Re: AGPLv3 Compliance and Debian Users
* Howard Chu h...@symas.com [130712 03:51]: Indeed. If you're a dissident fighting your own government, then complying with a license that can only be enforced by a government agency is probably the least of your worries. Indeed. That's why every interpretation of the dissident test I've heard assumes you are a dissident that had to flee his country. If your new host country then has to forbid you earning money with the software you know best because you had to violate the license to not be caught back when you still were at home, then you are caught in the extreme situation constructed to make it easier to understand how ugly some harmless looking restriction can become. Bernhard R. Link -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/20130713234247.ga5...@client.brlink.eu
Re: AGPLv3 Compliance and Debian Users
On 2013-07-11 13:41:47 +, Jeremy T. Bouse wrote: My understanding though that if Debian is the one making the modification then Debian is the one responsible for making the source available. If the end user is then modifying the source then they would subsequently need to make those modifications available. Is rebuilding the software seen as a way of modifying the source? Indeed autoconf things and even system .h files can have an influence on how to interpret the original source. Say, the original source has: foo(); and you are not satisfied with that. You would like to patch the source to have: bar(); But this means that you would have to provide the new source, via a URL or whatever. Instead, you could modify some system .h file by adding: #define foo bar In such a way, you wouldn't have touched the original source. But you have modified its behavior just by recompiling it against a modified system. In a similar way, instead of modifying a .h file, one could use a compiler wrapper... -- Vincent Lefèvre vinc...@vinc17.net - Web: http://www.vinc17.net/ 100% accessible validated (X)HTML - Blog: http://www.vinc17.net/blog/ Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon) -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/20130712112635.gb16...@ioooi.vinc17.net
AGPLv3 Compliance and Debian Users
Hi, with the recent discussion about the AGPLv3 I am wondering what the implications for users of Debian packages are. Debian packages often contain modifications in the form of patches, since the Debian project is only a distributor it complies to the license by making available the sources of the package. However, as soon as I (as a Debian user) install such a package and that package consists of a network service with which others interact, I have to prominently offer my users a way to retrieve the source of the Debian package as well in order to comply with the terms of the AGPLv3. Now the problem is that Debian packages under the AGPLv3 do not do that by default and it is very easy for Debian users to accidentally violate the license terms, e.g. when installing a package of a AGPLv3 web application on a publicly accessible webserver. An example that recently came to my attention is Debian's owncloud package, there seems to be no configuration option to easily add a link to all pages, so in order to comply with the AGPLv3 I guess I would have to create my own theme that displays a link to the sources of the Debian package (probably hosting them on my own server) and to the sources of the theme itself. I think it might be surprising to most users that they cannot just install a distribution package but have to take such tedious extra steps in order to comply with the license and I do not think most are aware of that. Any thoughts on that? Lars -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/1373532344.16902.yahoomail...@web163806.mail.gq1.yahoo.com
Re: AGPLv3 Compliance and Debian Users
Lars Meyser lars.mey...@yahoo.com writes: An example that recently came to my attention is Debian's owncloud package, there seems to be no configuration option to easily add a link to all pages, so in order to comply with the AGPLv3 I guess I would have to create my own theme that displays a link to the sources of the Debian package (probably hosting them on my own server) and to the sources of the theme itself. I think it might be surprising to most users that they cannot just install a distribution package but have to take such tedious extra steps in order to comply with the license and I do not think most are aware of that. By default installing into a state that isn't compliant with the license seems like an obvious bug. You should file it in the BTS. -- Arto Jantunen -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/8738rllbal@kirika.int.wmdata.fi
Re: AGPLv3 Compliance and Debian Users
- Original Message - From: Arto Jantunen vi...@debian.org To: debian-devel@lists.debian.org debian-devel@lists.debian.org Cc: Sent: Thursday, July 11, 2013 11:02 AM Subject: Re: AGPLv3 Compliance and Debian Users ... By default installing into a state that isn't compliant with the license seems like an obvious bug. You should file it in the BTS. It is not that simple, Debian itself complies with the license and users installing the package comply with the license as long as the network-facing service is not accessible to other users. To stay with my example, I am in compliance with the AGPLv3 when I install and use the Debian owncloud package on my NAS but not when I install it on my publicly accessible webserver where other users interact with it. This is also my personal reading of the license, I would like to hear others opinions before I start filing bugs. Lars -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/1373535676.42287.yahoomail...@web163804.mail.gq1.yahoo.com
Re: AGPLv3 Compliance and Debian Users
On Thu, Jul 11, 2013 at 5:41 PM, Lars Meyser wrote: It is not that simple, Debian itself complies with the license and users installing the package comply with the license as long as the network-facing service is not accessible to other users. To stay with my example, I am in compliance with the AGPLv3 when I install and use the Debian owncloud package on my NAS but not when I install it on my publicly accessible webserver where other users interact with it. In both situations you are still in compliance with the license. This is also my personal reading of the license, I would like to hear others opinions before I start filing bugs. Perhaps you missed if you modify the Program in item 13. Remote Network Interaction; of the AGPL? -- bye, pabs http://wiki.debian.org/PaulWise -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/CAKTje6EDJtRg3rsqNW6zsmS=VWM=VGBMyA_msbFQXB5V4=a=j...@mail.gmail.com
Re: AGPLv3 Compliance and Debian Users
Hi, Am Donnerstag, den 11.07.2013, 17:48 +0800 schrieb Paul Wise: On Thu, Jul 11, 2013 at 5:41 PM, Lars Meyser wrote: This is also my personal reading of the license, I would like to hear others opinions before I start filing bugs. Perhaps you missed if you modify the Program in item 13. Remote Network Interaction; of the AGPL? nevertheless it would be good if AGPL programs in general, and especially as packaged in Debian, would simply also install a tarball of the (patched) sources and have a download link in the program, so that the user has do not worry about this at all. Greetings, Joachim -- Joachim nomeata Breitner Debian Developer nome...@debian.org | ICQ# 74513189 | GPG-Keyid: 4743206C JID: nome...@joachim-breitner.de | http://people.debian.org/~nomeata signature.asc Description: This is a digitally signed message part
Re: AGPLv3 Compliance and Debian Users
- Original Message - From: Paul Wise p...@debian.org To: debian-devel@lists.debian.org Cc: Sent: Thursday, July 11, 2013 11:48 AM Subject: Re: AGPLv3 Compliance and Debian Users On Thu, Jul 11, 2013 at 5:41 PM, Lars Meyser wrote: It is not that simple, Debian itself complies with the license and users installing the package comply with the license as long as the network-facing service is not accessible to other users. To stay with my example, I am in compliance with the AGPLv3 when I install and use the Debian owncloud package on my NAS but not when I install it on my publicly accessible webserver where other users interact with it. In both situations you are still in compliance with the license. This is also my personal reading of the license, I would like to hear others opinions before I start filing bugs. Perhaps you missed if you modify the Program in item 13. Remote Network Interaction; of the AGPL? No I did not miss that, but I'm not entirely sure of the implications. So if I use a packaged version of a program which has been modified (e.g. by Debian patches) I am not obliged to make the source available? Lars -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/1373538597.87225.yahoomail...@web163805.mail.gq1.yahoo.com
Re: AGPLv3 Compliance and Debian Users
On Thu, Jul 11, 2013 at 6:29 PM, Lars Meyser wrote: No I did not miss that, but I'm not entirely sure of the implications. So if I use a packaged version of a program which has been modified (e.g. by Debian patches) I am not obliged to make the source available? I'm no expert but that would be my interpretation. Also when I asked about the basis of the network part of the AGPL during the GPLv3 talk at DebConf10 in NYC, Bradley said the AGPL was specifically based on modification, _not_ on public performance or other use. -- bye, pabs http://wiki.debian.org/PaulWise -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/CAKTje6EBzya+EVws=obbyxH8BU=2nfgro5wiqxx9htrup6c...@mail.gmail.com
Re: AGPLv3 Compliance and Debian Users
On 07/11/2013 14:15, Paul Wise wrote: On Thu, Jul 11, 2013 at 6:29 PM, Lars Meyser wrote: No I did not miss that, but I'm not entirely sure of the implications. So if I use a packaged version of a program which has been modified (e.g. by Debian patches) I am not obliged to make the source available? I'm no expert but that would be my interpretation. Also when I asked about the basis of the network part of the AGPL during the GPLv3 talk at DebConf10 in NYC, Bradley said the AGPL was specifically based on modification, _not_ on public performance or other use. You have to make the source available in this case. Otherwise it would be a trivial way around the AGPL (just have a third party modify the program and give it to you). Section 13 (Remote Network Interaction) requires modified version to offer access to the source. If you modify the software, but do not provide this, you violate this license requirement and lose the right to modify and distribute the covered work under section 8 (Termination). And with open source software you often deal with modified versions, so claiming this is a special case ([...] was specifically based on modification, _not_ on public performance or other use) seems a bit odd to me. Anyway, this discussion seems more appropriate for -legal than -devel. CC'ed and set Reply-To accordingly. Ansgar -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/51deaf47.4020...@debian.org
Re: AGPLv3 Compliance and Debian Users
On Thu, Jul 11, 2013 at 03:12:39PM +0200, Ansgar Burchardt wrote: I'm no expert but that would be my interpretation. Also when I asked about the basis of the network part of the AGPL during the GPLv3 talk at DebConf10 in NYC, Bradley said the AGPL was specifically based on modification, _not_ on public performance or other use. You have to make the source available in this case. Otherwise it would be a trivial way around the AGPL (just have a third party modify the program and give it to you). Co-author of AGPLv3 here, including the section at issue. You do not have to make the source available in this case, in general. In unusual cases of circumvention, like what I believe you are suggesting, the answer might arguably be different, but in the context of ordinary Linux distributions, when a user gets AGPLv3-licensed software that the *distro* has modified, that software is *unmodified* from the standpoint of that user downstream from the distro and therefore the user needs to do something to trigger the section 13 requirement. Otherwise you have to explain why modification was