Re: Re: Maxmind GeoIP/Geolite license change

[James Repsel]

I have change license and I P because  I'm the true Copyright and
intellectual property and patent holder

Re: Maxmind GeoIP/Geolite license change

[Michael Tremer]

Hello,

> On 16 Jun 2020, at 15:01, Tobias Frost  wrote:
> 
> On Tue, Jun 16, 2020 at 09:28:05AM +0100, Michael Tremer wrote:
> 
> (...)
> 
>> I consider myself a great advocate for free software. Almost everything I do,
>> and certain all I can, is free software - available for anyone to use.
> 
> Let me nitpick on that Free software also requires the ability to modify and
> distribute the modified work…
> 
>> 
>> We have spent a lot of time on this and we do not want another Maxmind. I am
>> not trying to make money with this project, but nobody else should be making
>> that money either.
> 
> Being "gratis" is stricly not a requirement for FLOSS*, but being "libre" is,
> and the 4 software freedoms encourage to allow usage for "any purpose", 
> including
> commercial use. So, IMHO, this two paragraphs are somehow conflating gratis
> with libre. (Additionally CC-BY-SA does not have a commercial-usage 
> restriction,
> as some said already in this thread)
> 
> * for example, there are some projects (in the Android App world) that sells
> the app in the offical store but have the sourcecode available to compile
> yourself on a public repository)

Yes, I am aware of that. As mentioned before, it would be nice to guard our own 
project from people that take advantage of us. I do not want to limit the use 
of the database for legitimate users.

>> Since this is only a license - and people seem to rather ignore than follow
>> these - there is no guarantee for us that someone does things that we do not
>> want them to do. But in the end I have to protect my project and the other
>> people working on this so that we can continue doing this.
>> 
>> I do not want this to be non-free, but I hope my point makes at least some
>> sense.
> 
> if you want it to be (DSFG)-free, please choose one of the approved licenses.
> But I fear that your expectations are different: A (DFSG-)free license must
> not limit commercial use in any way, for example…

I do not want to limit commercial use. I want to make sure that our project can 
continue to exist.

>> 
 * it would be nice to encourage users to give back to the project and help
 them to help us to improve the data wherever possible
>>> 
>>> Such encouragements should be part of, e.g., a README file, but not part of
>>> a license. *Forcing* users to contribute back would likewise make a license
>>> non-free for Debian usage (since that would fail the Desert Island test).
>> 
>> Sorry for my noob question, but doesn’t the GPL “force” people to give back?
> 
> No, it does not. We had some discussion about a different license that crossed
> this topic lately: https://lists.debian.org/debian-legal/2020/04/msg00016.html
> TL;DR: You only need to offer your modifications to _your_ recipients of the
> work, not to whom you received it from.
> 
>>> Fortunately, you said "encourage", so that would be optional and hence
>>> good. I'm just pointing out that even ideas with good intentions (naturally
>>> improving a database is a plus for any user) can lead to software or data
>>> becoming non-free.
>> 
>> A license is just letters on some paper. I had my own software copied too
>> often by too many people with bad intentions and I could not do anything
>> about it without throwing more money and time down the drain.
> 
> There is this famous "use if for good not evil"-Json-license … disaster? …
> A true free software must even allow usage for evil purposes, not even 
> touching
> the question who defines "evil"?
> 
>> So, I guess we can conclude that the CC BY-SA 4.0 option is definitely
>> something that we would drop. Simply for that reason that it is too
>> complicated.
> 
> Chooose any license you find suitable. Best from 
> https://wiki.debian.org/DFSGLicenses
> Some people will disagree on some license being listed here*, but this is 
> kind of
> official position of the project. (there are sometime more factors than a
> license to consider something free software) The only strong advice I would
> like to give is "Don't invent your own licence."
> 
> *For instance, I'm not in the CC-4.0-is-non-free camp, but I would love to
> learn about the objections…

I went through that list, and the CC licenses catch my eye. We are definitely 
out of the MIT and BSD license territory (if they are even applicable to data).

I have re-read this thread and must say that I understood the first comments as 
“under no circumstances use CC BY-SA 4.0”. Now I rather understand them as “I 
would prefer otherwise”.

I understand that licenses only limit use, and never grant anything more than 
what public domain would do, but that is exactly what we want to do here.

Unless someone has another suggestion that has any advantages, I would consider 
again to stay with CC BY-SA 4.0.

