
Kuhn: Berkeley DB 6.0 license change and Debian

From:  "Bradley M. Kuhn" <bkuhn-AT-ebb.org>
To:  debian developers <debian-devel-AT-lists.debian.org>, "debian-legal-AT-lists.debian.org" <debian-legal-AT-lists.debian.org>
Subject:  Re: Berkeley DB 6.0 license change to AGPLv3
Date:  Wed, 03 Jul 2013 11:34:38 -0400

Many people off-list have been asking me to comment on this discussion,
because (like Richard Fontana) I'm a co-author of AGPLv3, and I also
(back in the early 2000's) invented the original licensing idea behind
the AGPLv1.

I thus care deeply about the license and believe it's an important
policy plan for the future of freedom in the age of network services.
(I gave a talk at SCALE 2013 about this specific issue, if folks are
curious about that: https://lwn.net/Articles/541981/ .)

Upon catching up on this thread, I believe most of what needs to be said
about the issue for Debian's perspective has been said.  Nevertheless, I
do want to point out that I think three separate issues have been
conflated in this thread:

  (a) Is the AGPLv3 a DFSG-free license and should it remain such?

  (b) Is it a bad policy decision for Debian generally to have a core
      library, used by many other packages under AGPLv3 -- thus causing
      a move of licensing of more packages toward an effective AGPLv3
      license, due to the combining of those packages with an AGPLv3'd
      library?

  (c) Even if (a) and (b) are settled as "Yes" and "No",
      respectively: is Oracle, given its history of abusive copyleft
      enforcement (by refusing to allow full compliance as an adequate
      remedy and demanding the purchase of proprietary licenses by
      license violators), too dangerous for Debian and its downstream?

On (a), I think Paul Tagliamonte has summarized the issue best:

Paul Tagliamonte wrote at 09:15 (EDT) on Tuesday:
> The AGPL is a DFSG free FSF approved and OSI approved free software
> license? We made a decision, it's *free software* and fit for main.

I too believe that issue is decided and should be left alone.


On (b), I think the discussion about apt needing to be (effectively)
AGPLv3-or-later to continue using BDB is salient.  I, for one, would
like to see such a thing, but I'm a biased party who co-authored AGPLv3
and believe in its policy goals; I'd like to see more software under
AGPLv3!  But, I also see it from the point of view of Debian developers
who might feel this sort of policy change is too drastic a move to the
strongest copyleft available.

I know that some have complained that compliance with AGPLv3 may require
more work by Debian redistributors.  That is a reasonable concern, but I
think the issue can be mitigated.  The argument is roughly analogous to
this one: complying with GPLv2 is more difficult than complying with the
Apache license.  But, unless Debian wants to take a wholesale position
opposed to copyleft, I don't think this issue is or should be considered
insurmountable.

Indeed, I think that issue is what's being considered in this exchange
between Ondřej and Fontana:

Ondřej Surý wrote at 12:20 (EDT) on Tuesday:
>> 2. AGPLv3 is incompatible with Apache 2.0 license
>> (http://www.apache.org/licenses/GPL-compatibility.html)
Richard Fontana wrote at 13:03 (EDT) on Tuesday:
>>> Only in the same sense that GPL or LGPL (any version) is
>>> incompatible with any noncopyleft license in the
>>> copyleft-to-permissive direction. The Apache License 2.0 is
>>> compatible with AGPLv3 in the other direction.

I wouldn't frame the debate as Fontana has, but I agree that there's an
issue that copyleft has a certain one-way magnetism to it (by design).
And, the stronger the copyleft, the stronger the magnet.  Once a package
has copylefted parts, the whole package must be considered to be
licensed under the strongest copyleft present.  That may be too big a
leap for apt, but again: that's a policy decision for Debian developers.

Finally, I suggest that the last issue, (c), should be decided
separately from those first two.  Even *if* programs like apt can
reasonably be placed under the AGPLv3, we know that Oracle, per its
MySQL aggression...

