Re: [gentoo-dev] Should we allow "GPL, v2 or later" for ebuilds?
[2020-02-11 10:52:57-0500] Rich Freeman: > On Tue, Feb 11, 2020 at 10:05 AM Haelwenn (lanodan) Monnier > wrote: > > > > Maybe it could for now be a simple agreement on putting your code to > > the Gentoo Foundation under the GPL-2+ but it would be published under > > the GPL-{2,3,…}? > > > > Well, if we were going to get people to start signing things I suggest > just sticking to the FLA since it actually was written by lawyers. Absolutely, I misunderstood that the FLA wasn't ready at all, it's much better to have it instead. > I attached a copy, but along these lines the key section is: > We agree to (sub)license the Contribution or any Materials containing, > based on or derived from your Contribution under the terms of any > licenses the Free Software Foundation classifies as Free Software > License and which are approved by the Open Source Initiative as Open > Source licenses. > > That is, Gentoo would control the licenses, but they would have to be > FSF/OSI approved. That doesn't mean that anybody could choose any > FSF-approved license - Gentoo would still have to do the licensing. > This is just a limitation on the grant of power from the original > author to Gentoo on WHAT licenses GENTOO can choose. > > There is also a variant of the FLA that can further narrow down the > licenses that Gentoo gets to choose from, but IMO if you're going to > go down this path it makes sense to keep things flexible. We could of > course just limit Gentoo to GPL v2+, and initially Gentoo does v2/3 > and later Gentoo could revise to any later version of the GPL. But if > for whatever reason the GPL falls out of favor then we can't adapt > futher. > > Ultimately though anything like this involves giving up control. Which happens a lot when you have do to anything with others, and is quite how using the internet and free software sounds like to me. Anyway, this FLA document generator looks really good to me, much better than a weird "or later" on a license. FSF/OSI sounds a bit too much flexible but personally I think I can trust gentoo enough to pick a similar license and otherwise it seems to restricts flexibility a bit too much. At least the option of GPL-2+ but with the change control put to gentoo would be possible.
Re: [gentoo-dev] Should we allow "GPL, v2 or later" for ebuilds?
On Tue, Feb 11, 2020 at 10:05 AM Haelwenn (lanodan) Monnier wrote: > > Maybe it could for now be a simple agreement on putting your code to > the Gentoo Foundation under the GPL-2+ but it would be published under > the GPL-{2,3,…}? > Well, if we were going to get people to start signing things I suggest just sticking to the FLA since it actually was written by lawyers. I attached a copy, but along these lines the key section is: We agree to (sub)license the Contribution or any Materials containing, based on or derived from your Contribution under the terms of any licenses the Free Software Foundation classifies as Free Software License and which are approved by the Open Source Initiative as Open Source licenses. That is, Gentoo would control the licenses, but they would have to be FSF/OSI approved. That doesn't mean that anybody could choose any FSF-approved license - Gentoo would still have to do the licensing. This is just a limitation on the grant of power from the original author to Gentoo on WHAT licenses GENTOO can choose. There is also a variant of the FLA that can further narrow down the licenses that Gentoo gets to choose from, but IMO if you're going to go down this path it makes sense to keep things flexible. We could of course just limit Gentoo to GPL v2+, and initially Gentoo does v2/3 and later Gentoo could revise to any later version of the GPL. But if for whatever reason the GPL falls out of favor then we can't adapt futher. Ultimately though anything like this involves giving up control. For those interested in the FLA there is a license generator at: http://contributoragreements.org/ca-cla-chooser/ You pick the terms (I used the defaults - which IMO are most appropriate but not the only valid option). It spits out an agreement for you. -- Rich fiduciary-license-license-agreement-2.0-2020-02-11-15_47_12.pdf Description: Adobe PDF document
Re: [gentoo-dev] Should we allow "GPL, v2 or later" for ebuilds?
[2020-01-30 08:19:08-0500] Rich Freeman: > On Thu, Jan 30, 2020 at 6:20 AM Haelwenn (lanodan) Monnier > wrote: > > [2020-01-27 12:41:26+0100] Ulrich Mueller: > > > So, the question is, should we allow ebuilds > > > # Distributed under the terms of the GNU General Public License, v2 or > > > later > > > in the repository, or should we even encourage it for new ebuilds? > > > > > > I have somewhat mixed feelings about this. One the one hand, I think > > > that GPL-2+ should generally be preferred because it offers better > > > compatibility. For example, the compatibility clause in CC-BY-SA-4.0 > > > won't work with GPL-2. > > > > Is there another reason for GPL-2+ than just compatibility? > > Because I quite find the "or later" thing to be quite a scary one as > > whatever will come up next as a GPL will become applicable and it feels > > quite weird to me to have a license that can evolve to whatever > > license over time. > Really the main threat (IMO) is that the code could be de-copylefted. > They could make GPL v4 a copy of the BSD license, and now anything > that was v2+ is effectively BSD and can be used in non-FOSS software > without issue. I guess that isn't any worse than the previous case of > it instead being merged into some other v4 variant that you can access > the source for but prefer to avoid because of something else in the > license, except now you might not see the code at all. Yeah, I quite share this opinion/view, with also the scary wonder of who can author a GPL-4 license as there doesn't seems to be any restriction for this in the license, just a "or later". > Another solution to this problem is the FLA - which is something we've > talked about but shelved until we've sorted out some of our other > copyright issues which were thorny enough. Perhaps we could consider > taking that up again. Without getting into the details it is a bit > like a copyleft-style copyright assignment, which isn't actually an > assignment. We envisoned it being voluntary and would allow any > contributor to give the Foundation the authority to relicense their > contributions, with a number of restrictions, like the new license > being FOSS. I'd have to dig up the latest version and take a look at > it again. Basically instead of trusting the FSF you'd be trusting the > Foundation instead, but there are some limitations on what they'd be > allowed to do, and if they violate those limitations the agreement > would be canceled and the rights would revert back to whatever was on > the original contribution, which would probably be whatever the author > originally wanted. That said, I'm not sure it really provides a whole > lot more protection over what happens except for the fact that > Foundation members have more say in how the Foundation operations than > the FSF, if only because the number of people allowed to vote are > limited to a relatively small pool Gentoo contributors, at least > compared to the entire FOSS community. I guess the FLA would be really interesting to have to get the quite useful flexibility of relicensing but keeping it to Gentoo Foundation to avoid giving this flexibility to everyone. Maybe it could for now be a simple agreement on putting your code to the Gentoo Foundation under the GPL-2+ but it would be published under the GPL-{2,3,…}?
Re: [gentoo-dev] Should we allow "GPL, v2 or later" for ebuilds?
On Thu, 30 Jan 2020 08:19:08 -0500 Rich Freeman wrote: > Really the main threat (IMO) is that the code could be de-copylefted. > They could make GPL v4 a copy of the BSD license, and now anything > that was v2+ is effectively BSD and can be used in non-FOSS software > without issue. I guess that isn't any worse than the previous case of > it instead being merged into some other v4 variant that you can access > the source for but prefer to avoid because of something else in the > license, except now you might not see the code at all. Its like we need some sort of statement people can use that says something to the effect of: - GPL versions published after this release may be used, but contingent on the author of this release verifying that newer GPL versions continue the intended spirit of GPL2 The idea that my code might be later under some other terms of license that I've never read is about as bad as somebody updating EULA/TOS without informing anybody it changed. Its *probably* fine, but I'd want to have opportunity to read those before rubber stamping it. As they say: Trust, but Verify. GPL terms changing after an authors death should not really apply retroactively to the dead authors code. pgppHmDJ7BLMD.pgp Description: OpenPGP digital signature
Re: [gentoo-dev] Should we allow "GPL, v2 or later" for ebuilds?
On Thu, Jan 30, 2020 at 8:39 AM Hanno Böck wrote: > > *If* Gentoo decides to go this relicensing way I'd recommend to only do > that if it's coordinated with organizations that have deep legal > knowledge of these issues (e.g. like software freedom conservancy) and > if some lawyers that know this stuff well approve the plan. > IMO no organization has "deep legal knowledge" of these issues, because as far as I'm aware something like this has never been done and tested in court. Really there are only a handful of legal cases at all that deal with copyleft and FOSS relicensing. There is no end of lawyers who will hand-wave on the issue. I think the bottom line is that doing something like this is legally risky, because until something like this has been done successfully many times it is novel. You're never going to find a lawyer who will sign off saying "this is safe and definitely legal." The only way you could make something like this risk-free would be to get governments around the world to pass laws setting up requirements for FOSS-relicensing without the consent of all contributors. The best we can do is mitigate risks, if we elect to do something like this. That can include being transparent, giving notice, having a way to opt out, and so on. Then when somebody sends us a cease and desist notice we just tell them no problem, their contributions will be treated as v2-only. That doesn't completely prevent them from suing us, but it would mitigate the impact, and probably make it unlikely that most would sue in the first place. Really, with something like this that is the best you're ever going to be able to hope for. If you don't want to do something unless a lawyer can guarantee that it can't be found to be a tort by a court, then you definitely don't want to pursue this change, unless we only make it forward-going for new contributions and carefully track existing code, and I doubt that will ever be very practical, so you might as well just give up and say we'll be v2 forever because that's how things were set up 20 years ago. -- Rich
Re: [gentoo-dev] Should we allow "GPL, v2 or later" for ebuilds?
I'm a bit worried if we should really go down that path. Not because I have issues with GPL2+ (I'm usually happy with everything that makes licensing more flexible), but because I'm worried we're creating a legal minefield. Think about this: You may ask me if you can relicense all the ebuilds I've ever written as GPL2+. I'll say yes. Though ask me if you can relicense all the ebuilds I've ever committed? Well... They came from bug reports, overlays, heavily edited by other people, and I have no way of tracking that. I added them under the implicit assumption that someone who has submitted such an ebuild to bugzilla or to an overlay with the gentoo/gpl2 copyright line in it would implicitly agree that they would be redistributed under those conditions. IANAL, but I think that's a fair assumption. But do all these people that created or contributed to the ebuilds I ever committed agree to a GPL2+-relicensing? No idea, probably not. Is their work relevant enough to have a license at all? IANAL. *If* Gentoo decides to go this relicensing way I'd recommend to only do that if it's coordinated with organizations that have deep legal knowledge of these issues (e.g. like software freedom conservancy) and if some lawyers that know this stuff well approve the plan. -- Hanno Böck https://hboeck.de/ pgpoBtmFxekQw.pgp Description: OpenPGP digital signature
Re: [gentoo-dev] Should we allow "GPL, v2 or later" for ebuilds?
On Thu, Jan 30, 2020 at 6:20 AM Haelwenn (lanodan) Monnier wrote: > > [2020-01-27 12:41:26+0100] Ulrich Mueller: > > So, the question is, should we allow ebuilds > > # Distributed under the terms of the GNU General Public License, v2 or later > > in the repository, or should we even encourage it for new ebuilds? > > > > I have somewhat mixed feelings about this. One the one hand, I think > > that GPL-2+ should generally be preferred because it offers better > > compatibility. For example, the compatibility clause in CC-BY-SA-4.0 > > won't work with GPL-2. > > Is there another reason for GPL-2+ than just compatibility? > Because I quite find the "or later" thing to be quite a scary one as > whatever will come up next as a GPL will become applicable and it feels > quite weird to me to have a license that can evolve to whatever > license over time. Well, there are two sides to this particular issue. GPL 2+ means that anybody can choose to redistribute the code under the terms of any version of the GPL that is >=2. So, if they add terms to GPL v4 that you really don't like, you can still redistribute it under the terms of GPL v2-3 if you prefer. The other side to this is that you can't stop others from redistributing it under v4. They could also incorporate it into other code that is v4+ which you could only redistribute under v4 or greater. Of course, the original code can still be redistributed under v2 - it is just the parts that are comingled with other v4 code that is at issue. Really the main threat (IMO) is that the code could be de-copylefted. They could make GPL v4 a copy of the BSD license, and now anything that was v2+ is effectively BSD and can be used in non-FOSS software without issue. I guess that isn't any worse than the previous case of it instead being merged into some other v4 variant that you can access the source for but prefer to avoid because of something else in the license, except now you might not see the code at all. The advantage of 2+ is of course flexibility: For one it reduces license proliferation. Code that is v2-only is effectively orphaned with regard to v3, v4, v5, and so on projects in the future. GPLv2 is fairly restrictive by design around compatibility with other licenses and accepting future versions helps mitigate this insofar as you trust the FSF. And of course if at some point some fatal flaw is found in the GPL in a court case, it is possible that a future version could mitigate that flaw. Of course, if that flaw lets anybody ignore the copyleft bits you can't prevent people from using it under the old flawed v2, but at least you can still use the code in your own v4 or whatever. Of course, if the flaw effectively made the v2 code public domain you can do that anyway, but if the flaw were of a different nature it might cause problems having code being locked up as v2-only. > > I think I would personally slightly prefer to have it be properly > dual-licensed GPL-{2,3} or GPL-2 & CC-BY-SA-4.0 instead. > The problem like this is that this is basically just kicking the can down the road. It is of course equivalent for the moment, but when GPLv4 comes along we have to go through this again. Right now most of the Gentoo authors are alive and might be willing to explicitly sign off on a relicense (maybe). However, maybe in another 10 years when GPLv4 comes out it is going to be much harder to track everybody down. On the flip side the fact is that none of us know what the FSF will look like in 10 years, or 40 years. There are plenty of large non-profits today that bear little resemblance to what they looked like 100 years ago, for good or ill. The GPL v2 (or v3) are known quantities that we can debate on in a concrete manner, but unknown future versions can only be speculated on. Another solution to this problem is the FLA - which is something we've talked about but shelved until we've sorted out some of our other copyright issues which were thorny enough. Perhaps we could consider taking that up again. Without getting into the details it is a bit like a copyleft-style copyright assignment, which isn't actually an assignment. We envisoned it being voluntary and would allow any contributor to give the Foundation the authority to relicense their contributions, with a number of restrictions, like the new license being FOSS. I'd have to dig up the latest version and take a look at it again. Basically instead of trusting the FSF you'd be trusting the Foundation instead, but there are some limitations on what they'd be allowed to do, and if they violate those limitations the agreement would be canceled and the rights would revert back to whatever was on the original contribution, which would probably be whatever the author originally wanted. That said, I'm not sure it really provides a whole lot more protection over what happens except for the fact that Foundation members have more say in how the Foundation operations than the FSF, if only because
Re: [gentoo-dev] Should we allow "GPL, v2 or later" for ebuilds?
[2020-01-27 12:41:26+0100] Ulrich Mueller: > So, the question is, should we allow ebuilds > # Distributed under the terms of the GNU General Public License, v2 or later > in the repository, or should we even encourage it for new ebuilds? > > I have somewhat mixed feelings about this. One the one hand, I think > that GPL-2+ should generally be preferred because it offers better > compatibility. For example, the compatibility clause in CC-BY-SA-4.0 > won't work with GPL-2. Is there another reason for GPL-2+ than just compatibility? Because I quite find the "or later" thing to be quite a scary one as whatever will come up next as a GPL will become applicable and it feels quite weird to me to have a license that can evolve to whatever license over time. I think I would personally slightly prefer to have it be properly dual-licensed GPL-{2,3} or GPL-2 & CC-BY-SA-4.0 instead.
Re: [gentoo-dev] Should we allow "GPL, v2 or later" for ebuilds?