It first of all is DFSG-compliant, and is pretty much the default license for 
content like our database. The license is well-known and generally accepted. 
Debian’s policies are probably some of the more strict 

Re: Maxmind GeoIP/Geolite license change

[Michael Tremer]

Hello,

> On 17 Jun 2020, at 04:34, J.B. Nicholson  wrote:
> 
> Michael Tremer wrote:
>> This project however was a lot more work than we anticipated and there are 
>> some
>> more challenges to come. We generate no income from working on this at all, 
>> but of
>> course need to fill our own fridges with food every once in a while. I am not
>> telling you anything new here and I do not want to moan. But in the past, we 
>> have
>> fought legal battles (and were involuntarily dragged into them) where people 
>> took
>> IPFire, rebranded it slightly and sold it as their own. That fight consumed 
>> a lot
>> of resources on our side without any gain for the project. It brings down 
>> morale
>> and brings many other problems with it, too.
>> So the intention is to do better here.
> Do you have the means and motivation to pay court costs and lawyer fees to 
> sue a copyright infringer?
> 

That depends on the case. I cannot say much about this one because it is still 
ongoing.

But if I would generally say, that I would never try to enforce my license, 
what is the point of picking on in the first place? If licenses are not 
enforced, they are worthless.

Best,
-Michael

Re: Maxmind GeoIP/Geolite license change

[J.B. Nicholson]

Michael Tremer wrote:

This project however was a lot more work than we anticipated and there are some
more challenges to come. We generate no income from working on this at all, but 
of
course need to fill our own fridges with food every once in a while. I am not
telling you anything new here and I do not want to moan. But in the past, we 
have
fought legal battles (and were involuntarily dragged into them) where people 
took
IPFire, rebranded it slightly and sold it as their own. That fight consumed a 
lot
of resources on our side without any gain for the project. It brings down morale
and brings many other problems with it, too.

So the intention is to do better here.
Do you have the means and motivation to pay court costs and lawyer fees to sue a 
copyright infringer?

Re: Maxmind GeoIP/Geolite license change

[Tobias Frost]

On Tue, Jun 16, 2020 at 09:28:05AM +0100, Michael Tremer wrote:

(...)

> I consider myself a great advocate for free software. Almost everything I do,
> and certain all I can, is free software - available for anyone to use.

Let me nitpick on that Free software also requires the ability to modify and
distribute the modified work…

> 
> We have spent a lot of time on this and we do not want another Maxmind. I am
> not trying to make money with this project, but nobody else should be making
> that money either.

Being "gratis" is stricly not a requirement for FLOSS*, but being "libre" is,
and the 4 software freedoms encourage to allow usage for "any purpose", 
including
commercial use. So, IMHO, this two paragraphs are somehow conflating gratis
with libre. (Additionally CC-BY-SA does not have a commercial-usage restriction,
as some said already in this thread)

* for example, there are some projects (in the Android App world) that sells
the app in the offical store but have the sourcecode available to compile
yourself on a public repository)

> Since this is only a license - and people seem to rather ignore than follow
> these - there is no guarantee for us that someone does things that we do not
> want them to do. But in the end I have to protect my project and the other
> people working on this so that we can continue doing this.
> 
> I do not want this to be non-free, but I hope my point makes at least some
> sense.

if you want it to be (DSFG)-free, please choose one of the approved licenses.
But I fear that your expectations are different: A (DFSG-)free license must
not limit commercial use in any way, for example…

> 
> >> * it would be nice to encourage users to give back to the project and help
> >> them to help us to improve the data wherever possible
> > 
> > Such encouragements should be part of, e.g., a README file, but not part of
> > a license. *Forcing* users to contribute back would likewise make a license
> > non-free for Debian usage (since that would fail the Desert Island test).
> 
> Sorry for my noob question, but doesn’t the GPL “force” people to give back?

No, it does not. We had some discussion about a different license that crossed
this topic lately: https://lists.debian.org/debian-legal/2020/04/msg00016.html
TL;DR: You only need to offer your modifications to _your_ recipients of the
work, not to whom you received it from.

> > Fortunately, you said "encourage", so that would be optional and hence
> > good. I'm just pointing out that even ideas with good intentions (naturally
> > improving a database is a plus for any user) can lead to software or data
> > becoming non-free.
> 
> A license is just letters on some paper. I had my own software copied too
> often by too many people with bad intentions and I could not do anything
> about it without throwing more money and time down the drain.

There is this famous "use if for good not evil"-Json-license … disaster? …
A true free software must even allow usage for evil purposes, not even touching
the question who defines "evil"?

> So, I guess we can conclude that the CC BY-SA 4.0 option is definitely
> something that we would drop. Simply for that reason that it is too
> complicated.

Chooose any license you find suitable. Best from 
https://wiki.debian.org/DFSGLicenses
Some people will disagree on some license being listed here*, but this is kind 
of
official position of the project. (there are sometime more factors than a
license to consider something free software) The only strong advice I would
like to give is "Don't invent your own licence."

*For instance, I'm not in the CC-4.0-is-non-free camp, but I would love to
learn about the objections…


> I always assumed that any of the GPL licenses won’t be applicable to data
> (and only code). Can maybe brings some light into the dark for me?

