Re: a quick review of the timescaledb license

2022-06-07 Thread Francesco Poli
On Tue, 07 Jun 2022 12:11:11 -0400 Antoine Beaupré wrote:

[...]
> Okay, so what's in that `tsl/` folder? There you have *another* LICENSE
> file which is a custom license written specifically (presumably by
> lawyers) for timescaleDB:
> 
> https://github.com/timescale/timescaledb/blob/3c56d3ecebbf476293ff43ded142bc9e5087f6de/tsl/LICENSE-TIMESCALE
> 
> I haven't read the entirety of it,

Nor have I, but some parts of it look clearly non-free, as you yourself
point out.

> but it's pretty clear to me that this
> cannot be packaged in Debian at all, ever, under that license. Just
> clause 2.2 (prohibiting use in "software-as-a-service") breaks clause 6
> of the Debian free software guidelines.
[...]

Part of clause 2.2 states:

[...]
|  2.2 Prohibitions.  Notwithstanding any other provision in this TSL
|  Agreement, You are prohibited from (i) using any TSL Licensed Software to
|  provide time-sharing services or database-as-a-service services, or to
|  provide any form of software-as-a-service or service offering in which the
|  TSL Licensed Software is offered or made available to third parties to
|  provide time-series database functions or operations, other than as part of
|  Your Value Added Products or Services, or (ii) copying or distributing any
|  TSL Licensed Software for use in any of the foregoing ways.
[...]

This really seems to fail DFSG#6.

There are other parts of this license which appear to be blatantly
non-free, but I haven't studied them in detail...



-- 
 http://www.inventati.org/frx/
 There's not a second to spare! To the laboratory!
. Francesco Poli .
 GnuPG key fpr == CA01 1147 9CD2 EFDF FB82  3925 3E1C 27E1 1F69 BFFE




Re: a quick review of the timescaledb license

2022-06-07 Thread Sebastian Crane
Dear Antoine,

> It was pointed out to me that TimescaleDB has an "open core" model and
> it's actually possible to build an "apache-2.0-only" version of the
> program.

Yup, it looks like all files in the tsl/ directory are governed by the
proprietary license, and can be excluded from builds:

https://github.com/timescale/timescaledb/blob/3c56d3ecebbf476293ff43ded142bc9e5087f6de/tsl/src/init.c#L64

Clearly some checks to make sure this 'APACHE-ONLY' flag actually
works would be useful for Debian's purposes! :)

Thanks for taking a look at this, Antoine. They could have been a bit
clearer in describing their 'open core' model, since it must have
confused quite a few would-be distro packagers by now!

Best wishes,

Sebastian



Re: a quick review of the timescaledb license

2022-06-07 Thread Antoine Beaupré
It was pointed out to me that TimescaleDB has an "open core" model and
it's actually possible to build an "apache-2.0-only" version of the
program. The differences between the two are here:

https://docs.timescale.com/timescaledb/latest/timescaledb-edition-comparison/

... and guix actually made a package that removes the proprietary bits
here:

https://git.savannah.gnu.org/cgit/guix.git/tree/gnu/packages/databases.scm#n1315

a.
-- 
Tu connaîtras la vérité de ton chemin à ce qui te rend heureux.
- Aristote



a quick review of the timescaledb license

2022-06-07 Thread Antoine Beaupré
Hi,

For work, I was asked to deploy a TimescaleDB server and figured "bah,
that's C code, why isn't this in Debian!" I was about to file an RFP
when I tripped over the "unknown" license on their GitHub repository:

https://github.com/timescale/timescaledb/

I found that it's not actually licensed under an official, OSI-approved
free software license. A *part* of Timescale is licensed under
Apache-2.0, and that's fine, but a look at their LICENSE file:

https://github.com/timescale/timescaledb/blob/3c56d3ecebbf476293ff43ded142bc9e5087f6de/LICENSE

... which actually says:

> All source code should have information at the beginning of its respective
> file which specifies its licensing information.
> 
> * Outside of the "tsl" directory, source code in a given file is licensed
>   under the Apache License Version 2.0, unless otherwise noted (e.g., an
>   Apache-compatible license).
> 
> * Within the "tsl" folder, source code in a given file is licensed under the
>   Timescale License, unless otherwise noted.
> 
> When built, separate shared object files are generated for the Apache-licensed
> source code and the Timescale-licensed source code. The shared object binaries
> that contain `-tsl` in their name are licensed under the Timescale License.

Okay, so what's in that `tsl/` folder? There you have *another* LICENSE
file which is a custom license written specifically (presumably by
lawyers) for timescaleDB:

https://github.com/timescale/timescaledb/blob/3c56d3ecebbf476293ff43ded142bc9e5087f6de/tsl/LICENSE-TIMESCALE

I haven't read the entirety of it, but it's pretty clear to me that this
cannot be packaged in Debian at all, ever, under that license. Just
clause 2.2 (prohibiting use in "software-as-a-service") breaks clause 6
of the Debian free software guidelines. There are also limitations on
modification and distribution, and (rather oddly I must say) a GPL-like
contamination clause.

The SaaS clause looks a bit like the MongoDB-style of license (SSPL and
friends), which the OSI hasn't actually made a formal decision on,
because MongoDB retracted their application:

https://opensource.org/LicenseReview032019

... but OSI actually made a *statement* on that license explicitly saying
that it's not "open source":

https://opensource.org/sspl-not-open-source

No doubt the latter was previously discussed here, but I figured I would
mention it for completeness's sake.

I should also state, for the record, that I am not a lawyer and the
above cannot, therefore, serve as legal advice.

Anyways, lots of fun, I almost have a headache now, but I figured I'd
drop this here because I haven't found a mention of TimescaleDB on any
Debian mailing list before. I figured I would save the trouble of future
enthusiasts by sharing my research more broadly.

a.

PS: I don't think we'll use this at work, but you never know. Curious
folks can follow up here:

https://gitlab.torproject.org/tpo/tpa/team/-/issues/40770

There's more juicy stuff regarding the way we can use Timescale at all,
even if we disregard the "DFSG-style" discussion...

-- 
You can't get to the moon by climbing successively taller trees.
- Akin's Laws of Spacecraft Design