Ben Hutchings wrote at 09:48 (EDT) on Tuesday:
>>>> If the relicensing is real and not another misconfiguration of the
>>>> build/release system (like with MySQL docs), this sounds like a
>>>> shakedown for proprietary users of Berkeley DB.  GPLv2-licensed
>>>> users are collateral damage.

... is known to use copyleft licenses as aggressive weapons to force the
sale of proprietary licenses.  Note, however, that Sleepycat had roughly
the same business model with its "copyleft license hidden behind
BSD-like" license drafting.  As such, the only *real* changes I see here
are: (0) an even stronger copyleft is being used and (1) Oracle has a
lot more resources for aggression than Sleepycat did before acquisition.

Admittedly, though, (c) is a very complex policy question, and it's
precisely why I have great trepidation when a codebase is
single-copyright-held by one for-profit company.

BTW, I'd suggest a rather unorthodox solution if developers are
interested: fork this AGPLv3'd version of BDB, and begin making
substantial improvements and changes under AGPLv3.  That way, Oracle
isn't the sole copyright holder, and if Oracle were to take action under
a clause of AGPLv3, other copyright holders could intervene and indicate
they disagreed with Oracle.  If the case went to litigation, Oracle
would have a tough time because the other copyright holders would be
expert witnesses (in the USA sense -- not sure what the equivalent is
elsewhere in the world) who were saying Oracle was acting unfairly and
over-reading the license terms.  (I'd certainly be willing to be an
expert witness as the license's co-author in such cases.)

This solution is better than forking under the old Sleepycat license,
since it will help establish estoppel against Oracle being the only
valid interpreter of AGPLv3 with regard to the BDB.  Other copyright
holders of the fork will have a big say, and perhaps a greater say than
Oracle, ultimately.  Doing that for the Sleepycat license seems somewhat
pointless, given it's not a one-off license used only (now) for old
versions of BDB.

I remain willing to assist Debian as it investigates these questions.
I'm subscribed to debian-legal and will see posts there, but please cc
me on debian-devel side, as I'm not a subscriber there.
-- 
   -- bkuhn






Kuhn: Berkeley DB 6.0 license change and Debian

Posted Jul 3, 2013 21:48 UTC (Wed) by luto (guest, #39314) [Link] (2 responses)

Does this mean that anyone who runs something like the old BDB-backed Subversion as a web service will have to make source available?

If so, I wonder if this will be the end of BDB being used for anything new.

Kuhn: Berkeley DB 6.0 license change and Debian

Posted Jul 4, 2013 6:22 UTC (Thu) by khim (subscriber, #9252) [Link]

Most users switched to SQLite a long time ago. I don't like to use SQL for simple tasks (it just looks like huge overkill), but it's preferable to the BDB license mess. It was quite messy for years and most users avoided it for these (and other) reasons, thus I don't think a switch to AGPLv3 will change anything suddenly.

Kuhn: Berkeley DB 6.0 license change and Debian

Posted Jul 4, 2013 7:02 UTC (Thu) by ondrej (subscriber, #27872) [Link]

Only if the Subversion in question was recompiled with BDB 6.0+, then yes.

Kuhn: Berkeley DB 6.0 license change and Debian

Posted Jul 3, 2013 21:50 UTC (Wed) by juliank (guest, #45896) [Link] (1 responses)

Some facts on the APT side:

(a) APT is licensed under the GPL-2+, so it can link to AGPL-3 code
(b) Only the apt-ftparchive program links to libdb

This means it is perfectly valid for APT (precisely: apt-ftparchive) to use the new Berkeley DB release, it will not affect any users of the libraries.

Kuhn: Berkeley DB 6.0 license change and Debian

Posted Jul 4, 2013 6:58 UTC (Thu) by ondrej (subscriber, #27872) [Link]

APT is just a drop in the sea: http://lists.debian.org/debian-devel/2013/07/msg00140.html

I would be more concerned about, for example, libsasl2 with Berkeley DB plugin... and others.

Kuhn: Berkeley DB 6.0 license change and Debian

Posted Jul 3, 2013 21:53 UTC (Wed) by josh (subscriber, #17465) [Link] (21 responses)

I think this email misses the point.