Many people believe that can be applied to data as well, incl. the FSF [1].
/me has e.g released CAD models [2] using the GPL, but I explicitly
clarified that I consider this covered, no idea if that would be actual
needed, though. IANAL.

[1] https://www.gnu.org/licenses/gpl-faq.en.html#GPLOtherThanSoftware
[2] e.g 
https://github.com/coldtobi/tobis_cl260_modifications/blob/master/Z-Axis/README.md

-- 
tobi

Re: Maxmind GeoIP/Geolite license change

[John Scott]

On Tuesday, June 16, 2020 4:28:05 AM EDT Michael Tremer wrote:
> Sorry for my noob question, but doesn’t the GPL “force” people to give back?

The GPL requires that modifications are also under the terms of the GPL. It 
doesn't require sharing either publicly or with individuals.

If the upstream developer were to disappear or not be reachable, a clause 
requiring sharing of modifications would disallow modifications.

signature.asc
Description: This is a digitally signed message part.

Re: Maxmind GeoIP/Geolite license change

[Michael Tremer]

> On 16 Jun 2020, at 00:58, Mihai Moldovan  wrote:
> 
> * On 6/15/20 10:51 PM, Michael Tremer wrote:
>> As you will have noticed, I am not an expert on licenses and have picked CC 
>> BY-SA 4.0 because I believe Maxmind’s database was licensed under this 
>> before.
> 
> I'm assuming that your DB will not contain any content from Maxmind's DB? 
> Hence,
> you just strove to stay compatible with the original content?

No, we did not copy anything from Maxmind. Neither data, nor any of the 
software.

The intention of using the same license was to be compatible with what Maxmind 
used to be compatible to. Let’s say if Maxmind’s old terms and conditions were 
acceptable for Debian, so should be our database.

Clearly we missed that goal, but I am happy to have this conversation with you 
guys to help us find a better license.

>> We can of course change the license and I am happy to take your suggestions. 
>> What I would like the license to be is the following:
>> 
>> * it should be free for anyone to use but not possible to sell the database
> 
> That directly violates DFSG 6 ("No discrimination against fields of endeavor,
> like commercial use.")
> 
> I understand your general intention, but it's a misguided one. It would
> essentially make the database unredistributable if charging a fee for the
> (re-)distribution, i.e., it couldn't be part of Debian media (CD-ROMs and the
> like) for which a fee is charged (even if that fee only covers media and
> distribution costs).
> 
> In Debian context, such a license would be considered non-free.

I understand what you are saying. My email from yesterday was a short one sent 
from my sofa. So let me explain more…

I consider myself a great advocate for free software. Almost everything I do, 
and certain all I can, is free software - available for anyone to use.

This project however was a lot more work than we anticipated and there are some 
more challenges to come. We generate no income from working on this at all, but 
of course need to fill our own fridges with food every once in a while. I am 
not telling you anything new here and I do not want to moan. But in the past, 
we have fought legal battles (and were involuntarily dragged into them) where 
people took IPFire, rebranded it slightly and sold it as their own. That fight 
consumed a lot of resources on our side without any gain for the project. It 
brings down morale and brings many other problems with it, too.

So the intention is to do better here.

We have spent a lot of time on this and we do not want another Maxmind. I am 
not trying to make money with this project, but nobody else should be making 
that money either.

Since this is only a license - and people seem to rather ignore than follow 
these - there is no guarantee for us that someone does things that we do not 
want them to do. But in the end I have to protect my project and the other 
people working on this so that we can continue doing this.

I do not want this to be non-free, but I hope my point makes at least some 
sense.

>> * it would be nice to encourage users to give back to the project and help 
>> them to help us to improve the data wherever possible
> 
> Such encouragements should be part of, e.g., a README file, but not part of a
> license. *Forcing* users to contribute back would likewise make a license
> non-free for Debian usage (since that would fail the Desert Island test).

Sorry for my noob question, but doesn’t the GPL “force” people to give back?

> Fortunately, you said "encourage", so that would be optional and hence good. 
> I'm
> just pointing out that even ideas with good intentions (naturally improving a
> database is a plus for any user) can lead to software or data becoming 
> non-free.

A license is just letters on some paper. I had my own software copied too often 
by too many people with bad intentions and I could not do anything about it 
without throwing more money and time down the drain.

So, I guess we can conclude that the CC BY-SA 4.0 option is definitely 
something that we would drop. Simply for that reason that it is too complicated.

I always assumed that any of the GPL licenses won’t be applicable to data (and 
only code). Can maybe brings some light into the dark for me?

Thank you all very much already for your comments.

Best,
-Michael

> 
> 
> Licenses and their implications can easily become a double-edged sword. :)
> 
> 
> 
> Mihai
> 

Re: Maxmind GeoIP/Geolite license change

[Mihai Moldovan]

* On 6/15/20 10:51 PM, Michael Tremer wrote:
> As you will have noticed, I am not an expert on licenses and have picked CC 
> BY-SA 4.0 because I believe Maxmind’s database was licensed under this before.

I'm assuming that your DB will not contain any content from Maxmind's DB? Hence,
you just strove to stay compatible with the original content?


> We can of course change the license and I am happy to take your suggestions. 
> What I would like the license to be is the following:
> 
> * it should be free for anyone to use but not possible to sell the database

That directly violates DFSG 6 ("No discrimination against fields of endeavor,
like commercial use.")

I understand your general intention, but it's a misguided one. It would
essentially make the database unredistributable if charging a fee for the
(re-)distribution, i.e., it couldn't be part of Debian media (CD-ROMs and the
like) for which a fee is charged (even if that fee only covers media and
distribution costs).

In Debian context, such a license would be considered non-free.


> * it would be nice to encourage users to give back to the project and help 
> them to help us to improve the data wherever possible

Such encouragements should be part of, e.g., a README file, but not part of a
license. *Forcing* users to contribute back would likewise make a license
non-free for Debian usage (since that would fail the Desert Island test).

Fortunately, you said "encourage", so that would be optional and hence good. I'm
just pointing out that even ideas with good intentions (naturally improving a
database is a plus for any user) can lead to software or data becoming non-free.


Licenses and their implications can easily become a double-edged sword. :)



Mihai



signature.asc
Description: OpenPGP digital signature

Re: Maxmind GeoIP/Geolite license change

[Daniel Hakimi]

What do you mean by "it should  not be possible to sell the database?" The
CC-BY-SA and all other Free licenses allow commercial uses, including paid
licenses.

On Mon, Jun 15, 2020, 16:51 Michael Tremer 
wrote:

> Thank you for your feedback.
>
> As you will have noticed, I am not an expert on licenses and have picked
> CC BY-SA 4.0 because I believe Maxmind’s database was licensed under this
> before.
>
> We can of course change the license and I am happy to take your
> suggestions. What I would like the license to be is the following:
>
> * it should be free for anyone to use but not possible to sell the
> database
> * it would be nice to encourage users to give back to the project and help
> them to help us to improve the data wherever possible
>
> I cannot come up with anything else this license should or could cover.
>
> Best,
> -Michael
>
> > On 15 Jun 2020, at 21:14, Francesco Poli 
> wrote:
> >
> > On Mon, 15 Jun 2020 21:24:45 +0200 Roberto wrote:
> >
> >>> On Mon, Jun 15, 2020 at 08:04:47PM +0200, Francesco Poli wrote:
> >>> The reason is that the one-way compatibility mechanism of CC-by-sa v4.0
> >>> is not exceptionally clear, and, without that compatibility, the
> >>> CC-by-sa v4.0 license itself has a number of controversial clauses
> >>> (non-free, in my own personal opinion).
> >>
> >> CC-BY 4.0 (without SA) may be better than CC-BY-SA in that case,
> >> according to the FSF it's compatible and accepted as a free license (for
> >> content which is not a program).
> >
> > Actually, although the FSF [claims] that CC-by v4.0 is compatible with
> > the GNU GPL, it does not explain how the restrictions found in CC-by
> > v4.0 can be reconciled with the GNU GPL.
> >
> > [claims]: 
> >
> > I asked the FSF to publish a reasoned analysis on this.
> > I did so back in 2015, but nothing has been disclosed yet (as far as I
> > know).   :-(
> >
> > I am personally *not* convinced that CC-by v4.0 is GPL-compatible.
> > Please note that the CC-by v4.0 has no explicit compatibility clause
> > (contrary to CC-by-sa v4.0, which has a one-way compatibility
> > mechanism)...
> >
> >
> > --
> > http://www.inventati.org/frx/
> > There's not a second to spare! To the laboratory!
> > . Francesco Poli .
> > GnuPG key fpr == CA01 1147 9CD2 EFDF FB82  3925 3E1C 27E1 1F69 BFFE
>
>

Re: Maxmind GeoIP/Geolite license change

[Michael Tremer]

Thank you for your feedback.

As you will have noticed, I am not an expert on licenses and have picked CC 
BY-SA 4.0 because I believe Maxmind’s database was licensed under this before.

We can of course change the license and I am happy to take your suggestions. 
What I would like the license to be is the following:

* it should be free for anyone to use but not possible to sell the database 
* it would be nice to encourage users to give back to the project and help them 
to help us to improve the data wherever possible

I cannot come up with anything else this license should or could cover.

Best,
-Michael

> On 15 Jun 2020, at 21:14, Francesco Poli  wrote:
> 
> On Mon, 15 Jun 2020 21:24:45 +0200 Roberto wrote:
> 
>>> On Mon, Jun 15, 2020 at 08:04:47PM +0200, Francesco Poli wrote:
>>> The reason is that the one-way compatibility mechanism of CC-by-sa v4.0
>>> is not exceptionally clear, and, without that compatibility, the
>>> CC-by-sa v4.0 license itself has a number of controversial clauses
>>> (non-free, in my own personal opinion).
>> 
>> CC-BY 4.0 (without SA) may be better than CC-BY-SA in that case,
>> according to the FSF it's compatible and accepted as a free license (for
>> content which is not a program).
> 
> Actually, although the FSF [claims] that CC-by v4.0 is compatible with
> the GNU GPL, it does not explain how the restrictions found in CC-by
> v4.0 can be reconciled with the GNU GPL.
> 
> [claims]: 
> 
> I asked the FSF to publish a reasoned analysis on this.
> I did so back in 2015, but nothing has been disclosed yet (as far as I
> know).   :-(
> 
> I am personally *not* convinced that CC-by v4.0 is GPL-compatible.
> Please note that the CC-by v4.0 has no explicit compatibility clause
> (contrary to CC-by-sa v4.0, which has a one-way compatibility
> mechanism)...
> 
> 
> -- 
> http://www.inventati.org/frx/
> There's not a second to spare! To the laboratory!
> . Francesco Poli .
> GnuPG key fpr == CA01 1147 9CD2 EFDF FB82  3925 3E1C 27E1 1F69 BFFE

Re: Maxmind GeoIP/Geolite license change

[Francesco Poli]

On Mon, 15 Jun 2020 21:24:45 +0200 Roberto wrote:

> On Mon, Jun 15, 2020 at 08:04:47PM +0200, Francesco Poli wrote:
> > The reason is that the one-way compatibility mechanism of CC-by-sa v4.0
> > is not exceptionally clear, and, without that compatibility, the
> > CC-by-sa v4.0 license itself has a number of controversial clauses
> > (non-free, in my own personal opinion).
> 
> CC-BY 4.0 (without SA) may be better than CC-BY-SA in that case,
> according to the FSF it's compatible and accepted as a free license (for
> content which is not a program).

Actually, although the FSF [claims] that CC-by v4.0 is compatible with
the GNU GPL, it does not explain how the restrictions found in CC-by
v4.0 can be reconciled with the GNU GPL.

[claims]: 

I asked the FSF to publish a reasoned analysis on this.
I did so back in 2015, but nothing has been disclosed yet (as far as I
know).   :-(

I am personally *not* convinced that CC-by v4.0 is GPL-compatible.
Please note that the CC-by v4.0 has no explicit compatibility clause
(contrary to CC-by-sa v4.0, which has a one-way compatibility
mechanism)...


-- 
 http://www.inventati.org/frx/
 There's not a second to spare! To the laboratory!
. Francesco Poli .
 GnuPG key fpr == CA01 1147 9CD2 EFDF FB82  3925 3E1C 27E1 1F69 BFFE


pgp5p5qo30MmG.pgp
Description: PGP signature

Re: Maxmind GeoIP/Geolite license change

[Roberto]

On Mon, Jun 15, 2020 at 08:04:47PM +0200, Francesco Poli wrote:
> The reason is that the one-way compatibility mechanism of CC-by-sa v4.0
> is not exceptionally clear, and, without that compatibility, the
> CC-by-sa v4.0 license itself has a number of controversial clauses
> (non-free, in my own personal opinion).

CC-BY 4.0 (without SA) may be better than CC-BY-SA in that case,
according to the FSF it's compatible and accepted as a free license (for
content which is not a program).

Re: Maxmind GeoIP/Geolite license change

[Francesco Poli]

On Mon, 15 Jun 2020 11:12:29 +0100 Michael Tremer wrote:

[...]
> The library is licensed under LGPL

GNU LGPL v2.1 it seems.
Good, thanks for releasing the library as Free Software.

> and the database is under the Creative Commons license.

CC-by-sa v4.0 it seems.
Less good, in my own personal opinion.

Although Debian FTP masters consider CC-by-sa v4.0 acceptable for the
main archive, and although CC-by-sa v4.0 is one-way compatible with the
GNU GPL v3 , I personally consider Creative Commons licenses
problematic.
The reason is that the one-way compatibility mechanism of CC-by-sa v4.0
is not exceptionally clear, and, without that compatibility, the
CC-by-sa v4.0 license itself has a number of controversial clauses
(non-free, in my own personal opinion).


I would recommend choosing a different license for the database.
The GNU [GPL v2], if you want a copyleft license, or the [Expat], if
you prefer a more permissive license.

[GPL v2]: 
[Expat]: 

That's my personal advice.
I hope it helps.

Bye and thanks for working on this project!


