Draft: Graphviz summary
The discussion of the new Graphviz license sort of petered out, but
I think there is a widespread interest into reaching a conclusion.
Therefore, I'm trying to ferret out dissent by the ancient and
venerable tactic of asserting that a consensus exists:
*D R A F T*
Debian licence summary of the Common Public License version 1.0
It has been brought to the attention of the debian-legal mailing list
that the pupular graph rendering software Graphviz has been relicensed
under the [1] Common Public License. The general interest in having
Graphviz as a part of Debian have lead us to conduct a review of the
new license, even though such reviews normally take place only at the
request of a software author or prospective packager.
[1] http://graphviz.org/License.php
Conclusion:
Though the discussion on debian-legal has not been completely
conclusive, none of the proposed objections against the freedom of
the CPL have received widespread support. It is thus likely that
the ftpmasters would accept a package of the current upstream
Graphviz version into 'main'. (There is currently a package of a
Graphviz version prior to the relicensing in 'non-free').
CAVEAT:
The Debian project's decisions about the freedom of a piece of
software are not final in the sense that they cannot be reversed
later as a deeper understanding of the license and/or the Debian
Free Software Guidelines develops. Reevaluations do not happen on a
set schedule, but can be opened anytime someone notices a point
that has not been observed in the initial discussion. We consider
this to be an integrated part in the project's continued effort to
stay true to the principles laid down in our Social Contract.
Historically, the trend in our application of the DFSG has been
toward less tolerance of license requirements that could be
construed burdensome for the licensee. Though the current consensus
is based on the sincerely expressed opinions of the participants
in the discussion, upstream authors of CPL-licensed software should
be aware that it is conceivable that a later consensus will deem
the license not free.
This is, of course, the case whenever we decide that a license is
free, but we feel it appropriate to warn about it explicitly in
this case, because of the relative weakness of the consensus, and
also because the features of the license that attracted doubt do
not appear to be deliberately designed into the license.
The discussion of the license uncovered two possible problems with
it. As mentioned in conclusion, there is not any consensus that either
of the problems makes the software non-free, but they could
nevertheless be considered "bugs" in the license. We stongly encourage
upstream authors as well as IBM (the license drafter) to fix these
points in a future version of the software and/or the license, even if
the fixes are not currently considered necessary for inclusion in
Debian.
Problem 1:
Section 4 of the license contains, among other things:
| Therefore, if a Contributor includes the Program in a commercial
| product offering, such Contributor ("Commercial Contributor")
| hereby agrees to defend and indemnify every other Contributor
| ("Indemnified Contributor") against any losses, damages and costs
| (collectively "Losses") arising from claims, lawsuits and other
| legal actions brought by a third party against the Indemnified
| Contributor to the extent caused by the acts or omissions of such
| Commercial Contributor in connection with its distribution of the
| Program in a commercial product offering.
There is a fear that the literal application of this clause will
cause a commercial distributor (note that the license defines
"Contributor" as any distributor, even one that does not change
the program itself) to incur a completely open-ended liability
whose size he can do nothing to to control or limit in advance,
save for refraining to distribute the software at all.
For example, consider a Debian user who, in agitation over not
being able to get Graphviz to do what he wants, manages to spill
hot coffee over his body, gets severe burns, and sues AT&T for
$2.7e6 in damages. This suit will (hopefully) be thrown out of
court as frivolous, but AT&T would probably incur some legal costs
in the process of *having* it thrown out of court. However, the
accident would not have happened unless somebody had sold the user
a DVD with Debian (and Graphviz) on it, and in this way the suit
can be said to be "caused by the act" of distributing Graphviz
commercially to the user. A literal application of the
indemnification clause might therefore make the DVD distributor
liable for AT&T's legal expenses.
We can consider this clause free only because we cannot imagine
that any court would allow it to be enforced at the draconian
level implied by its verbatim meaning. In fact, we cannot imagine
a court enforcing it at all beyond the cases where the commercial
contributor could be held liable based on negligence, irrespective
of any additional contractual or license obligations to that
effect.
In summary, this can only be free because we believe it is a legal
no-op. If, later, a court precedent turns out to prove our belief
wrong, by upholding this or a similar clause in a case where there
is no negligence on the part of the identifier, we shall have to
henceforth consider all such clauses non-free and remove, for
example, Graphviz and Postfix (whose license contains identical
language) from Debian's 'main' section.
Problem 2:
Section 3 of the license contains this language, which also applies
to distribution of modified sources:
| When the Program is made available in source code form:
| a) it must be made available under this Agreement;
| [...]
Similar requirements are commonly found in other "copyleft"
licenses such as the GNU GPL, and generally considered to be
compatible with the DFSG. However, it becomes potentially
problematic in combination with this language from section 7:
| The Agreement Steward reserves the right to publish new versions
| (including revisions) of this Agreement from time to time. No one
| other than the Agreement Steward has the right to modify this
| Agreement. IBM is the initial Agreement Steward. IBM may assign
| the responsibility to serve as the Agreement Steward to a
| suitable separate entity. Each new version of the Agreement will
| be given a distinguishing version number. The Program (including
| Contributions) may always be distributed subject to the version
| of the Agreement under which it was received. In addition, after
| a new version of the Agreement is published, Contributor may
| elect to distribute the Program (including its Contributions)
| under the new version.
The result of this is that a programmer who wants to distribute a
version of the program that contains modifications authored by
himself must allow IBM to later publish a new version of the
license that gives somebody (or anybody) more rights than the
programmer himself had in the first place. This later version will
automatically and retroactively apply to the modifications. (For
example, the new version of the license might state that the
restrictions in section 3 and 4 do not apply to people who pay IBM
to be exempted. In this way the programmer's work would be turned
into a cash cow for IBM exclusively, which he probably will not be
happy with).
It is instructive to compare this to the situation with the GNU
GPL, which contains a superficially similar upgrade mechanism. A
programmer who releases his work under the GPL, "version 2 or, at
your option, any later version" runs a simiar risk that the Free
Software Foundation will later issue a new GPL which is more
permissive than the programmer would have accepted. The difference
is that the GPL never _requires_ anybody to license their work
under the "any later version" scheme. Even if a programmer bases
his work on code he got under "version 2 or later" he is permitted
to license his own modifications to it under a strictly "version 2"
license if he distrusts the FSF.
There is no consensus on debian-legal that the implied requirement
to let IBM retroactively sublicense modifications to the work is or
is not burdensome enough to consider the license non-free. After
all, most free software contributors seem to find it unproblematic
to contribute code under, e.g., "GPL, version 2 or later" terms.
However, it is reasonable to expect that the Graphviz authors did
not intend the license to work that way. We would suggest that they
at least amend their licensing notice with an explicit exemption
that would allow contributors to escape the upgrade mechanism if
they sufficiently distrust IBM.
(We do not mean to suggest that there is any reason to distrust IBM
in particular. As far as we are aware, the individuals currently in
charge of IBM's free software activities are perfectly honest and
well-meaning people who would never dream of betraying the trust
placed in them by the Graphviz authors by using the license they
manage. However, the legal power to issue revised license terms
rests not with those particular people, but with the legal entity
IBM, a publically held corporation. As a general rule such entities
can be expected to uphold moral, non-legal, commitments only for as
long as it is considered commercially beneficial, or as long as the
shareholders don't notice).
--
Henning Makholm "We can hope that this serious deficiency will be
remedied in the final version of BibTeX, 1.0, which is
expected to appear when the LaTeX 3.0 development is completed."
Reply to: