Apache disallows the Facebook BSD+patent license
Patent grants
Facebook has open-sourced a large number of projects that it uses
internally; the company's preferred license is the permissive three-clause BSD
license. This license says nothing about patents, but it has often
been argued that any entity releasing software under the BSD license is
making an implicit grant for any patents required to use that software.
Otherwise, the permission for "redistribution and use in source and
binary forms
" would lack meaning. Other licenses, including GPLv2,
are also generally assumed to contain an implicit patent grant, but this is
an idea that lacks testing in court.
The problem with untested legal hypotheses is that they are about as reliable as untested software. While the implicit grant remains unproven, one cannot discount the prospect of an evil entity releasing software under a free copyright license with the intent of attacking the users of that software for patent infringement. Companies that worry about such things are thus much happier with an explicit patent grant. The implicit patent grant idea also can rub patent holders the wrong way; they would prefer to retain more control and, if they must grant patent-use rights when they release software, they would like to do so in a way that is revocable should (from their point of view) the need arise.
That is the reasoning that leads to Facebook's "additional grant of patent rights" that it attaches to its software releases. It explicitly grants a right to any Facebook patents that might otherwise be infringed by the software. But it also contains a patent retaliation term, in that anybody who asserts a patent against Facebook (for any reason) or against other users of the software (for patents allegedly infringed by the software itself) can have their patent license terminated. "Assertion" is the word used in the grant; things do not have to get to a point where a lawsuit is filed before the termination can happen.
The Apache Software License 2.0 (ASL) contains similar patent-grant language, but termination only happens when actual litigation is initiated. It is also, crucially, more focused: the retaliation clause is restricted to patents (alleged to be) infringed by the licensed software itself. The Facebook grant, instead, terminates on any patent assertion against Facebook, even if it has nothing to do with the software covered by the grant. This language feeds fears that, if a company uses Facebook code in its products, it must grant Facebook access to all of its patents or risk license termination. That, too, is an untested legal hypothesis and there does not appear to be any evidence that Facebook wants to use the grant in that manner, but it still raises eyebrows.
Category-X
In April, Jeff Jirsa raised an issue with the Apache legal community. The Apache Cassandra project was considering adding Facebook's RocksDB key-value database as a storage engine, but was wondering about the patent grant. In June, the community started discussing the issue and didn't much like what it saw. The asymmetric nature of the patent grant, in particular, was deemed to be incompatible with the ASL.
On July 15, ASF director and vice president of legal affairs Chris Mattmann issued a decree stating that the Facebook BSD+patents license had been placed into the dreaded Category X and that, as a result, Apache projects could not incorporate or depend on software that uses that license. For any projects that had already released code with such a dependency (and there were a few in the case of RocksDB), a temporary reprieve — until August 31 — was granted. In the meantime, such projects need to add a notice to their repositories that the Facebook patent grant is present there.
That would seem to be the end of the line for the use of RocksDB in Apache projects — except that RocksDB changed its license in response to the Category-X designation. It is now dual-licensed under the ASL and GPLv2. Once an official release has been made under that license, RocksDB will once again be usable by Apache projects.
The story doesn't quite end there, though: perhaps a bigger issue is React, which is also under the Facebook license regime. React is used by Apache projects like CouchDB; moving away from it will not be an easy thing for the CouchDB developers to do in the next month. It is thus unsurprising that the CouchDB developers have asked the React project to consider a license change similar to what RocksDB has done. That change is under discussion as of this writing; it's not clear that the odds of it happening are particularly high, though, so the CouchDB developers are looking at alternatives.
This sort of licensing disagreement is unfortunate; it divides our
community into separate groups that are unable to share their software.
Since sharing the software is one of the major points behind this whole
exercise, that could be seen as a significant bug in how we operate.
Perhaps it is unsurprising that an increasingly large part of the community
seems to want to just toss the software out there and do away with
licensing altogether. Outside of copyleft concerns, though, most of these
disagreements are really artifacts of the legal regime in which the
community operates. That regime changes slowly at best, so we can expect
to be dealing with issues like this one for some time yet.
Posted Jul 19, 2017 4:47 UTC (Wed)
by JdGordy (subscriber, #70103)
[Link] (2 responses)
Except that's not what seems to be happening? if RocksDB changed their license and CouchDB are in discussions too it would look like this dispute ends up for the better.
Posted Jul 19, 2017 5:07 UTC (Wed)
by ssmith32 (subscriber, #72404)
[Link] (1 responses)
Posted Jul 22, 2017 20:48 UTC (Sat)
by debacle (subscriber, #7114)
[Link]
Posted Jul 19, 2017 4:54 UTC (Wed)
by Otus (subscriber, #67685)
[Link] (17 responses)
Posted Jul 19, 2017 6:56 UTC (Wed)
by lkundrak (subscriber, #43452)
[Link]
Perhaps they believe that an existence of an explicit patent grant voids their assumption of an implicit patent grant?
Posted Jul 19, 2017 7:58 UTC (Wed)
by k8to (guest, #15413)
[Link] (11 responses)
Thus, while in absence of this clause, it might be plausible that you have legitimate reason to use some of the facebook patented inventions, even in circumstances where Facebook is legitimately violating your rights, with this clause you may lose access.
It creates a new and different category of uncertainty, and more importantly, it creates different restrictions from the ASLv2 license.
Thus, it is in some respects more restrictive than the BSD 3 clause license alone.
Posted Jul 19, 2017 9:33 UTC (Wed)
by lkundrak (subscriber, #43452)
[Link] (9 responses)
Posted Jul 19, 2017 10:02 UTC (Wed)
by juliank (guest, #45896)
[Link] (8 responses)
Posted Jul 19, 2017 14:52 UTC (Wed)
by jejb (subscriber, #6654)
[Link] (7 responses)
Just on this, a licence must contain some phrasing that implies the patent grant and gives it some scope and consequences, like GPLv2 clause 7. Absent that, it's highly unlikely a court will find that any of the BSD family of licences contains an implied patent grant.
However, if a court did find BSD to contain such a grant, no additional permission of Facebook could remove it because you'd get the rights twice: once via the implicit grant and once via the Facebook explicit grant. The recipient doing something that terminated the explicit grant wouldn't affect the implicit one and thus you'd still possess the BSD patent grant.
Posted Jul 19, 2017 15:12 UTC (Wed)
by juliank (guest, #45896)
[Link] (4 responses)
But if you now state "Hey, we add a patent grant, as the license does not have one", this effectively also changes how the license should be interpreted in the context, effectively stating that the license does not grant patents. If you state that, and the court comes back saying: "Hey, the patent grant is not needed, the license already grants patents", that would be an odd situation.
Posted Jul 19, 2017 15:15 UTC (Wed)
by juliank (guest, #45896)
[Link] (2 responses)
Posted Jul 19, 2017 17:41 UTC (Wed)
by jejb (subscriber, #6654)
[Link] (1 responses)
I believe he thinks the reason to apply contract interpretations is the Artifex v Hancom decision. However, just because you can enforce contractual remedies under certain circumstances does not mean that a licence is interpreted exactly like a contract. The terms of a licence have universality, meaning they have to be interpreted in the same way for everyone. The only way to change this is to alter the terms. The Facebook patent grant, being an additional permission, does not alter the terms so any court decision that the BSD licence gives an implied patent grant would be binding on Facebook regardless of any evidence (or even an explicit statement) that Facebook's intention was not to grant patents except via the additional permission when they released code under the BSD licence.
The key question that governs whether the additional permission alters the terms of the licence is severability: if you receive code under BSD+FB may you re-release it as BSD only? Facebook already stated that you may.
Posted Jul 20, 2017 5:55 UTC (Thu)
by bernat (subscriber, #51658)
[Link]
You may, but you don't own any of the associated patent. So, the implicit grant people get from you through the BSD license is weaker that the implicit grant people may have got from Facebook if they kept only the BSD license.
Posted Jul 19, 2017 15:48 UTC (Wed)
by jejb (subscriber, #6654)
[Link]
That same arguments were made in the Rambus cases, plus an estoppel one that Rambus deceptively influenced the standard intending to assert its pending patents after adoption. Neither were found persuasive by the courts, which is why absent any language about patents in a licence or agreement, the legal assumption is there is no patent grant.
Posted Jul 21, 2017 13:17 UTC (Fri)
by mirabilos (subscriber, #84359)
[Link] (1 responses)
Although I’d prefer to find courts ruling that software cannot be patented…
Posted Jul 21, 2017 18:38 UTC (Fri)
by jejb (subscriber, #6654)
[Link]
Well the current patent implied licences are judicial constructs meaning they're not supported by an explicit statute but instead come about in court by consideration of nearby laws plus common law expectations, yes. However, almost all of the constructs require some sort of promise about patents. It is thought (but not tested in court) that the patent non retaliation clause present in most open source licences constitutes such a promise. The problem for BSD is it doesn't have one.
The implied licence doctrine that doesn't require a promise is legal estoppel, which is currently constructed in terms of a sale of a patented item. The two requirements to invoke it are consideration and no non-infringing use (the estoppel theory is if I sell you an item which you cannot use in any way except by infringing a patent I hold, I can't then sue you for infringing that patent because my sale to you of the item is only effective if you can use it, thus the consideration I received from the sale must have implied a licence to my patent). No non infringing use is commonly considered to be satisfied if you make a contribution to an open source project which cannot be used unless one of the patents you hold is infringed, which works for BSD, but consideration is much harder to come by. Fenwick and West did an analysis of GPL in 2006 which suggested you could get to consideration in terms of the promise by the downstream recipients to distribute modifications under the same terms (GPLv2 clause 2), so it is possible legal estoppel works for some open source licences.
The problem is BSD imposes very few constraints on downstream recipients, so really has nothing in it that can be construed as consideration; thus Legal Estoppel doesn't apply in its current form. BSD, therefore, requires the creation of a new judicial construct of implied licence, which isn't impossible, but which would be risky to rely on because courts are wary of creating new judicial constructs.
Posted Jul 19, 2017 15:20 UTC (Wed)
by cry_regarder (subscriber, #50545)
[Link]
Posted Jul 19, 2017 11:08 UTC (Wed)
by cladisch (✭ supporter ✭, #50193)
[Link] (2 responses)
That's how contracts are to be interpreted. For example, MBIA Ins. Corp. v. Patriarch Partners VIII, LLC says: Well-settled rules of contract construction require that a contract be
construed as a whole, giving effect to the parties' intentions. Specific
language in a contract controls over general language, and where
specific and general provisions conflict, the specific provision ordinarily
qualifies the meaning of the general one. So it is clear that Facebook intends that the additional patent grant applies to any patents, and that the implied patent grant in the plain BSD license (if it exists) does not.
Posted Jul 19, 2017 11:22 UTC (Wed)
by karkhaz (subscriber, #99844)
[Link] (1 responses)
Does this mean that the vanilla 3-clause BSD license may or may not have an implicit patent grant, depending on whether the licensor additionally offered an explicit patent grant?
For example, suppose that a court actually finds that Facebook's software does not have an implicit patent grant for the very reason that you specified: Facebook intends that you only have a patent grant if you accept their additional terms of patent retaliation. Does that mean that a different court could later find that the BSD license _does_ contain an implicit patent grant if the licensor didn't offer an explicit one, despite the Facebook precedent?
Posted Jul 19, 2017 11:32 UTC (Wed)
by niner (subscriber, #26151)
[Link]
Posted Jul 21, 2017 13:15 UTC (Fri)
by mirabilos (subscriber, #84359)
[Link]
Posted Jul 19, 2017 7:36 UTC (Wed)
by epa (subscriber, #39769)
[Link] (4 responses)
Posted Jul 19, 2017 11:35 UTC (Wed)
by ballombe (subscriber, #9523)
[Link] (3 responses)
Posted Jul 19, 2017 19:13 UTC (Wed)
by webmink (guest, #47180)
[Link] (2 responses)
Posted Jul 20, 2017 9:11 UTC (Thu)
by ballombe (subscriber, #9523)
[Link] (1 responses)
The context is 'Perhaps if Facebook's terms restricted retaliation to software patents and business method patents, not all patents, it would be acceptable?'
Facebook does not promise not to enforce software patents and business method patents against the licensee in general. So requiring the licensee to do so is not symmetrical.
Posted Jul 21, 2017 10:09 UTC (Fri)
by epa (subscriber, #39769)
[Link]
Posted Jul 19, 2017 14:54 UTC (Wed)
by jejb (subscriber, #6654)
[Link]
https://meshedinsights.com/2017/07/16/apache-bans-faceboo...
He's using this as a living document, so he updates it as the situation evolves.
Posted Jul 20, 2017 5:58 UTC (Thu)
by bernat (subscriber, #51658)
[Link]
Posted Jul 20, 2017 7:10 UTC (Thu)
by mjthayer (guest, #39183)
[Link] (1 responses)
Posted Jul 21, 2017 4:50 UTC (Fri)
by Otus (subscriber, #67685)
[Link]
https://github.com/facebook/react/issues/10191#issuecomme...
Posted Jul 20, 2017 9:31 UTC (Thu)
by paulj (subscriber, #341)
[Link]
I know of some concerns, including from legal people, that such patent grants may not technically be compatible with the GPL, as they may be revoked. On the other hand, there are also convincing arguments to not worry about it, unless needs be (esp. when the patent grant and GPL software are unrelated).
Never managed to get a completely satisfying answer to those concerns though.
Posted Jul 21, 2017 13:21 UTC (Fri)
by mirabilos (subscriber, #84359)
[Link]
Whom do you trust?
I trust in a friend to do the right thing wrt. licencing his Free Software, even if it may be a bit lacking initially.
I certainly do not trust Facebook to DTRT. For one, it’s a company. Companies are required by (at least local, no idea about USA) law to have the intent to make/win money. For another, well, it’s Facebook, ’nuff said.
Apache disallows the Facebook BSD+patent license
Apache disallows the Facebook BSD+patent license
Apache disallows the Facebook BSD+patent license
Apache disallows the Facebook BSD+patent license
Apache disallows the Facebook BSD+patent license
Apache disallows the Facebook BSD+patent license
Apache disallows the Facebook BSD+patent license
The 3-clause BSD license alone still grants you rights use and distribute the software.
Apache disallows the Facebook BSD+patent license
Apache disallows the Facebook BSD+patent license
Apache disallows the Facebook BSD+patent license
modification, are permitted provided that [...]" - if the software is patented, that must be seen as including a patent license to the extent necessary to perform these activities, otherwise the license is useless.
Apache disallows the Facebook BSD+patent license
Apache disallows the Facebook BSD+patent license
Apache disallows the Facebook BSD+patent license
Apache disallows the Facebook BSD+patent license
Apache disallows the Facebook BSD+patent license
Apache disallows the Facebook BSD+patent license
Apache disallows the Facebook BSD+patent license
Apache disallows the Facebook BSD+patent license
Apache disallows the Facebook BSD+patent license
Apache disallows the Facebook BSD+patent license
Apache disallows the Facebook BSD+patent license
Apache disallows the Facebook BSD+patent license
Apache disallows the Facebook BSD+patent license
Apache disallows the Facebook BSD+patent license
Apache disallows the Facebook BSD+patent license
Apache disallows the Facebook BSD+patent license
Apache disallows the Facebook BSD+patent license
Apache disallows the Facebook BSD+patent license
Apache disallows the Facebook BSD+patent license
Apache disallows the Facebook BSD+patent license
https://github.com/facebook/react/issues/10191#issuecomme...
Kind of similar issues with IETF FRAND and free software licences?
Whom do you trust?