I don't see anything wrong with the AGPLv3 as a license; I like it quite a bit, and I think it will become increasingly important as more software moves to a service model.

However, taking a long-standing infrastructure library previously released under an all-permissive license and suddenly relicensing it under AGPLv3 seems highly problematic for all the software out there that currently uses that library.

Creating a new library under AGPLv3 doesn't raise the same concerns.

Kuhn: Berkeley DB 6.0 license change and Debian

Posted Jul 3, 2013 22:27 UTC (Wed) by mjw (subscriber, #16740) [Link] (20 responses)

Was the previous license really all-permissive? Berkeley DB was distributed under the Sleepycat License, which according to the wikipedia page https://en.wikipedia.org/wiki/Sleepycat_License 'is a strong form of copyleft because it mandates that redistributions in any form not only include the source code of Berkeley DB, but also "any accompanying software that uses the DB software"'.

Kuhn: Berkeley DB 6.0 license change and Debian

Posted Jul 4, 2013 3:08 UTC (Thu) by josh (subscriber, #17465) [Link] (19 responses)

Sorry, you're right; thanks for the correction. Previous versions of Berkeley DB had some code under all-permissive licenses, but the prevailing license was indeed the Sleepycat license, a GPLv2-compatible copyleft license. (Somewhat weaker copyleft than the GPLv2, but not as weak as the LGPL.)

However, the same arguments still apply: taking a library under a more permissive license (GPLv2-compatible) and relicensing it under a more restrictive license (GPLv2-incompatible, and compatible but more restrictive than the GPLv3) still seems highly problematic for all the software out there that currently uses that library.

Kuhn: Berkeley DB 6.0 license change and Debian

Posted Jul 4, 2013 7:00 UTC (Thu) by ondrej (subscriber, #27872) [Link]

The SleepyCat license was also 4-clause BSD, Apache 2.0 (and a bunch of others) compatible.

And thanks josh for pointing this out.

Kuhn: Berkeley DB 6.0 license change and Debian

Posted Jul 4, 2013 12:11 UTC (Thu) by chithanh (guest, #52801) [Link] (4 responses)

> relicensing it under a more restrictive license (GPLv2-incompatible, and compatible but more restrictive than the GPLv3) still seems highly problematic

Do note that the FSF endorses the practice of libraries migrating to stronger copyleft. This forces the consumers of the library to switch to GPL-compatible free software licenses.

http://www.gnu.org/licenses/why-not-lgpl

Whether Berkeley DB offers the unique capabilities to make the license switch advantageous I don't know.

Kuhn: Berkeley DB 6.0 license change and Debian

Posted Jul 4, 2013 14:45 UTC (Thu) by bjartur (guest, #67801) [Link]

The problem at hand is GPLv2-incompatibility. Switching to AGPLv3 may require tedious or impossible consent-gathering or dropping a whole lot of strongly copylefted code. This mess is a valid argument for publishing under GPLv2+ or more permissive licenses.

Although to be fair, anyone is allowed to fork the Sleepycat licensed version.

Kuhn: Berkeley DB 6.0 license change and Debian

Posted Jul 4, 2013 17:45 UTC (Thu) by josh (subscriber, #17465) [Link] (2 responses)

That page endorses the practice of writing new useful libraries without equivalents elsewhere, and licensing them under the GPL rather than the LGPL. I agree with that practice entirely.

That page does *not* endorse the practice of changing the license on existing libraries, pulling the rug out from under their existing users.

Kuhn: Berkeley DB 6.0 license change and Debian

Posted Jul 4, 2013 23:37 UTC (Thu) by chithanh (guest, #52801) [Link] (1 responses)

Quoting from the FSF page:

> So we are now seeking more libraries to release under the ordinary GPL.

This reads to me that they want to take existing libraries too and release them under GPL.

In the GPLv3 FAQ the FSF even suggests ("would be nice") to switch GPL libraries temporarily to LGPL and then under certain circumstances back to GPL, but admits that it is difficult or infeasible to do.

