Licensing

Every open source line of code needs a license or it's not really open source.

Security openssl.org

OpenSSL 3.0: API and license changes

Following thanks to all contributors, the blog notes:

Most applications that worked with OpenSSL 1.1.1 will still work unchanged and will simply need to be recompiled (although you may see numerous compilation warnings about using deprecated APIs). Some applications may need to make changes to compile and work correctly, and many applications will need to be changed to avoid the deprecation warnings.

And points out a couple of new features:

OpenSSL 3.0 introduces a number of new concepts that application developers and users of OpenSSL should be aware of. An overview of the key concepts in libcrypto is available in the libcrypto manual page.

A key feature of OpenSSL 3.0 is the new FIPS module. Our lab is testing the module and pulling together the paperwork for our FIPS 140-2 validation now. We expect that to be submitted later this month. The final certificate is not expected to be issued until next year.

And finally, LWN notes on the license change:

OpenSSL has also been relicensed to Apache 2.0, which should end the era of “special exceptions” needed to use OpenSSL in GPL-licensed applications.

Licensing fsf.org

Free Software Foundation declares GitHub Copilot "unacceptable and unjust"

The FSF is funding white papers on “philosophical and legal questions around Copilot”. In their post announcing the fund, Donald Robertson states:

The Free Software Foundation has received numerous inquiries about our position on these questions. We can see that Copilot’s use of freely licensed software has many implications for an incredibly large portion of the free software community. Developers want to know whether training a neural network on their software can really be considered fair use. Others who may be interested in using Copilot wonder if the code snippets and other elements copied from GitHub-hosted repositories could result in copyright infringement. And even if everything might be legally copacetic, activists wonder if there isn’t something fundamentally unfair about a proprietary software company building a service off their work.

One thing is for sure: there are many open questions that need answering. How we (as a community / industry) go about answering those questions is much less clear. But it’ll probably take place on blogs, forums, GitHub Issues, and even court rooms over the next decade.

Raj Dutt grafana.com

Grafana, Loki, and Tempo will be relicensed to AGPLv3

Raj Dutt, CEO and co-founder of Grafana Labs:

Our company has always tried to balance the “value creation” of open source and community with the “value capture” of our monetization strategy. The choice of license is a key pillar of this strategy, and is something that we’ve deliberated on extensively since the company began.

Over the last few years, we’ve watched closely as almost every at-scale open source company that we admire (such as Elastic, Redis Labs, MongoDB, Timescale, Cockroach Labs, and many others) has evolved their license regime. In almost all of these cases, the result has been a move to a non-OSI-approved source-available license.

We have spent the first months of 2021 having sometimes contentious but always healthy internal debates over this topic, and today we are announcing a change of our own.

They’re switching to AGPLv3, which is OSI-approved, but like Heather Meeker said on our SSPL/Elastic episode, is often on the DO NOT USE list at large tech firms. Raj continues:

Ensuring we maintain these freedoms for our community is a big priority for us. While AGPL doesn’t “protect” us to the same degree as other licenses (such as the SSPL), we feel that it strikes the right balance. Being open source will always be at the core of who we are, and we believe that adopting AGPLv3 allows our community and users to by and large have the same freedoms that they have enjoyed since our inception.

Read the entire post for more details on what is being re-licensed, what isn’t, and what it all means. They also have a Q&A on their blog answering other common questions and concerns.

Google supremecourt.gov

SCOTUS declares Google's copying of the Java SE API fair use

In a copyright decision that will undoubtedly have ripple effects on the software industry for years to come, the Supreme Court of the United States held that:

Google’s copying of the Java SE API, which included only those lines of code that were needed to allow programmers to put their accrued talents to work in a new and transformative program, was a fair use of that material as a matter of law.

This quote, pulled from the linked opinion by a Hacker News commenter, drives right into the heart of the matter:

“Google copied approximately 11,500 lines of declaring code from the API, which amounts to virtually all the declaring code needed to call up hundreds of different tasks. Those 11,500 lines, however, are only 0.4 percent of the entire API at issue, which consists of 2.86 million total lines. In considering “the amount and substantiality of the portion used” in this case, the 11,500 lines of code should be viewed as one small part of the considerably greater whole. As part of an interface, the copied lines of code are inextricably bound to other lines of code that are accessed by programmers. Google copied these lines not because of their creativity or beauty but because they would allow programmers to bring their skills to a new smartphone computing environment.”

Elasticsearch aws.amazon.com

AWS forks Elasticsearch and Kibana as license changes

Ever since AWS took Elasticsearch and decided to sell a managed version of it there has been controversy around AWS and Elasticsearch. Now that the software created by Elastic is being switched to the Server-Side Public License (SSPL), which is not a very permissive license, AWS is going ahead and forking the projects.