-- 
 http://www.inventati.org/frx/
 There's not a second to spare! To the laboratory!
. Francesco Poli .
 GnuPG key fpr == CA01 1147 9CD2 EFDF FB82  3925 3E1C 27E1 1F69 BFFE


pgpHRKR3OYQGp.pgp
Description: PGP signature

Re: Re: Maxmind GeoIP/Geolite license change

[Michael Tremer]

Hello Debian people,

I would like to pre-announce a little project that we from the IPFire Project 
have started and which might be of interest for you.

We have been equally frustrated with MaxMind’s license change and also some 
other things before that. For example has the database not always been accurate 
enough for our own purposes amongst some more minor problems.


libloc

We started our own sub-project which provides a location database for the 
Internet and comes with a small C library, and bindings in Python and Perl to 
be integrated into other projects.

The library is licensed under LGPL and the database is under the Creative 
Commons license. Since everything we are doing is true free software, this will 
of course stay as it is.

The data for the database, as well as all tools used to compose it are 
available, too.

  https://git.ipfire.org/?p=location/libloc.git;a=summary
  https://git.ipfire.org/?p=location/location-database.git;a=summary


Our motivation

In IPFire, we use this data to block connections from certain countries. That 
is why we needed good accuracy of the data, but resolution down to city-level 
is not required and therefore not implemented.

We added AS information which is more interesting that countries in my personal 
opinion.

root@location01:~# host www.debian.org
www.debian.org has address 130.89.148.77
www.debian.org has IPv6 address 2001:67c:2564:a119::77
www.debian.org has IPv6 address 2603:400a::bb8::801f:3e
www.debian.org has IPv6 address 2001:4f8:1:c::15

root@location01:~# location lookup 2001:67c:2564:a119::77
2001:67c:2564:a119::77:
  Network : 2001:67c:2564::/48
  Country : Netherlands
  Autonomous System   : AS1133 (SURFnet bv)

We also wanted to be able to securely update the database and have therefore 
added a cryptographic signature to it. That way, the database cannot be spoofed 
and can be downloaded from an untrusted server.

There are still some hoops to jump through, but we already have an 
implementation that we will release to our users in a few weeks. The 
implementation is already a lot faster the MaxMind’s which we hope will allow 
this library being used in some more applications.


Why am I writing to you?

Since Maxmind’s database is no longer an option for many of their users, we are 
providing a free alternative and hope that you will help us to find its users. 
We are an open source project that is developing free software and we of course 
hope that more people will contribute to our little project and make it even 
better, opening more possibilities for this being used.

If you have any concerns, I would like to hear them, too.

Best,
-Michael

Re: Maxmind GeoIP/Geolite license change

[Simon McVittie]

On Sat, 04 Jan 2020 at 03:08:29 +0100, Patrick Matthäi wrote:
> Am 04.01.2020 um 01:53 schrieb Faidon Liambotis:
> > the libraries are free-libre, the file format
> > is open and freely documented (CC-BY-SA 3.0), and there are both readers
> > and writers for those formats in the archive. There are even
> > free-as-in-beer databases available in the wild, although that wouldn't
> > even be a requirement IMO. There is nothing in the DFSG that says that
> > software is free-libre only if it operates on publicly available
> > free-libre data.
> 
> We have got many similar examples in another category: games
> Old games like Quake, Red Alert, Roaler Coaster Tycoon etc etc, the game
> code now itself is free: sometimes reverse engin., new code or open
> sourced by the publisher itself. But often the required game data
> (images, videos, etc) are not distributable and required from the
> original cd-rom.
> 
> So the game code itself is free, but we have to put it in contrib,
> because it is only useable with non-free data.

That's only the case for game engines that are particularly tightly
coupled to a particular game or games, like yquake2 for Quake II and
openjk for Jedi Knight II and Jedi Academy.

Many game engines are in main, not in contrib, because Free data in a
compatible format exists or would be feasible to provide. We don't require
that the game data is conveniently packaged in Debian, or even that it's
sufficiently complete to be a worthwhile game in its own right, only that
it's possible (and even that rule might be more conservative than it needs
to be). For example, quakespasm is mostly a Quake 1 engine, and we don't
have any Quake-1-compatible data in the archive; but it's in main anyway,
because it can also be used to play Quake-like games such as OpenQuartz
(analogous to OpenArena, but a lot less complete, and for Quake 1).

Similarly, darkplaces (another Quake 1 engine) and ioquake3 (a
Quake III Arena engine) would be OK for main even if nexuiz and
openarena were removed from Debian.

The .desktop file, etc. for Quake 1 *are* in contrib, because they're
for Quake 1 specifically, not just "a Quake-like game".

Packages in main also include viewers and editors for specific file
formats like aylet and cpmtools (without requiring examples of those
file formats to exist in Debian main), clients for specific websites
and web-APIs like lgogdownloader, youtube-dl and git-hub (the websites
are obviously outside the scope of Debian), emulators for specific
computers like aranym and cen64 (without requiring those computers'
operating systems to exist in Debian), and email clients that are used
to read non-Free emails like this one.

If in doubt about the boundaries of main vs. contrib, talk to the ftp
team, which is the team that makes the actual decisions about where the
line is drawn. If I remember correctly, the games team consulted the
ftp team before we uploaded quakespasm, to confirm that it would be
considered acceptable for main.

smcv

Re: Maxmind GeoIP/Geolite license change

[Patrick Matthäi]

Am 04.01.2020 um 01:53 schrieb Faidon Liambotis:
> On Sat, Jan 04, 2020 at 12:44:49AM +0100, Patrick Matthäi wrote:
>> So if we are not allowed to distribute it anymore we have got the
>> following options:
>>
>> 1) we keep the the current free database in our repository, which is
>> free and works. We dont care about the precision after X years (not our
>> fault)
> That would be (very) misleading and I'm not sure if it would be in the
> service of our users. The data gets stale really quick --I think it was
> something like 2-5% loss per month? My opinion is that shipping no data
> is better than shipping garbage data...

I support this opionion for 100%.


>> 2) we drop the database package. Also if it is something like contrib,
>> but if there is no free working alternative, shouldnt we (as in Debian
>> as open source community) then also remove all libraries and
>> implementations using GeoIP from Maxmind from our repositories? 
> I don't agree with that; the libraries are free-libre, the file format
> is open and freely documented (CC-BY-SA 3.0), and there are both readers
> and writers for those formats in the archive. There are even
> free-as-in-beer databases available in the wild, although that wouldn't
> even be a requirement IMO. There is nothing in the DFSG that says that
> software is free-libre only if it operates on publicly available
> free-libre data.

We have got many similar examples in another category: games
Old games like Quake, Red Alert, Roaler Coaster Tycoon etc etc, the game
code now itself is free: sometimes reverse engin., new code or open
sourced by the publisher itself. But often the required game data
(images, videos, etc) are not distributable and required from the
original cd-rom.

So the game code itself is free, but we have to put it in contrib,
because it is only useable with non-free data.
This is exactly the situation with geoip now: there is so much free
code, but it is only useable with a non-free additional.

That also means every software depending on that/compiling on that is
also contrib and so on not main/free anymore. A desaster


>
>> 3) We/others/I and others start a fork: I would welcome volunters to
>> start a fork to maintain the database, so that it is not useless in a
>> few years, but this is also one of my last options. I would like to have
>> a solution with Maxmind together.
> I wouldn't mind that option of course, but I have my doubts it'd be
> successful... That's essentially MaxMind's entire business that you'd be
> trying to replicate, after all :)

Correct ;)
But I also have to think about some other ways. And Debian is not the
only distribution with this problem now


>
> How about option (4):
> - We drop geoip-database, assuming that we determine we can't legally
>   distribute it anymore, or ship it in non-free if we determine we can.
>   [I haven't read the terms yet]

I would like to have an expert opinion about the options.. The license
itself sucks and says fcky. If understood the law correctly the it would
be enough to get a free version of the data without any california users
(if in/or country database.. who cares). But the ball is now on the side
of maxmind..


>
> - We let users generate and/or ship their own MMDBs. For example,
>   organizations may have internal data in their databases of sufficient
>   accuracy that they can use to generate MMDBs and use them locally.

This would move all packages linking again libgeoip then to contrib


>
> - Optionally, users can also use geoipupdate, which is already in Debian
>   (and in contrib). They can sign up on maxmind.com, for either a free
>   or paid account, configure geoiupdate with their username & license
>   key and get fresh and up-to-date databases. They can continue to use
>   all MMDB/GeoIP2 software as they previously did.
Again to contrib
>
> Definitely not as easy to set up or practical as the previous situation,
> but still better than options 1-3 I think :)
>
>> So @Maxmind:
>>
>> 
> My intepretation of the change is very different than yours, but I'll
> avoid speaking for MaxMind folks here :)
>
> Regards,
> Faidon

Re: Maxmind GeoIP/Geolite license change

[Faidon Liambotis]

On Sat, Jan 04, 2020 at 12:44:49AM +0100, Patrick Matthäi wrote:
> So if we are not allowed to distribute it anymore we have got the
> following options:
> 
> 1) we keep the the current free database in our repository, which is
> free and works. We dont care about the precision after X years (not our
> fault)

That would be (very) misleading and I'm not sure if it would be in the
service of our users. The data gets stale really quick --I think it was
something like 2-5% loss per month? My opinion is that shipping no data
is better than shipping garbage data...

> 2) we drop the database package. Also if it is something like contrib,
> but if there is no free working alternative, shouldnt we (as in Debian
> as open source community) then also remove all libraries and
> implementations using GeoIP from Maxmind from our repositories? 