Kuhn: Berkeley DB 6.0 license change and Debian

Posted Jul 5, 2013 7:32 UTC (Fri) by pbonzini (subscriber, #60935) [Link]

> This reads to me that they want to take existing libraries too and
> release them under GPL.

Has it ever happened? If not, the way it reads to you is wrong...

Kuhn: Berkeley DB 6.0 license change and Debian

Posted Jul 4, 2013 18:49 UTC (Thu) by bkuhn (subscriber, #58642) [Link] (5 responses)

I think the issue is more about who has done the change (my point (c) in the main post), rather than the change. Oracle isn't someone our community trusts, so there's a worry when they go to stronger copyleft, because they've got a history of using copyleft as an abusive weapon.

Kuhn: Berkeley DB 6.0 license change and Debian

Posted Jul 4, 2013 19:57 UTC (Thu) by josh (subscriber, #17465) [Link] (4 responses)

That's certainly a concern, but no matter who the copyright holder is, it's still rude to take a very widely used library under a more-permissive license and abruptly change it to a less-permissive license.

Kuhn: Berkeley DB 6.0 license change and Debian

Posted Jul 4, 2013 20:16 UTC (Thu) by mjw (subscriber, #16740) [Link] (3 responses)

If they didn't discuss and communicate this well with the community (and it seems they didn't) then it is certainly a pain and rude. But the upgrade doesn't seem entirely bad. It gets rid of a one-off license and replaces it with a more common standard one that provides better patent protection and makes sure users of the program and larger works based on it get more rights in general. Is the new license really incompatible with anything? The only thing that sticks out is GPLv2-only. Maybe someone could ask Oracle if they would consider dual licensing under GPLv2-only and AGPLv3?

Kuhn: Berkeley DB 6.0 license change and Debian

Posted Jul 6, 2013 17:08 UTC (Sat) by fw (subscriber, #26023) [Link]

There is no Berkeley DB community. Development is all in-house at Oracle, and it is extremely difficult as a downstream redistributor to report fixes and get patches. What comes closest to a community is the forums hosted by Oracle, and the AGPL has not been discussed there as far as I can tell.

Kuhn: Berkeley DB 6.0 license change and Debian

Posted Jul 8, 2013 13:35 UTC (Mon) by ondrej (subscriber, #27872) [Link] (1 responses)

Gosh, the GPLv2-only dual licensing won't help the project with other non-GPL-compatible licenses, that depend on Berkeley DB. SleepyCat license was strong-copyleft, but apart from that it was compatible with almost any open source upstream license.

AGPL is just extra burden, but any GPL family license would be equally as bad for depending projects.

Kuhn: Berkeley DB 6.0 license change and Debian

Posted Jul 8, 2013 21:58 UTC (Mon) by mjw (subscriber, #16740) [Link]

But are there any such projects in practice that are both incompatible with AGPLv3 and GPLv2? If so maybe something like the mysql exception might be more helpful? https://www.mysql.com/about/legal/licensing/foss-exception/

Has someone contacted Oracle to discuss existing larger works that are currently distributed under terms compatible with the old sleepy cat license, but cannot be redistributed under any terms that are compatible with the new AGPL license? Are they willing to consider a GPLv2 exception or something like the mysql foss-exception?

Kuhn: Berkeley DB 6.0 license change and Debian

Posted Jul 8, 2013 3:33 UTC (Mon) by foom (subscriber, #14868) [Link] (6 responses)

I'm not sure why everyone's up-in-arms about this, yet nobody seemed terribly concerned when lots of GNU libraries were relicensed from GPLv2/LGPLv2 to GPLv3/LGPLv3.

E.g. libreadline changing from GPLv2 to GPLv3, or libgmp changing from LGPLv2 to LGPLv3.

In both cases it seems rather rude, and likely to cause inadvertent license-violations by consumers, but oh well.

Kuhn: Berkeley DB 6.0 license change and Debian

Posted Jul 8, 2013 20:35 UTC (Mon) by jimparis (guest, #38647) [Link] (4 responses)

> I'm not sure why everyone's up-in-arms about this, yet nobody seemed terribly concerned when lots of GNU libraries were relicensed from GPLv2/LGPLv2 to GPLv3/LGPLv3.