The debate rages around this. Few people feel sympathy with the behemoth that is AWS, but they don’t seem to be in violation of any licenses. Elastic has definitely worked hard on Elasticsearch and arguably deserves an opportunity to profit from their work. This new license raises significant concern though.

I don’t think we’ll see this settle anytime soon, just like the issue of open source sustainability is neither easy nor straightforward.

VS Code github.com

VSCodium — VS Code sans Microsoft branding/telemetry/licensing

According to the “why does this exist” section of the readme:

Microsoft’s downloads of Visual Studio Code are licensed under this not-FLOSS license and contain telemetry/tracking. According to this comment from a Visual Studio Code maintainer:

When we [Microsoft] build Visual Studio Code, we do exactly this. We clone the vscode repository, we lay down a customized product.json that has Microsoft specific functionality (telemetry, gallery, logo, etc.), and then produce a build that we release under our license.

When you clone and build from the vscode repo, none of these endpoints are configured in the default product.json. Therefore, you generate a “clean” build, without the Microsoft customizations, which is by default licensed under the MIT license.

This repo exists so that you don’t have to download+build from source. The build scripts in this repo clone Microsoft’s vscode repo, run the build commands, and upload the resulting binaries to GitHub releases. These binaries are licensed under the MIT license. Telemetry is disabled.

The Visual Studio Code license referenced is a short read. You should read it if you use VS Code.

Licensing drat.apache.org

An unobstructive approach to large scale software license analysis

DRAT is a Map Reduce version of RAT using Apache Tika to automatically sort and classify the code base files

A well-named solution to an ever-expanding problem. But what is up with Apache projects and their obsession with trademarks?

A distributed parallelized (Map Reduce) wrapper around APACHE RAT™️ (Release Audit Tool) that goes far beyond RAT™️ by leveraging Apache OODT™️ to dramatically speed up the process.

The New Stack

Why Bruce Perens is proposing "coherent open source"

This is a solid (text) interview with Bruce Perens, former member of the OSI:

… a recognized pioneer of the Open Source movement, 62-year-old Bruce Perens is still thinking about ways to protect the freedoms of software users. “Most people who develop open source don’t have access to lawyers” Perens told the Register last month. “One of the goals for open source was you could use it without having to hire a lawyer. You could put [open source software] on your computer and run it and if you don’t redistribute or modify it, you don’t really have to read the license.”

Bruce suggests we all limit ourselves to just three licenses: AGPL 3, LGPL 3, and Apache 2. He’s a fascinating guy with lots to say on the matter. It’s an exciting time in software licensing, which is a sentence I never expected to write in my life.

Luis Villa blog.tidelift.com

2019 year in review for open source licenses

2019 was a crazy year for licensing in open source. Luis Villa shared his take on what happened last year…

2019 was the most active year in open source licenses in a very, very long time, with news from China to Silicon Valley, from rawest capitalism to most thoughtful ethics. Given all that, I thought it would be worth summarizing the most interesting events, and sharing some reflections on them.

A standout to me was on the subject of money…

Inevitably, as open source has “won,” money has become ever more central to how it functions. It turns out it is hard to sustain the entire software industry on a part time basis! Licensing has not played a central role in this discussion, but 2019 gave several examples of how licensing and money are entangled.

The Register

Bruce Perens quits Open Source Initiative (OSI)

Extending from topics around open source licensing in this recent conversation with Adam Jacob and this recent conversation with David Cramer, we’re now at a point where Bruce Perens (OSI co-founder) has quit the OSI saying “we’ve gone the wrong way with licensing” regarding the recently drafted Cryptographic Autonomy License (CAL).

The debate over whether or not to approve the license, now in its fourth draft, has proven contentious enough to prompt OSI co-founder Bruce Perens to resign from the organization, for a second time, based on concern that OSI members have already made up their minds.

“Well, it seems to me that the organization is rather enthusiastically headed toward accepting a license that isn’t freedom respecting,” Perens wrote in a missive to the OSI’s license review mailing list on Thursday. “Fine, do it without me, please.”

InfoQ

"Google v. Oracle" to be decided by Supreme Court

The copyright battle that’s been going on since 2010 between these two tech giants will finally reach its conclusion at the highest court in the land.

Google will have just 30 minutes to present its case; Oracle will have 30 minutes to respond… The two tech giants have agreed to the following filing schedule:

  • January 6, 2020 - Google will submit its brief (i.e. argument why they should prevail).
  • February 12, 2020 - Oracle will submit its response brief.
  • March 13, 2020 - Google will file a reply to Oracle’s brief addressing any opposing points raised.

If Google wins, the case is finally closed. If Oracle wins, the damages will be calculated by a California jury. Estimated damages in this case are in the $8-9 billion range.

Drew DeVault drewdevault.com

My personal journey from MIT to GPL

As I got started writing open source software, I generally preferred the MIT license. I actually made fun of the “copyleft” GPL licenses, on the grounds that they are less free. I still hold this opinion today: the GPL license is less free than the MIT license - but today, I believe this in a good way.