I don't agree with that; the libraries are free-libre, the file format
is open and freely documented (CC-BY-SA 3.0), and there are both readers
and writers for those formats in the archive. There are even
free-as-in-beer databases available in the wild, although that wouldn't
even be a requirement IMO. There is nothing in the DFSG that says that
software is free-libre only if it operates on publicly available
free-libre data.

> 3) We/others/I and others start a fork: I would welcome volunters to
> start a fork to maintain the database, so that it is not useless in a
> few years, but this is also one of my last options. I would like to have
> a solution with Maxmind together.

I wouldn't mind that option of course, but I have my doubts it'd be
successful... That's essentially MaxMind's entire business that you'd be
trying to replicate, after all :)

How about option (4):
- We drop geoip-database, assuming that we determine we can't legally
  distribute it anymore, or ship it in non-free if we determine we can.
  [I haven't read the terms yet]

- We let users generate and/or ship their own MMDBs. For example,
  organizations may have internal data in their databases of sufficient
  accuracy that they can use to generate MMDBs and use them locally.

- Optionally, users can also use geoipupdate, which is already in Debian
  (and in contrib). They can sign up on maxmind.com, for either a free
  or paid account, configure geoiupdate with their username & license
  key and get fresh and up-to-date databases. They can continue to use
  all MMDB/GeoIP2 software as they previously did.

Definitely not as easy to set up or practical as the previous situation,
but still better than options 1-3 I think :)

> So @Maxmind:
> 
> 

My intepretation of the change is very different than yours, but I'll
avoid speaking for MaxMind folks here :)

Regards,
Faidon

Re: Maxmind GeoIP/Geolite license change

[Patrick Matthäi]

Hi,

I have added Greg from Maxmind: please forward it if you are not the
correct contact for it.

Am 03.01.2020 um 18:32 schrieb Florian Weimer:
> * Patrick Matthäi:
>
>> [1]: https://www.maxmind.com/en/geolite2/eula
> | 3. Destructions of GeoLite2 Database and GeoLite2 Data. From time to
> | time, MaxMind will release an updated version of the GeoLite2
> | Databases, and you agree to promptly use the updated version of the
> | GeoLite2 Databases. You shall cease use of and destroy (i) any old
> | versions of the Services within thirty (30) days following the
> | release of the updated GeoLite2 Databases; and (ii) all Services
> | immediately upon termination of the license under this
> | Agreement. Upon request, you shall provide MaxMind with written
> | confirmation of such destruction.
>
> That looks thoroughly non-free to me, and it is also highly
> impractical.  It appears to be the intent that this clause overrides
> the permissions normally afforded by the CC-BY-SA license.

And I think you mean non-free as in "not distributable at all", not like
a candidate for Debians unoffical non-free repository? Because of this
clause I also would say that we are not allowed to distribute it.

So if we are not allowed to distribute it anymore we have got the
following options:

1) we keep the the current free database in our repository, which is
free and works. We dont care about the precision after X years (not our
fault)
2) we drop the database package. Also if it is something like contrib,
but if there is no free working alternative, shouldnt we (as in Debian
as open source community) then also remove all libraries and
implementations using GeoIP from Maxmind from our repositories? That are
plenty of packages with quite high popcon, like bind9, apache, nginx,
nearly everthing.. The technical way would be something I would dicuss
on debian-devel@, but from the -legal view I would recommend removing
geoip support at all is a better legal choice as implementing APIs and
modules relying on realy non-free stuff, what do you think?
This would be definitly the death of geoip solutions at all in the
future in my opionion. (but it is not my choice)
3) We/others/I and others start a fork: I would welcome volunters to
start a fork to maintain the database, so that it is not useless in a
few years, but this is also one of my last options. I would like to have
a solution with Maxmind together.

So @Maxmind:

a) Correct me if I am wrong, but you care abot a california law which
states that you are not allowed to sell/provide california data: This
only applies on your city database, not on your country database

b) I am not bounded against any US or california law, but I - with my
geoip Debian hut on - wouldnt have any problem with providing an
open-source free geolite country database, where all US california IPs
are removed before. Did you considered that, providing this for your
paid services?

Re: Maxmind GeoIP/Geolite license change

[Florian Weimer]

* Patrick Matthäi:

> [1]: https://www.maxmind.com/en/geolite2/eula

| 3. Destructions of GeoLite2 Database and GeoLite2 Data. From time to
| time, MaxMind will release an updated version of the GeoLite2
| Databases, and you agree to promptly use the updated version of the
| GeoLite2 Databases. You shall cease use of and destroy (i) any old
| versions of the Services within thirty (30) days following the
| release of the updated GeoLite2 Databases; and (ii) all Services
| immediately upon termination of the license under this
| Agreement. Upon request, you shall provide MaxMind with written
| confirmation of such destruction.

That looks thoroughly non-free to me, and it is also highly
impractical.  It appears to be the intent that this clause overrides
the permissions normally afforded by the CC-BY-SA license.