On Mon, Jan 27, 2020 at 6:41 AM Ulrich Mueller wrote: > > Historically, all ebuilds in the Gentoo repository were licensed under > GPL-2+. At a later point they were relicensed [1] to GPL-2. See [2] for > a rationale (or absence of it, YMMV). I think the historical policy made sense in its context, which was a world where all copyrights were to be assigned. In that case you can already relicense at will, so you still have flexibility, but by keeping it pinned at one version you don't get pulled into something by somebody else that you didn't intend. Now, over time the whole assignment thing became fuzzier and I don't really want to get into a largely-moot debate at this point over how effective those assignments were at various points in time. Today we are in a world where our intent isn't for the default to involve assignment, and so the v2-only licenses create (IMO) more problems than they prevent. > On the other hand, we would presumably never achieve a complete > transition to GPL-2+, so we would have ebuilds with either GPL variant > in the tree. Not sure how big an issue that would be. Updating ebuilds > wouldn't be a problem (as the old header would stay), but devs would > have to spend attention to the header when copying code from one ebuild > to another. Devs already have to be careful about copying code into ebuilds that go into our repo. Somebody could attach an ebuild to a bug and stick "Copyright Joe Smith all rights reserved" at the top of it. I think it would make sense to have a call for Devs to voluntarily report in and give permission for their contributions to be licensed v2+ with no change in copyright ownership and see what happens. I wouldn't be surprised if we could relicense 80-90% of the tree quickly. If that happens then we could just require it for new contributions (if we wanted to), and then over time the problem would just go away, just like an old EAPI. We could also stick warnings in ebuild comments like "# Warning v2-only ebuild - do not copy !" and maybe copy it every 20 lines if we wanted to be super-paranoid. I do agree with the general argument that much of this code isn't really subject to copyright. We could just do both an opt-in and opt-out approach to this. Have the opt-in so that we get as much explicit approval as we can. Also do an opt-out with a prominent announcement like, "hey, we're about to adopt GPL v2+ for all our ebuilds so if you think you have contributions that are non-trivial and want to object to those contributions being relicensed please let us know." It isn't an airtight defense, but it isn't entirely unreasonable either. Or we could just see how many fish we catch with a very conservative opt-in approach and go from there. We might not need to even consider the risk of an opt-out approach. -- Rich
Re: [gentoo-dev] Should we allow "GPL, v2 or later" for ebuilds?
> Note that we could easily revert from GPL-2+ to GPL-2 if it would turn > out to be too much trouble. > > Thoughts? I would prefer a single license for all ebuilds. GPL-2+ or GPL-2 or GPL-... does not matter to me, I am willing to sign, that all my contributions may be licensed also as GPL-... IANAL, but I would expect that the license does not change anything for trivial ebuilds. The level of creativity ("Schöpfungshöhe") is not high enough for most ebuilds. Most ebuild contain only an obvious recipe to install the software. -- Best, Jonas signature.asc Description: OpenPGP digital signature
Re: [gentoo-dev] Should we allow "GPL, v2 or later" for ebuilds?
On Mon, 2020-01-27 at 12:41 +0100, Ulrich Mueller wrote: > The following came up in #gentoo-qa yesterday, in a discussion between > mgorny, soap and myself. Hey, I was waiting for the Council agenda mail to discuss this ;-). > So, the question is, should we allow ebuilds > # Distributed under the terms of the GNU General Public License, v2 or later > in the repository, or should we even encourage it for new ebuilds? > > I have somewhat mixed feelings about this. One the one hand, I think > that GPL-2+ should generally be preferred because it offers better > compatibility. For example, the compatibility clause in CC-BY-SA-4.0 > won't work with GPL-2. It will also enable us to switch to GPL-3+ (or GPL-n+, in general) in the future, if we ever have a reason to. > On the other hand, we would presumably never achieve a complete > transition to GPL-2+, so we would have ebuilds with either GPL variant > in the tree. Not sure how big an issue that would be. Updating ebuilds > wouldn't be a problem (as the old header would stay), but devs would > have to spend attention to the header when copying code from one ebuild > to another. We should work on getting approval from as many devs as possible, then the risk of inaccurate relicensing will be safely low. Then, there's the general problem of how much of ebuilds is actually copyrightable, and I don't think there will be any reason to object to it if ebuild doesn't have some really original code. > Thoughts? > I'm (obviously) all for it. -- Best regards, Michał Górny signature.asc Description: This is a digitally signed message part