Re: Berkeley DB 6.0 license change to AGPLv3

To: debian-devel <debian-devel@lists.debian.org>
Subject: Re: Berkeley DB 6.0 license change to AGPLv3
From: Clint Byrum <spamaps@debian.org>
Date: Wed, 10 Jul 2013 09:20:37 -0700
Message-id: <[🔎] 1373472124-sup-4610@fewbar.com>
In-reply-to: <[🔎] 4241872.WOu7pss5Jc@scott-latitude-e6320>
References: <[🔎] CALjhHG8D_ZWDb2+fejK63o418Tq8cSwc8Y5eV5czgLDZGJ2_sA@mail.gmail.com> <[🔎] 20130710135003.GA5103@angband.pl> <[🔎] 20130710150320.GB8818@mail.waldi.eu.org> <[🔎] 4241872.WOu7pss5Jc@scott-latitude-e6320>

Excerpts from Scott Kitterman's message of 2013-07-10 08:28:54 -0700:
> On Wednesday, July 10, 2013 05:03:20 PM Bastian Blank wrote:
> > On Wed, Jul 10, 2013 at 03:50:03PM +0200, Adam Borowski wrote:
> > > There is just one caveat: you must make sure to never, ever, distribute
> > > that piece of software, because once you do, you permanently lose your
> > > right to use it without obnoxious and potentially crippling restrictions.
> > 
> > Not right. You have to allow _access_ to it via a computer network.
> > 
> > > That's section 9 of AGPL v3.
> > 
> > Please read section 9 of GPL v3, it is identical.
> > 
> > > Per section 13, any derived software that "supports remote interaction
> > > through a computer network" must present a prominent offer to every user,
> > > no matter if that's feasible or possible.
> > 
> > You miss a vital part of this sentence: "(if your version supports such
> > interaction)". Please quote complete sentences if you try to proof
> > something.
> > 
> > > The official FTPmaster response came in #495721, and it doesn't even
> > > mention this issue, only three minor points (cost of running a webserver
> > > with sources, private use, contaminating reverse dependencies).
> > 
> > GPL also contaminates its reverse dependencies. So what? Okay, in this
> > case you actually have to do something for it.
> 
> It's precisely the forced distribution of modifications that makes it 
> unsuitable for any use that is any way security sensitive.  If you take a 
> GPLv3 web server (as an example) and it is built by your distributor against 
> the AGPL libdb version, the combined work is effectively AGPL, which means if 
> you use a local security fix on your web server, you've violated the terms 
> under which you've received the code.  Totally unsuitable.  It doesn't matter 
> if libdb supports network interaction or not.
> 

Clause 13 again:

"Notwithstanding any other provision of this License, if you modify
the Program, your modified version must prominently offer all users
interacting with it remotely through a computer network (if your version
supports such interaction) an opportunity to receive the Corresponding
Source of your version by providing access to the Corresponding Source
from a network server at no charge, through some standard or customary
means of facilitating copying of software."

First off, I think the AGPL is far too vague and fails at its goals of
assuring user freedom when interacting with software over the net. If the
goal was to make sure web apps like MediaGoblin and Wordpress weren't
turned into big commercial services without giving the code back to
the users, then specific clauses would have made a lot more sense. The
vagueness of the "interacting with it remotely through a computer network"
part is particulary frustrating and has led to the AGPL being a tool
for legal bludgeoning.

Given the scenario Scott brings up above, AGPL for a webserver would be
a disaster. Thus, any plumbing/libraries/etc. are really bad candidates
for AGPL. This rather subtle imbalance is why MongoDB being AGPL leads to
10gen being able to "shake down" commercial entities who use MongoDB. They
may have thought they were getting Free software, but suddenly they have
to start considering whether or not they have to provide the source for
whatever version of MongoDB they might be running. Legally one could make
an argument that their proprietary webapp is just acting as a proxy for
the users to interact with MongoDB.

I'm not saying that argument is right, and I am not a lawyer, but I do
know that lawyers hate vagueness for this exact reason.

I do think AGPL complies with all of the clauses of the DFSG. There is
very little difference in an AGPLv3 licensed library as a GPLv3 licensed
library. Before linking, one must always check the library license. If
we do let BDB 6.0 into Debian with its new AGPL license, it is on the
BDB maintainer(s) to file RC bugs in the reverse dependencies to help
maintainers avoid accidentally shipping AGPL licensed binaries that are
not in compliance with the AGPL.

Reply to:

Follow-Ups:
- Re: Berkeley DB 6.0 license change to AGPLv3
  - From: Scott Kitterman <debian@kitterman.com>
- Re: Berkeley DB 6.0 license change to AGPLv3
  - From: Russ Allbery <rra@debian.org>

References:
- Berkeley DB 6.0 license change to AGPLv3
  - From: Ondřej Surý <ondrej@sury.org>
- Re: Berkeley DB 6.0 license change to AGPLv3
  - From: Adam Borowski <kilobyte@angband.pl>
- Re: Berkeley DB 6.0 license change to AGPLv3
  - From: Bastian Blank <waldi@debian.org>
- Re: Berkeley DB 6.0 license change to AGPLv3
  - From: Scott Kitterman <debian@kitterman.com>

Prev by Date: Bug#715794: ITP: libclass-refresh-perl -- module for refreshing classes during runtime
Next by Date: Bug#715798: ITP: libreply-perl -- lightweight extensible Perl REPL
Previous by thread: Re: Berkeley DB 6.0 license change to AGPLv3
Next by thread: Re: Berkeley DB 6.0 license change to AGPLv3
Index(es):
- Date
- Thread