interesting case I find is ScyllaDB: They took the work of
| Cassandra (which is in a Permissive Apache License) and
| converted it into the less-permissive AGPL/Commercial. One of
| those things that are not "illegal" but kind of questionable.
| kmeisthax wrote:
| It's less questionable than incorporating permissively-
| licensed code into a proprietary product.
| aflag wrote:
| What do they do about external contributors? Do they agree on
| giving the copyright of any patches they make to the PM2
| owners?
| bombcar wrote:
| >There's also leverage on an unwritten assumption. The one who
| modifies the program and the one who operates the modified
| service may not be the same. And there's no obligation on anyone
| to accept an offer of Corresponding Source required under section
| 13, or to police violations of section 13 for the maintainers.
|
| >If you modify an AGPL blog platform to add a feature I like, and
| share the source code with me, but don't offer it to anyone else,
| there's nothing in AGPL that requires me to send the change back
| to the maintainer. Nor, arguably, is there any obligation on me
| to offer source code when I run the program to host my own blog.
| If the maintainer finds out about it, and comes after me, my
| first argument is simple. I didn't violate section 13. I didn't
| modify the program. That's the way it's written.
|
| This is a very interesting loophole. It's highly unlikely any
| company would be willing to risk it (as if company A pays company
| B to modify AGPL code and provide it to them it'd be a relatively
| easy argument that for the purposes of the license they're
| operating "as one") but it does seem a loophole that's not easy
| to work around. Always requiring the modified code be available
| would make it a license violation to download an AGPL work,
| change one file, and then delete it because you're bored.
|
| Perhaps Google being terrified of AGPL is enough to do what it
| wants.
| im3w1l wrote:
| > Always requiring the modified code be available would make it
| a license violation to download an AGPL work, change one file,
| and then delete it because you're bored.
|
| Imho the reasonable way to make it work is this: Assume Alice
| writes an AGPL software, Bob makes a modification and sends it
| to Claire, and Claire then uses it to host a blog, and David
| then reads the blog. Then Claire should be required to tell
| David where the source can be found, either by referring him to
| Bob's repo, or to a repo she herself hosts.
| kelnos wrote:
| > _Always requiring the modified code be available would make
| it a license violation to download an AGPL work, change one
| file, and then delete it because you're bored._
|
| Right, but you don't have to require that (you can close the
| "transitive distribution loophole" by explicitly calling it
| out), and a clause like this would not be enforceable anyway,
| because all of this relies on copyright law, which is
| fundamentally about _distribution_. If there is no
| distribution, then the license terms do not apply.
|
| IANAL, though, and this is where it gets dicey for me: can you
| really legally frame "putting software on a server that others
| can access through an API" as "distribution"? Or does that part
| not rely on distribution at all, making the AGPL sort of a
| combo copyright license and EULA?
| kemitchell wrote:
| Copyright law is not just distribution. Read 17 U.S.C. § 106.
| kelnos wrote:
| I'm well aware, and I've read it before.
|
| (1) is immaterial to the discussion; I can copy to my
| heart's content in private, and as long as I don't
| distribute it, no one will know, and no one will take any
| action against me. At any rate, fair use defenses #1 and
| #4[0] are pretty compelling to cover private, non-
| distributive copying.
|
| (2) is similar to (1) in that it has no teeth until you try
| to distribute your derivative work.
|
| (3) is explicitly about distribution.
|
| (4) & (5) & (6) are about public display/performance, which
| don't apply to software, and I would argue are also about
| distribution anyway.
|
| [0] https://www.copyright.gov/fair-use/
| kemitchell wrote:
| Courts enforce the rights independently. You can bring a
| claim under any of them. I'm not aware of any law that
| you must also claim distribution.
|
| Reproduction is inherent in execution, development, etc.
| on computers. See "licensed, not sold" and the analysis
| of the ways 117 differs from the CONTU rec.
| [deleted]
___________________________________________________________________
(page generated 2021-04-20 23:01 UTC)