made to be the trigger. If the modified/unmodified distinction was meant to be meaningless, section 13 would have been drafted not to make any reference to modification. Indeed, other Affero-like licenses typically are broader than AGPLv3 in the sense that they work by redefinition of 'distribution' and thus are not limited to cases where the user has modified the software. This approach was specifically rejected when AGPLv3 was being drafted. Section 13 (Remote Network Interaction) requires modified version to offer access to the source. If you modify the software, but do not provide this, you violate this license requirement and lose the right to modify and distribute the covered work under section 8 (Termination). And with open source software you often deal with modified versions, so claiming this is a special case ([...] was specifically based on modification, _not_ on public performance or other use) seems a bit odd to me. That's another issue, what does it take for the software to be 'modified' for purposes of that section, and you rightly call attention to it. But to say that the package *as received from the distro* triggers section 13 *inherently* is inconsistent with the language of section 13 and the intent of the drafters. - RF -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/20130711135511.ga19...@redhat.com
Re: AGPLv3 Compliance and Debian Users
On 11.07.2013 09:12, Ansgar Burchardt wrote: On 07/11/2013 14:15, Paul Wise wrote: On Thu, Jul 11, 2013 at 6:29 PM, Lars Meyser wrote: No I did not miss that, but I'm not entirely sure of the implications. So if I use a packaged version of a program which has been modified (e.g. by Debian patches) I am not obliged to make the source available? I'm no expert but that would be my interpretation. Also when I asked about the basis of the network part of the AGPL during the GPLv3 talk at DebConf10 in NYC, Bradley said the AGPL was specifically based on modification, _not_ on public performance or other use. You have to make the source available in this case. Otherwise it would be a trivial way around the AGPL (just have a third party modify the program and give it to you). Section 13 (Remote Network Interaction) requires modified version to offer access to the source. If you modify the software, but do not provide this, you violate this license requirement and lose the right to modify and distribute the covered work under section 8 (Termination). And with open source software you often deal with modified versions, so claiming this is a special case ([...] was specifically based on modification, _not_ on public performance or other use) seems a bit odd to me. Anyway, this discussion seems more appropriate for -legal than -devel. CC'ed and set Reply-To accordingly. Ansgar My understanding though that if Debian is the one making the modification then Debian is the one responsible for making the source available. If the end user is then modifying the source then they would subsequently need to make those modifications available. I would find having the Debian package install a tarball that could be linked to and downloadable from the end user to be unnecessary duplication if all that would be needed would be a link then why not just have that link point to the source on the Debian mirror. If the end user then makes modification it's upon them, not Debian, to ensure they are compliant with the license agreement. -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/013fcdf7594e-d6170b4e-37ad-4890-80ce-afc056bd909d-000...@email.amazonses.com
Re: AGPLv3 Compliance and Debian Users
Hi, On Donnerstag, 11. Juli 2013, Jeremy T. Bouse wrote: My understanding though that if Debian is the one making the modification then Debian is the one responsible for making the source available. I think this is done already, since roughly 20 years, have a look at ftp.debian.org cheers, Holger signature.asc Description: This is a digitally signed message part.
Re: AGPLv3 Compliance and Debian Users
Hi, Am Donnerstag, den 11.07.2013, 13:41 + schrieb Jeremy T. Bouse: I would find having the Debian package install a tarball that could be linked to and downloadable from the end user to be unnecessary duplication if all that would be needed would be a link then why not just have that link point to the source on the Debian mirror. the question is: Does Debian guarantee (or at least promise) to provide the sources for a sufficient amount of time _in the required version_?I guess with http://snapshot.debian.org/ we do (and having AGPL software in Debian include a link to there would already be very nice), but having the source shipped with the package itself would solve a this problems more elegantly, and would also work in a lonely-island-setting. Greetings, Joachim -- Joachim nomeata Breitner Debian Developer nome...@debian.org | ICQ# 74513189 | GPG-Keyid: 4743206C JID: nome...@joachim-breitner.de | http://people.debian.org/~nomeata signature.asc Description: This is a digitally signed message part
Re: AGPLv3 Compliance and Debian Users
On Thursday, July 11, 2013 12:26:47 PM Joachim Breitner wrote: Hi, Am Donnerstag, den 11.07.2013, 17:48 +0800 schrieb Paul Wise: On Thu, Jul 11, 2013 at 5:41 PM, Lars Meyser wrote: This is also my personal reading of the license, I would like to hear others opinions before I start filing bugs. Perhaps you missed if you modify the Program in item 13. Remote Network Interaction; of the AGPL? nevertheless it would be good if AGPL programs in general, and especially as packaged in Debian, would simply also install a tarball of the (patched) sources and have a download link in the program, so that the user has do not worry about this at all. The trick here is it's not just packages explicitly licensed with the AGPL that are affected. It's also packages that have an AGPL compatible license that link against anything that's an AGPL library (the specific reason libdb is an issue), so if we end up with AGPL libraries, this could be widespread. Scott K signature.asc Description: This is a digitally signed message part.
