Re: Berkeley DB 6.0 license change to AGPLv3

To: debian-devel@lists.debian.org
Subject: Re: Berkeley DB 6.0 license change to AGPLv3
From: Adam Borowski <kilobyte@angband.pl>
Date: Wed, 10 Jul 2013 15:50:03 +0200
Message-id: <[🔎] 20130710135003.GA5103@angband.pl>
In-reply-to: <[🔎] 3579482.vLFedv3hB4@scott-latitude-e6320>
References: <[🔎] CALjhHG8D_ZWDb2+fejK63o418Tq8cSwc8Y5eV5czgLDZGJ2_sA@mail.gmail.com> <[🔎] 20130706154116.GA3818@client.brlink.eu> <[🔎] 20130710110647.GB3486@upsilon.cc> <[🔎] 3579482.vLFedv3hB4@scott-latitude-e6320>

On Wed, Jul 10, 2013 at 08:18:12AM -0400, Scott Kitterman wrote:
> Sorry, I can't quite let this pass.  I just went and looked at the AGPL v3 
> again and one implication of the license is that you can't locally fix a 
> security issue without immediate disclosure.  This doesn't fit my personal 
> ethics at all and at least IMO makes it pretty unsuitable as a license for any 
> network facing service.

You can!

There is just one caveat: you must make sure to never, ever, distribute that
piece of software, because once you do, you permanently lose your right to
use it without obnoxious and potentially crippling restrictions.

That's section 9 of AGPL v3.

So we have non-redistributable software in the main archive.  The
alternative you are allowed to ("accepting the license") can't be
considered free, as it outright violates FSF's freedom 0 (The freedom
to run the program, for any purpose) and DFSG 6 (No discrimination
against fields of endeavor).  AGPLed code can't be used for pretty
much anything that's neither a web service nor restricted solely to
a single computer.

As already mentioned in so many places, interesting banned uses include
reusing any part of the code in:
* a POP3/IMAP server
* an IRC bot that doesn't spam every user with legal messages
* a SMS/etc service
* a kiosk
* a wifi-connected lift control (don't laugh, I've seen one at Google)

Per section 13, any derived software that "supports remote interaction
through a computer network" must present a prominent offer to every user,
no matter if that's feasible or possible.  And this applies even if you
lift just several lines of code, even ancillary.  For example, two of my
personal projects include autoconfage that detects the way of spawning
ptys, copied from GNU screen, without using any part of screen proper.
Even such a minor code reuse is effectively banned by the AGPL -- both
of those projects include networking, and only one can reasonably present
an URL to its users.

The official FTPmaster response came in #495721, and it doesn't even
mention this issue, only three minor points (cost of running a webserver
with sources, private use, contaminating reverse dependencies).
Thus, could someone please explain, are there any arguments that
forbidding reuse with any protocols that don't support sending bulk
ancillary text would be free?  What I can see are debian-legal threads
considering AGPL to be non-free, and, in other places like the FTPmasters
response, avoiding this issue.

That it's uncomfortable doesn't make it any less valid.  The archive
carries a non-free section just for cases like this.

-- 
ᛊᚨᚾᛁᛏᚣ᛫ᛁᛊ᛫ᚠᛟᚱ᛫ᚦᛖ᛫ᚹᛖᚨᚲ

Reply to:

Follow-Ups:
- Re: Berkeley DB 6.0 license change to AGPLv3
  - From: Bastian Blank <waldi@debian.org>

References:
- Berkeley DB 6.0 license change to AGPLv3
  - From: Ondřej Surý <ondrej@sury.org>
- Re: Berkeley DB 6.0 license change to AGPLv3
  - From: "Bernhard R. Link" <brlink@debian.org>
- Re: Berkeley DB 6.0 license change to AGPLv3
  - From: Stefano Zacchiroli <zack@debian.org>
- Re: Berkeley DB 6.0 license change to AGPLv3
  - From: Scott Kitterman <debian@kitterman.com>

Prev by Date: Re: Berkeley DB 6.0 license change to AGPLv3
Next by Date: Debian policy for web apps still references /doc as accessible
Previous by thread: Re: Berkeley DB 6.0 license change to AGPLv3
Next by thread: Re: Berkeley DB 6.0 license change to AGPLv3
Index(es):
- Date
- Thread