I'm the author of an AGPLv3+ perl module to which I'm considering applying a licence exception (an `Additional Permission'). (I have consulted the other copyrightholder and have their go-ahead.)
I'd welcome opinions about whether this is a good idea, and any considerations I may have overlooked. (I'm *not* interested in opinions about whether the intent of the AGPL is a good idea, or whether the AGPLv3 is a good implementation.) Thanks, Ian. Background and my objective --------------------------- The module is CGI::Auth::Flexible. It provides login form handling for Perl CGI programs. It's not in Debian (yet). (I will call it CAF from now on.) With the current AGPLv3 licence, someone who deploys a modified CAF must make available their whole web application to all callers. This means that it is not possible to deploy a completely private web application using CAF. I don't think this is desirable. My intention in using the AGPLv3 is not to force everyone to publish their source code outside their user community. To put it another way: I want to flatten the power relationship between a website's users and its operators. But it is not my aim to undo the power imbalance between a website's authorised users and other people on the internet. Indeed such an objective would be bizarre for a module whose function is to enforce access control! I do want to try to make it possible for authorised users of a website, who don't like the decisions made by its operator, to set up an instance of their own, with modifications to their own taste. So what I think I want is this: * People who interact _only_ with the login form, ie only with CAF do not need to have access to the source code. * People who can log in, can get the complete source code for the whole system. (This includes parts which implement interfaces which they are not authorised to use. So for example, administrative interfaces which are available only to the operator of a particular instance.) * If a website has some kind of automatic signup process I don't care very much whether users engaging in the signup process are covered by the AGPLv3+. It is good if they are, but in practice any user who gets an account will be benefit from the AGPLv3+ at that point. Legal implementation -------------------- If CAF is the only AGPLv3 part of the system, then AGPLv3 s13 does not apply unless the operators modify CAF. (However, it would be foolish to deploy a website without the legal ability to modify the login form code!) Logging in is clearly "interaction" with CAF, so unless I grant an additional permission, s13 applies to non-users. If there are other AGPLv3 parts of the program, then interactions with them by logged-in users trigger s13. This is desirable. Is it possible for me to arrange that interaction with CAF itself does not count as interaction with "the Program" for the purposes of the AGPLv3 licence on those other parts ? If not then I would have to encourage other authors of AGPLv3'd programs to adopt my licence exception. Versioning and updates ---------------------- It seems to me that this licence exception is fiddly and may need to be updated. So I am considering something like: This program is free software: you can redistribute it and/or modify it under the terms of the GNU Affero General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version, with the "CAF Login Exception" as published by Ian Jackson (version 1, or at your option any later version) as an Additional Permission. Is something like this a good idea ? I would prefer not to have to mention myself here. I would prefer to name an organisation (because of (a) bus factor and (b) credibility). I would probably consider Conservancy or SPI. My first attempt at wording --------------------------- CAF Login Exception (version 1) To avoid forcing users to make the source code of their whole application available to non-users, I (Ian Jackson) have granted this exception as part of the licence of CGI::Auth::Flexible. When considering AGPLv3 section 13 "Remote Network Interaction" (or similar wording in successor licences): If all interactions with the Program (other than interactions with the user authentication system) require user authentication, the provisions of that section apply only to interaction with the Program by authenticated users. This is an Additional Permission as contemplated by AGPLv3 section 7. - Ian Jackson As I say, comments welcome. Regards, Ian.

