AGPLv3+ exception ("Additional Permission")
I'm the author of an AGPLv3+ perl module to which I'm considering
applying a licence exception (an `Additional Permission'). (I have
consulted the other copyrightholder and have their go-ahead.)
I'd welcome opinions about whether this is a good idea, and any
considerations I may have overlooked.
(I'm *not* interested in opinions about whether the intent of the AGPL
is a good idea, or whether the AGPLv3 is a good implementation.)
Background and my objective
The module is CGI::Auth::Flexible. It provides login form handling
for Perl CGI programs. It's not in Debian (yet). (I will call it CAF
from now on.)
With the current AGPLv3 licence, someone who deploys a modified CAF
must make available their whole web application to all callers. This
means that it is not possible to deploy a completely private web
application using CAF.
I don't think this is desirable. My intention in using the AGPLv3 is
not to force everyone to publish their source code outside their user
community. To put it another way: I want to flatten the power
relationship between a website's users and its operators.
But it is not my aim to undo the power imbalance between a website's
authorised users and other people on the internet. Indeed such an
objective would be bizarre for a module whose function is to enforce
I do want to try to make it possible for authorised users of a
website, who don't like the decisions made by its operator, to set up
an instance of their own, with modifications to their own taste.
So what I think I want is this:
* People who interact _only_ with the login form, ie only with CAF do
not need to have access to the source code.
* People who can log in, can get the complete source code for the
whole system. (This includes parts which implement interfaces which
they are not authorised to use. So for example, administrative
interfaces which are available only to the operator of a particular
* If a website has some kind of automatic signup process I don't care
very much whether users engaging in the signup process are covered
by the AGPLv3+. It is good if they are, but in practice any user
who gets an account will be benefit from the AGPLv3+ at that point.
If CAF is the only AGPLv3 part of the system, then AGPLv3 s13 does not
apply unless the operators modify CAF. (However, it would be foolish
to deploy a website without the legal ability to modify the login form
Logging in is clearly "interaction" with CAF, so unless I grant an
additional permission, s13 applies to non-users.
If there are other AGPLv3 parts of the program, then interactions with
them by logged-in users trigger s13. This is desirable.
Is it possible for me to arrange that interaction with CAF itself does
not count as interaction with "the Program" for the purposes of the
AGPLv3 licence on those other parts ?
If not then I would have to encourage other authors of AGPLv3'd
programs to adopt my licence exception.
Versioning and updates
It seems to me that this licence exception is fiddly and may need to
be updated. So I am considering something like:
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU Affero General Public License as
published by the Free Software Foundation, either version 3 of the
License, or (at your option) any later version, with the "CAF Login
Exception" as published by Ian Jackson (version 1, or at your option
any later version) as an Additional Permission.
Is something like this a good idea ?
I would prefer not to have to mention myself here. I would prefer to
name an organisation (because of (a) bus factor and (b) credibility).
I would probably consider Conservancy or SPI.
My first attempt at wording
CAF Login Exception (version 1)
To avoid forcing users to make the source code of their whole
application available to non-users, I (Ian Jackson) have granted this
exception as part of the licence of CGI::Auth::Flexible.
When considering AGPLv3 section 13 "Remote Network Interaction" (or
similar wording in successor licences):
If all interactions with the Program (other than interactions with the
user authentication system) require user authentication, the
provisions of that section apply only to interaction with the Program
by authenticated users.
This is an Additional Permission as contemplated by AGPLv3 section 7.
- Ian Jackson
As I say, comments welcome.