It's the A.

The AGPLv3 is a big change from just about any other type of license, because it attaches provisions to use, rather than just distribution.

Kuhn: Berkeley DB 6.0 license change and Debian

Posted Jul 8, 2013 21:45 UTC (Mon) by foom (subscriber, #14868) [Link] (3 responses)

That's not true at all: AGPLv3 attaches provisions to copying, distribution, and modification, *not* use, just like other licenses.

Yes, there are more terms attached to modification than in the GPLv3, but it still covers the same activities.

Kuhn: Berkeley DB 6.0 license change and Debian

Posted Jul 8, 2013 22:22 UTC (Mon) by jimparis (guest, #38647) [Link] (2 responses)

> That's not true at all: AGPLv3 attaches provisions to copying, distribution, and modification, *not* use, just like other licenses.
>
> Yes, there are more terms attached to modification than in the GPLv3, but it still covers the same activities.

Are you just lawyering me on the definition of the term "use", or am I really just misunderstanding the AGPLv3? If I incorporate AGPLv3 Berkeley DB into my own private software and use it to publicly serve up GIFs of bouncing cows, doesn't the AGPLv3 require that I provide a download link for the source code?

Kuhn: Berkeley DB 6.0 license change and Debian

Posted Jul 9, 2013 2:27 UTC (Tue) by foom (subscriber, #14868) [Link] (1 responses)

I wasn't actually intentionally lawyering you -- I thought you had actually meant use in the sense of installing and running an unmodified copy on your machine. But, I now understand that you meant "modify" by "use", because of course, as developers, modification is a primary way we "use" software libraries. Basically, "use" is just a bad word to use, it's too ambiguous. :)

But, yes, I guess I was just actually just "lawyering" you on the definition of the term "use", and I think what you say is the case -- you are probably required to provide a download link for both BDB's source code and your dancing cow code.

Kuhn: Berkeley DB 6.0 license change and Debian

Posted Jul 9, 2013 8:23 UTC (Tue) by mpr22 (subscriber, #60784) [Link]

I looked at the AGPL's use restriction and arrived at a question: If I use an AGPL'd library in my network-facing application that serves images but not text, do I have to deface all the images with a download link?

Kuhn: Berkeley DB 6.0 license change and Debian

Posted Jul 8, 2013 22:07 UTC (Mon) by mjw (subscriber, #16740) [Link]

Probably because there was a very long discussion period before *GPLv3 was introduced. And it was clear from the start that using GPLv2-only would cause you trouble if you depended on any GPLv2+ work that could potentially upgrade in the future.

The issue here seems to be that there was no discussion period in which any potential issues with larger works could have been pointed out by the community in advance. So there was no transition period in which a project could arrange to upgrade the license of their work based on BDB.

It isn't clear to me though if any of the affected projects have contacted BDB/Oracle and tried discussing any issues they are facing now. Maybe some people have and those discussions just haven't become public yet?

Kuhn: Berkeley DB 6.0 license change and Debian

Posted Jul 8, 2013 18:15 UTC (Mon) by lxoliva (guest, #40702) [Link] (1 responses)

I'm a bit surprised Bradley didn't mention that *GPLv3 licenses aren't as good licenses for business models based on revoking licenses so as to force a purchase because of the provisions to reinstate the license automatically after coming to compliance, under certain constraints. (see the full license for the details)

These provisions mean that, unlike a *GPLv2 licensee that loses the license right away upon infringement and depends on the licensor's sympathy to get a license back, *GPLv3 licenses enable the licensee to earn the license back by coming into compliance. Exploiters of automatic termination lose a lot of leverage in selling proprietary licenses with this provision.

Kuhn: Berkeley DB 6.0 license change and Debian

Posted Jul 19, 2013 5:28 UTC (Fri) by yuhong (guest, #57183) [Link]

I think it was mentioned later in this thread.


Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds