Bug#781566: COPYING2 contains some armchair licensing

Wed Apr 1 06:43:51 UTC 2015

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Dear All,

I forwarded the bug report to the upstream maintainer:
please find below his answer.

On 31/03/15 05:08, Paul Tagliamonte wrote:
> Package: apophenia Severity: serious User: paultag at debian.org 
> Usertags: ftp X-Debbugs-CC: ftpmaster at ftp-master.debian.org thanks
> 
> Right, hello, maintainers!
> 
> Thanks for all your work,
> 
> 
> This work is licensed under the GPLv2. At least, it tries to.
> COPYING2 contains a further restriction on distribution that results
> in a work that is *not* distributable, since the headers say v2 (not
> v2 or later) with these changes (the GPLv3 lets us remove further
> restrictions)
> 
> I question if a lawyer was behind these changes, and I also question
> the validity of this license, and as a result, I question the 
> distributablity.
> 
> Could you please ask upstream to either pick AGPL, LGPL or GPL? It
> seems like the author wants to use the GPL, but the first part of
> COPYING2 wants to be AGPL, and the second wants to be LGPL.

- --8><-------------------------------------------------------------------------------------------------------------------------

- -------

First, imagine a bug report entitled "file.c contains some armchair coding". Such a statement would imply there is a class of people allowed to write code, from which the author of file.c is excluded. I feel it against the ethos of free, open software that text would be accepted or rejected based on the qualifications of the person writing it.

But because much of the bug report is concerned with the qualifications of the author, here goes: no, I do not have a law degree. However, my work as a Free Software Foundation employee included writing white papers on intellectual property law and a legal brief filed in the US Federal Circuit. My recommendations and legal reasoning in the brief, a law review paper, and other writings from the mid to late `00s are not far from the ruling and reasoning in last year's Supreme Court ruling in Alice Corp. Over the course of my work with the FSF on intellectual property law, I spoke directly with the people involved in writing the AGPL, who expressed some disappointment with how the AGPL was worded, and said that they wished that they'd just stated directly that running code on a public server is distribution. I have also had extensive dealings with the authors of GPLv3, and know the license, its history, and many of the considerations that went into it very well. These interacti!
 ons went i
nto the considerations for the licensing of Apophenia.

There are three parts to the Apophenia license as written. I recommend keeping the first, changing the text of the second, and cutting third. 

1. The first part of the license is the GPLv2. There are other packages that are based on GPLv2, and not "GPLv2 or later". For example, I understand that Debian distributes the Linux kernel. Not only is the kernel licensed under GPLv2, the GPLv2 license as distributed with the kernel is prefaced with explicit sniping about GPLv3:

"Also note that the only valid version of the GPL as far as the kernel is concerned is _this_ particular version of the license (ie v2, not v2.2 or v3.x or whatever), unless explicitly otherwise stated."
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/COPYING

Based on this precedent, I believe that distributing a Debian package under the GPLv2 (not "and later") is valid.

2. The first paragraph of COPYING2 is an attempt to clarify what the AGPLv1 is saying.  The common summary of the AGPL is that it requires that software distributed over the network must make source available, but the way it expresses that is by requiring that certain HTTP links must not be removed. Here is the text for you to try to follow:

- ------
2d) If the Program as you received it is intended to interact with users through a computer network and if, in the version you received, any user interacting with the Program was given the opportunity to request transmission to that user of the Program's complete source code, you must not remove that facility from your modified version of the Program or work based on the Program, and must offer an equivalent opportunity for all users interacting with your Program through a computer network to request immediate transmission by HTTP of the complete source code of your modified version or other derivative work.
- ------

Why not just come out and say that making available over a network triggers the obligation to open the source code? In June of 2007, I wrote the paragraph in COPYING2 that attempts to state this directly.

- ------
- --An application hosted on a server and remotely operated by users, such as a web application or database server, is understood to be distribution of the software, and therefore all GPL v2 clauses regarding distribution apply. For example, a web application must include a link for downloading the application source code.
- ------

I'd probably word it differently now (we should distinguish public from private networks, for example), but fortunately I don't have to do the work. A few months later, in November 2007, the AGPLv3 came out, and revised the earlier AGPL in a similar manner.

My recommendation is that we replace my text with text from §13 of the 2007 Affero license. It expresses a similar sentiment, but being written by lawyers, it  addresses the ad hominem issues presented in the bug report.

Proposed text of COPYING2:
- -------
Notwithstanding any other provision of this License, if you modify the Program, your modified version must prominently offer all users interacting with it remotely through a computer network (if your version supports such interaction) an opportunity to receive the Corresponding Source of your version by providing access to the Corresponding Source from a network server at no charge, through some standard or customary means of facilitating copying of software.
- -------

3. A lot of people believe that you need some sort of explicit permission to link two libraries. I have run into this legal superstition many times, which is why I took pains in COPYING2 to attempt to clarify that linking code bases under different libraries is valid unless there is a specific reason in the code for why it isn't. That the person who filed the bug thought that my clarification in any way modified the base license reflects badly on my drafting.

The question of what happens when two libraries under different licenses are jointly distributed is simple under the law: the intersection of all restrictions apply. If the license on library A says you may only distribute the code on Monday, Tuesday, or Wednesday, and the license on library B says you may only distribute the code on Wednesday, Thursday, or Friday, there isn't any challenging legal puzzle: you have the right to distribute on Wednesday, and only on Wednesday.

Of course, if the licences have no intersection, you can't link A and B. This explains the single paragraph GPLv2 devotes to linking, which begins "This General Public License does not permit incorporating your program into proprietary programs." This sentence is not an additional restriction, but a clarification that if the license for A says 'you must distribute' and the license for B says 'you must not distribute', a product that uses A and B is basically a legal impossibility.

Are there features of AGPL that make it impossible to link AGPLed code with GPLv3ed code? The not-armchair lawyers at the FSF have this to say (be sure to read the entire
paragraph):

- -----
Please note that the GNU AGPL is not compatible with GPLv2. It is also technically not compatible with GPLv3 in a strict sense: you cannot take code released under the GNU AGPL and convey or modify it however you like under the terms of GPLv3, or vice versa. However, you are allowed to combine separate modules or source files released under both of those licenses in a single project, which will provide many programmers with all the permission they need to make the programs they want.
- -----
http://www.gnu.org/licenses/license-list.html#GPLCompatibleLicenses

To paraphrase the above: You are (explicitly, in this paragraph) granted permission to link AGPLed software to other code licensed under other licenses, such as GPL v3. Linking to a differently-licensed code base does not free the code (or the combination) of the stipulations of either code base.

The AGPL has a somewhat similar (but more extensive) clause in §13: "Notwithstanding any other provision of this License, you have permission to link or combine any covered work with a work licensed under version 3 of the GNU General Public License..."

This clarification in COPYING2 is unnecessary, intended to explain a point that gets obfuscated and mixed in with other questions (e.g., cutting/pasting code from library A's code base into library B's code base is much more legally difficult). Therefore, the easiest option is to cut this paragraph entirely, rather than replace it with other basically redundant verbiage.

Summary:

* GPLv2 (not GPLv2 or later) is a valid license, used by other packages in Debian. I started writing Apophenia before GPLv3 existed, and see reason to not shift to the newer license.

* We can replace the Affero-ization text I wrote with text taken from the 2007 edition of the AGPL, as above.

* The second clause in COPYING2 is an explanation which neither grants nor revokes any privileges. As such, it can be cut.

I believe that this modification, using the GPLv2 + modern Affero clause, is a better option than using the AGPL version of GPLv2 itself. Although it is not standard in the sense of having a common acronym, it uses two standard parts that are commonly recognized and can be sensibly combined.

B

- --------

- ------------------------------------------------------------------------------------------------------------><8

Please let know if you have any comments to pass.

Thanks,
Jerome

> 
> 
> Thanks! Paul
> 
> 
> 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBAgAGBQJVG5OTAAoJEIC/w4IMSybjlTYH/36yghRBY4I4lo1zeGCWefZ/
Ec+32N7zkhYGqmShslgzI+/ElJMxx1sDYeXhGrWTzMNrtirDw+OcvtpPDXgnRwfV
EeWB1nn2LUSf4WhPv77Qt/Wcd/fjqWc5pKsqv+P/NdJqFWPr1eYYl5cHOp6Xnbea
PD9Eb+uNFlcroG+wXrjS9cwXYsAow1kDgTEpbgtPJJURQo8AKDOhR6v+lLey3kK9
kSAsk0SZW2DMv5TamQUlK6qYd+UuFERnaBEfw06LsPifmIxNy78067S0Su0hwvlf
D2sGi+i+/LU9ir6XgQXowGvCBdldaOGtniVru0vbTiePgp8AzBspzY90/mnglv0=
=jsLG
-----END PGP SIGNATURE-----