Re: AGPLv3 Compliance and Debian Users
Excerpts from Richard Fontana's message of 2013-07-11 06:55:12 -0700: On Thu, Jul 11, 2013 at 03:12:39PM +0200, Ansgar Burchardt wrote: I'm no expert but that would be my interpretation. Also when I asked about the basis of the network part of the AGPL during the GPLv3 talk at DebConf10 in NYC, Bradley said the AGPL was specifically based on modification, _not_ on public performance or other use. You have to make the source available in this case. Otherwise it would be a trivial way around the AGPL (just have a third party modify the program and give it to you). Co-author of AGPLv3 here, including the section at issue. You do not have to make the source available in this case, in general. In unusual cases of circumvention, like what I believe you are suggesting, the answer might arguably be different, but in the context of ordinary Linux distributions, when a user gets AGPLv3-licensed software that the *distro* has modified, that software is *unmodified* from the standpoint of that user downstream from the distro and therefore the user needs to do something to trigger the section 13 requirement. Otherwise you have to explain why modification was made to be the trigger. If the modified/unmodified distinction was meant to be meaningless, section 13 would have been drafted not to make any reference to modification. Indeed, other Affero-like licenses typically are broader than AGPLv3 in the sense that they work by redefinition of 'distribution' and thus are not limited to cases where the user has modified the software. This approach was specifically rejected when AGPLv3 was being drafted. So are you suggesting that the AGPL's protections against commercial takeover are basically moot? How would the AGPL be applied in this scenario: Company A starts a business based on unmodified MediaGoblin. They hire a firm, Consultants-R-Us, to manage their MediaGoblin code base and develop a new new video encoder. Their contract with Consultants-R-Us keeps ownership of all code in Consultants-R-Us name, and C-R-U simply gives a tarball to Company A which they then use to serve users. Can we honestly say that Company A modified the software? If not, then what is the point of the AGPL? To protect C-R-U? I am not suggesting that this is absolutely not modification by Company A. However, to a non-lawyer like me, it sure _looks_ like a big hole. -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/1373555743-sup-3...@fewbar.com
Re: AGPLv3 Compliance and Debian Users
On Thu, Jul 11, 2013 at 08:27:31AM -0700, Clint Byrum wrote: Excerpts from Richard Fontana's message of 2013-07-11 06:55:12 -0700: On Thu, Jul 11, 2013 at 03:12:39PM +0200, Ansgar Burchardt wrote: I'm no expert but that would be my interpretation. Also when I asked about the basis of the network part of the AGPL during the GPLv3 talk at DebConf10 in NYC, Bradley said the AGPL was specifically based on modification, _not_ on public performance or other use. You have to make the source available in this case. Otherwise it would be a trivial way around the AGPL (just have a third party modify the program and give it to you). Co-author of AGPLv3 here, including the section at issue. You do not have to make the source available in this case, in general. In unusual cases of circumvention, like what I believe you are suggesting, the answer might arguably be different, but in the context of ordinary Linux distributions, when a user gets AGPLv3-licensed software that the *distro* has modified, that software is *unmodified* from the standpoint of that user downstream from the distro and therefore the user needs to do something to trigger the section 13 requirement. Otherwise you have to explain why modification was made to be the trigger. If the modified/unmodified distinction was meant to be meaningless, section 13 would have been drafted not to make any reference to modification. Indeed, other Affero-like licenses typically are broader than AGPLv3 in the sense that they work by redefinition of 'distribution' and thus are not limited to cases where the user has modified the software. This approach was specifically rejected when AGPLv3 was being drafted. So are you suggesting that the AGPL's protections against commercial takeover are basically moot? No. The main problem I have been seeing is in the opposite direction: overbroad interpretations of AGPLv3, one of the reasons I am chiming in here. It is the tendency to overbreadth that is tragic. How would the AGPL be applied in this scenario: Company A starts a business based on unmodified MediaGoblin. They hire a firm, Consultants-R-Us, to manage their MediaGoblin code base and develop a new new video encoder. Their contract with Consultants-R-Us keeps ownership of all code in Consultants-R-Us name, and C-R-U simply gives a tarball to Company A which they then use to serve users. Can we honestly say that Company A modified the software? Possibly, in that case -- but that's entirely different from the distro packaging scenario. If not, then what is the point of the AGPL? To protect C-R-U? I am not suggesting that this is absolutely not modification by Company A. However, to a non-lawyer like me, it sure _looks_ like a big hole. Just a general comment which I think is important to say: The GPL/AGPL licenses were not designed to be guaranteed to eliminate all possible creative loopholes. They *can't*. I don't recall anyone raising your hypothetical during the (relatively quiet) drafting of AGPLv3 but for GPLv3, although the specifics elude me at the moment, I recall many people, usually developers or technical users, having raised parade-of-horribles hypotheticals that belonged to this general category (essentially, a kind of conspiracy in a licensing chain to evade the requirements of the license, often by splitting 'you' into more than one licensee). The FSF's view was essentially that reasonable legal systems would likely treat such things as copyright infringement, without the license text having to spell it out. I think this was consistent with some of what the FSF had said in the past regarding interpretation of GPLv2. - RF -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/20130711174500.ga22...@redhat.com
Re: AGPLv3 Compliance and Debian Users
Excerpts from Richard Fontana's message of 2013-07-11 10:45:00 -0700: On Thu, Jul 11, 2013 at 08:27:31AM -0700, Clint Byrum wrote: Excerpts from Richard Fontana's message of 2013-07-11 06:55:12 -0700: On Thu, Jul 11, 2013 at 03:12:39PM +0200, Ansgar Burchardt wrote: I'm no expert but that would be my interpretation. Also when I asked about the basis of the network part of the AGPL during the GPLv3 talk at DebConf10 in NYC, Bradley said the AGPL was specifically based on modification, _not_ on public performance or other use. You have to make the source available in this case. Otherwise it would be a trivial way around the AGPL (just have a third party modify the program and give it to you). Co-author of AGPLv3 here, including the section at issue. You do not have to make the source available in this case, in general. In unusual cases of circumvention, like what I believe you are suggesting, the answer might arguably be different, but in the context of ordinary Linux distributions, when a user gets AGPLv3-licensed software that the *distro* has modified, that software is *unmodified* from the standpoint of that user downstream from the distro and therefore the user needs to do something to trigger the section 13 requirement. Otherwise you have to explain why modification was made to be the trigger. If the modified/unmodified distinction was meant to be meaningless, section 13 would have been drafted not to make any reference to modification. Indeed, other Affero-like licenses typically are broader than AGPLv3 in the sense that they work by redefinition of 'distribution' and thus are not limited to cases where the user has modified the software. This approach was specifically rejected when AGPLv3 was being drafted. So are you suggesting that the AGPL's protections against commercial takeover are basically moot? No. The main problem I have been seeing is in the opposite direction: overbroad interpretations of AGPLv3, one of the reasons I am chiming in here. It is the tendency to overbreadth that is tragic. How would the AGPL be applied in this scenario: Company A starts a business based on unmodified MediaGoblin. They hire a firm, Consultants-R-Us, to manage their MediaGoblin code base and develop a new new video encoder. Their contract with Consultants-R-Us keeps ownership of all code in Consultants-R-Us name, and C-R-U simply gives a tarball to Company A which they then use to serve users. Can we honestly say that Company A modified the software? Possibly, in that case -- but that's entirely different from the distro packaging scenario. Right, I want to understand AGPL's motivations is all. If not, then what is the point of the AGPL? To protect C-R-U? I am not suggesting that this is absolutely not modification by Company A. However, to a non-lawyer like me, it sure _looks_ like a big hole. Just a general comment which I think is important to say: The GPL/AGPL licenses were not designed to be guaranteed to eliminate all possible creative loopholes. They *can't*. I don't recall anyone raising your hypothetical during the (relatively quiet) drafting of AGPLv3 but for GPLv3, although the specifics elude me at the moment, I recall many people, usually developers or technical users, having raised parade-of-horribles hypotheticals that belonged to this general category (essentially, a kind of conspiracy in a licensing chain to evade the requirements of the license, often by splitting 'you' into more than one licensee). The FSF's view was essentially that reasonable legal systems would likely treat such things as copyright infringement, without the license text having to spell it out. I think this was consistent with some of what the FSF had said in the past regarding interpretation of GPLv2. I don't think this is all that horrible. The sustainable model that the GPL supports is exactly this. Instead of bilking people for license fees you charge for your time in customizing, and provide them with a license that gives them and you total freedom with the code going forward. I think it is a likely reality that a company or individual will build a business on customizing AGPL code that nobody, including that code's users, will ever know about or see. It would not, in my mind, be copyright infringement as they'd be complying fully with the license terms. So my point isn't oh look the whole thing is invalid. My point is that this loophole seems rather large. -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/1373568129-sup-5...@fewbar.com
Re: AGPLv3 Compliance and Debian Users
Clint Byrum wrote: Excerpts from Richard Fontana's message of 2013-07-11 10:45:00 -0700: On Thu, Jul 11, 2013 at 08:27:31AM -0700, Clint Byrum wrote: Excerpts from Richard Fontana's message of 2013-07-11 06:55:12 -0700: On Thu, Jul 11, 2013 at 03:12:39PM +0200, Ansgar Burchardt wrote: I'm no expert but that would be my interpretation. Also when I asked about the basis of the network part of the AGPL during the GPLv3 talk at DebConf10 in NYC, Bradley said the AGPL was specifically based on modification, _not_ on public performance or other use. You have to make the source available in this case. Otherwise it would be a trivial way around the AGPL (just have a third party modify the program and give it to you). Co-author of AGPLv3 here, including the section at issue. You do not have to make the source available in this case, in general. In unusual cases of circumvention, like what I believe you are suggesting, the answer might arguably be different, but in the context of ordinary Linux distributions, when a user gets AGPLv3-licensed software that the *distro* has modified, that software is *unmodified* from the standpoint of that user downstream from the distro and therefore the user needs to do something to trigger the section 13 requirement. Otherwise you have to explain why modification was made to be the trigger. If the modified/unmodified distinction was meant to be meaningless, section 13 would have been drafted not to make any reference to modification. Indeed, other Affero-like licenses typically are broader than AGPLv3 in the sense that they work by redefinition of 'distribution' and thus are not limited to cases where the user has modified the software. This approach was specifically rejected when AGPLv3 was being drafted. So are you suggesting that the AGPL's protections against commercial takeover are basically moot? No. The main problem I have been seeing is in the opposite direction: overbroad interpretations of AGPLv3, one of the reasons I am chiming in here. It is the tendency to overbreadth that is tragic. How would the AGPL be applied in this scenario: Company A starts a business based on unmodified MediaGoblin. They hire a firm, Consultants-R-Us, to manage their MediaGoblin code base and develop a new new video encoder. Their contract with Consultants-R-Us keeps ownership of all code in Consultants-R-Us name, and C-R-U simply gives a tarball to Company A which they then use to serve users. Can we honestly say that Company A modified the software? Possibly, in that case -- but that's entirely different from the distro packaging scenario. Right, I want to understand AGPL's motivations is all. I used to put similar terms on my code, back before the GPL existed. Essentially: If you modify this code, you must send your modifications back to me (the original author). The motivation is that if you fixed a bug or improved the code, you should make your improvements available to me, and I subsequently make them available to the user base at large in my next release. I don't consider this a terrible restriction - if you're using my code that you got for free, and are deriving value from it, and find a way to make it better, I think you owe it to everyone to release your improvement freely as well. If not, then what is the point of the AGPL? To protect C-R-U? I am not suggesting that this is absolutely not modification by Company A. However, to a non-lawyer like me, it sure _looks_ like a big hole. I don't see any hole. If C-R-U did the modifications then they are obligated to publish the source code, by virtue of the fact that giving the modified code to Company A is distributing it. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/ -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/51df0553.8080...@symas.com
Re: AGPLv3 Compliance and Debian Users
On Thu, Jul 11, 2013 at 12:19:47PM -0700, Howard Chu wrote: Right, I want to understand AGPL's motivations is all. I used to put similar terms on my code, back before the GPL existed. Essentially: If you modify this code, you must send your modifications back to me (the original author). The motivation is that if you fixed a bug or improved the code, you should make your improvements available to me, and I subsequently make them available to the user base at large in my next release. I don't consider this a terrible restriction - if you're using my Sure, but that doesn't make it DFSG free (hint: it's likely not)[1][2] [1]: The Dissident test [2]: The Desert Island test -- .''`. Paul Tagliamonte paul...@debian.org : :' : Proud Debian Developer `. `'` 4096R / 8F04 9AD8 2C92 066C 7352 D28A 7B58 5B30 807C 2A87 `- http://people.debian.org/~paultag signature.asc Description: Digital signature
Re: AGPLv3 Compliance and Debian Users
Paul Tagliamonte wrote: On Thu, Jul 11, 2013 at 12:19:47PM -0700, Howard Chu wrote: Right, I want to understand AGPL's motivations is all. I used to put similar terms on my code, back before the GPL existed. Essentially: If you modify this code, you must send your modifications back to me (the original author). The motivation is that if you fixed a bug or improved the code, you should make your improvements available to me, and I subsequently make them available to the user base at large in my next release. I don't consider this a terrible restriction - if you're using my Sure, but that doesn't make it DFSG free (hint: it's likely not)[1][2] [1]: The Dissident test [2]: The Desert Island test Sure, but #2 is stupid. We didn't say must send changes back immediately. Nor would we wish any such thing; if you're in the middle of making a long series of changes we obviously want to wait until the changes are completed and have settled down. Otherwise someone could make a case that the changes should be sent back the instant they are written, one keystroke at a time, which is ludicrous. Send changes back in a timely manner. You obtained the software somehow; therefore at some point in time a distribution channel was available to you. The next time such channel is available, send your changes back. If you're stuck on a desert island and die before such channel reopens, no one's going to sue you. I'd say #1 is borderline stupid. It is worded such that it only applies to hiding existence of a system from the government. Fair enough; I'm not the government. I've accepted many patches from anonymous senders for various code (see http://rtmpdump.mplayerhq.hu/ for example: RTMP Dump v2.4 (C) 2009 Andrej Stepanchuk (C) 2009-2011 Howard Chu (C) 2010 2a665470ced7adb7156fcef47f8199a6371c117b8a79e399a2771e0b36384090 (C) 2011 33ae1ce77301f4b4494faaa5f609f3c48b9dcf82 License: GPLv2 librtmp license: LGPLv2.1 http://rtmpdump.mplayerhq.hu/ -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/ -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/51df0d1d@symas.com
Re: AGPLv3 Compliance and Debian Users
]] Howard Chu [...] If not, then what is the point of the AGPL? To protect C-R-U? I am not suggesting that this is absolutely not modification by Company A. However, to a non-lawyer like me, it sure _looks_ like a big hole. I don't see any hole. If C-R-U did the modifications then they are obligated to publish the source code, by virtue of the fact that giving the modified code to Company A is distributing it. They're only obliged to give the source to the people they distribute the binaries to, or who accesses the system over a network, as I understnad it? So Company A gets the source from C-R-U under those terms and uses what they got, unmodified, from «upstream» and as I understand this subthread, they're under no obligation to then publish the source? -- Tollef Fog Heen UNIX is user friendly, it's just picky about who its friends are -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/87ppuolt19@xoog.err.no
Re: AGPLv3 Compliance and Debian Users
On Thu, Jul 11, 2013 at 12:53:01PM -0700, Howard Chu wrote: Sure, but that doesn't make it DFSG free (hint: it's likely not)[1][2] [1]: The Dissident test [2]: The Desert Island test Sure, but #2 is stupid. We didn't say must send changes back immediately. Nor would we wish any such thing; if you're in the middle of making a long series of changes we obviously want to wait until the changes are completed and have settled down. Otherwise someone could make a case that the changes should be sent back the instant they are written, one keystroke at a time, which is ludicrous. Send changes back in a timely manner. You obtained the software somehow; therefore at some point in time a distribution channel was available to you. The next time such channel is available, send your changes back. If you're stuck on a desert island and die before such channel reopens, no one's going to sue you. I'd say #1 is borderline stupid. It is worded such that it only applies to hiding existence of a system from the government. Fair enough; I'm not the government. That's not the point. The purpose of the Dissident Test is to demonstrate that distribution channels for software are not necessarily symmetric; it may be very easy for you to distribute the software, but very hard/expensive/dangerous for a recipient to distribute their modifications back to you. In the specific case of the Dissident Test, the unreasonable cost of returning the changes upstream - as opposed to distributing them to whoever you happen to be distributing binaries to (possibly no one) - is that sending those communications back may give hostile authorities information you don't want them to have, such as your location, details about the software you're modifying, or even simply the fact that you're doing something that you care about encrypting to keep them from prying. Even if you aren't otherwise doing anything the government disapproves of, the mere act of sending these changes upstream might get you labelled a spy. This is one example of why Debian says it's ok for a license to require modifications to be distributed to your downstreams, but not ok to require those changes be sent to a particular party. Users should not have to choose between complying with the license and being safe from their government; they should be *free* to exercise their rights on the code in Debian, even when they aren't free in other aspects of their lives that we don't have control over. -- Steve Langasek Give me a lever long enough and a Free OS Debian Developer to set it on, and I can move the world. Ubuntu Developerhttp://www.debian.org/ slanga...@ubuntu.com vor...@debian.org signature.asc Description: Digital signature
Re: AGPLv3 Compliance and Debian Users
Steve Langasek wrote: On Thu, Jul 11, 2013 at 12:53:01PM -0700, Howard Chu wrote: Sure, but that doesn't make it DFSG free (hint: it's likely not)[1][2] [1]: The Dissident test [2]: The Desert Island test Sure, but #2 is stupid. We didn't say must send changes back immediately. Nor would we wish any such thing; if you're in the middle of making a long series of changes we obviously want to wait until the changes are completed and have settled down. Otherwise someone could make a case that the changes should be sent back the instant they are written, one keystroke at a time, which is ludicrous. Send changes back in a timely manner. You obtained the software somehow; therefore at some point in time a distribution channel was available to you. The next time such channel is available, send your changes back. If you're stuck on a desert island and die before such channel reopens, no one's going to sue you. I'd say #1 is borderline stupid. It is worded such that it only applies to hiding existence of a system from the government. Fair enough; I'm not the government. That's not the point. The purpose of the Dissident Test is to demonstrate that distribution channels for software are not necessarily symmetric; it may be very easy for you to distribute the software, but very hard/expensive/dangerous for a recipient to distribute their modifications back to you. In the specific case of the Dissident Test, the unreasonable cost of returning the changes upstream - as opposed to distributing them to whoever you happen to be distributing binaries to (possibly no one) - is that sending those communications back may give hostile authorities information you don't want them to have, such as your location, details about the software you're modifying, or even simply the fact that you're doing something that you care about encrypting to keep them from prying. Even if you aren't otherwise doing anything the government disapproves of, the mere act of sending these changes upstream might get you labelled a spy. This is still an unreasonable test. Again, it ignores the element of time. Send your changes at your earliest convenience. If the NSA is breathing down your neck, convenience might be a long time away, but that's understandable. This is one example of why Debian says it's ok for a license to require modifications to be distributed to your downstreams, but not ok to require those changes be sent to a particular party. Users should not have to choose between complying with the license and being safe from their government; they should be *free* to exercise their rights on the code in Debian, even when they aren't free in other aspects of their lives that we don't have control over. Freedom always has a price. The price of benefiting from free software should be that you help others benefit from it too. Absolving recipients of all such responsibility merely encourages parasites. Progress happens faster when everyone pitches in, there shouldn't be just a few people creating and everyone else tagging along for the ride. Even here http://people.debian.org/~bap/dfsg-faq.html 12.A.k This freedom is one of the most important driving factors for progress in computing---and we like progress. That sentence is not talking about this particular point but the underlying concept remains - the goal for all of this is to encourage progress, not hinder it. Hoarding improvements to yourself hinders progress for society as a whole. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/ -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/51df3f52.9030...@symas.com
Re: AGPLv3 Compliance and Debian Users
On Thu, Jul 11, 2013 at 04:27:14PM -0700, Howard Chu wrote: That's not the point. The purpose of the Dissident Test is to demonstrate that distribution channels for software are not necessarily symmetric; it may be very easy for you to distribute the software, but very hard/expensive/dangerous for a recipient to distribute their modifications back to you. In the specific case of the Dissident Test, the unreasonable cost of returning the changes upstream - as opposed to distributing them to whoever you happen to be distributing binaries to (possibly no one) - is that sending those communications back may give hostile authorities information you don't want them to have, such as your location, details about the software you're modifying, or even simply the fact that you're doing something that you care about encrypting to keep them from prying. Even if you aren't otherwise doing anything the government disapproves of, the mere act of sending these changes upstream might get you labelled a spy. This is still an unreasonable test. Again, it ignores the element of time. Send your changes at your earliest convenience. If the NSA is breathing down your neck, convenience might be a long time away, but that's understandable. It ignores the element of time because the licenses this test was constructed in response to don't *allow* the user to do so. There is no common sense at your convenience rule baked into the law; if the licensor means that this should be done at the modifier's convenience, they should be spelling that out in the license - with the understanding that the licensor and licensee may not agree on what is convenient, and that it may *never* be convenient from the licensee's POV. Let's not forget that Al Capone was convicted not for murder, racketeering, or bootlegging, but for tax evasion; and that the US tax code specifies where on your tax form you are required to report income from the sale of illegal drugs. It would be ironic for a dissident to evade capture and prosecution for years, only to finally be brought up on charges of criminal copyright infringement (with or without the consent of the copyright holder!) for failing to submit their changes upstream while operating clandestinely. This is one example of why Debian says it's ok for a license to require modifications to be distributed to your downstreams, but not ok to require those changes be sent to a particular party. Users should not have to choose between complying with the license and being safe from their government; they should be *free* to exercise their rights on the code in Debian, even when they aren't free in other aspects of their lives that we don't have control over. Freedom always has a price. The price of benefiting from free software should be that you help others benefit from it too. That's your position. That's not the Debian position. We *encourage* those who benefit from free software to give back; but we decided early on as a project that *requiring* people to give back was a higher price than we were willing to accept. Even here http://people.debian.org/~bap/dfsg-faq.html As that URL suggests, this is not an official statement of the Debian project, it's a document maintained by one individual Debian developer. -- Steve Langasek Give me a lever long enough and a Free OS Debian Developer to set it on, and I can move the world. Ubuntu Developerhttp://www.debian.org/ slanga...@ubuntu.com vor...@debian.org signature.asc Description: Digital signature
Re: AGPLv3 Compliance and Debian Users
Steve Langasek wrote: Let's not forget that Al Capone was convicted not for murder, racketeering, or bootlegging, but for tax evasion; and that the US tax code specifies where on your tax form you are required to report income from the sale of illegal drugs. It would be ironic for a dissident to evade capture and prosecution for years, only to finally be brought up on charges of criminal copyright infringement (with or without the consent of the copyright holder!) for failing to submit their changes upstream while operating clandestinely. Indeed. If you're a dissident fighting your own government, then complying with a license that can only be enforced by a government agency is probably the least of your worries. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/ -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/51df60f3.10...@symas.com