As someone who has spent tens of thousands of hours developing free software, Drew’s thoughts on these matters are well considered. After reading this, I had to ask myself why I still prefer MIT. Ultimately, I think he and I differ on motivation. He states:

I give people free software because I want them to reciprocate with the same.

I give people free software and I want them to reciprocate with the same. However, I don’t do it because I want them to do it. I do it because I want to give the world a gift. Full stop. What about you?

CockroachDB cockroachlabs.com

Why we're relicensing CockroachDB

The co-founders of CockroachDB — Peter Mattis (CTO), Ben Darnell (Chief Architect), and Spencer Kimball (CEO) — co-wrote a post explaining their move to MariaDB’s Business Source License (BSL) in order to thwart competitors, otherwise known as “highly-integrated providers,” from offering a version of CockroachDB “as-a-service” without purchasing a license to do so.

We’re witnessing the rise of highly-integrated providers take advantage of their unique position to offer “as-a-service” versions of OSS products, and offer a superior user experience as a consequence of their integrations.

Here’s the tl;dr of this license change:

Today, we’re adopting an extremely permissive version of the Business Source License (BSL). CockroachDB users can scale CockroachDB to any number of nodes. They can use CockroachDB or embed it in their applications (whether they ship those applications to customers or run them as a service). They can even run it as a service internally. The one and only thing that you cannot do is offer a commercial version of CockroachDB as a service without buying a license.

Nadia Eghbal nadiaeghbal.com

Making money with licenses

Nadia Eghbal, on the role of licenses in open source funding:

I’m skeptical that new licenses are the right approach on a systemic level, both in terms of feasibility, as well as where I think the world is going. I’ll tackle each of these concerns separately.

I tend to agree with her take on the Right Way™️ to be thinking about it:

I’m more interested in solutions that aim to capture value on the production, rather than consumption side. While everyone is focused on putting up tollbooths, opportunities to “price” maintainer attention, and access to maintainers, remain undervalued.

There are issues with this as well. For one, buying access to maintainers is a proxy for buying influence over the project’s direction. This isn’t a guarantee, but it’s definitely a concern and could negatively impact other users.

That being said, I think production-side monetization in the world of open source is a winning strategy over consumption-side monetization. What do you think?

Kyle E. Mitchell writing.kemitchell.com

It's time to deprecate MIT and BSD licenses

Kyle E. Mitchell, who is not your attorney, and Executive Director of the recently founded Blue Oak Council, writing on /dev/lawyer has this to say about these “thirty-year-old academic licenses.”

MIT and BSD open source licenses are well known, popular, and legally deprecated. They served long and well, but they’re older than many open source software developers, and haven’t been maintained.

With licenses like Blue Oak available, it’s time open source upgraded from academic forms of the ’80s. There are good social, practical, and especially legal reasons to do so.

Kyle goes on to enumerate all the reasons why the Blue Oak license is a better fit for open source.

Bryan Cantrill dtrace.org

Open source confronts its midlife crisis

This op-ed from Bryan Cantrill (CTO at Joyent) goes deep into the details around “service providers’ parasitic relationship with open source,” and the other concerns around open source makers shifting to use licenses like commons clause and others designed to restrict service providers from developing commercial products from their open source.

Lots of thoughts shared around the subject and many links as well, so — get to digging.

Licensing github.com

It is expected that all developers become a Patron to use Fody

Here’s an interesting twist on open source funding: require all users to back the project on Open Collective, but only enforce that rule via social pressure. In other words, use an honesty policy:

It is an honesty system with no code or legal enforcement. When raising an issue or a pull request, the user may be checked to ensure they are a patron, and that issue/PR may be closed without further examination. If an individual or organization has no interest in the long term sustainability of Fody, then they are legally free to ignore the honesty system.

The software is MIT-licensed, so all of those liberal rules apply, but don’t expect to get your PR merged or your issue taken seriously unless you’re a patron.

You must be a Patron to be a user of Fody. Contributing Pull Requests does not cancel this out. It may seem unfair to expect people both contribute PRs and also financially back this project. However it is important to remember the effort in reviewing and merging a PR is often similar to that of creating the PR. Also the project maintainers are committing to support that added code (feature or bug fix) for the life of the project.

The project currently has 4 organizations and 10 individuals supporting it. What do you think those numbers will look like in 6 months or a year?

Licensing github.com

Lerna license change, a follow up

Yesterday’s PR to restrict the MIT license on Lerna has been reverted by @evocateur

First, I apologize for making the rash decision to support the addition of an unenforceable clause to the project’s MIT license. I failed to accurately assess the impact of this change, which led me to (incorrectly) focus on the intent. Despite the most noble of intentions, it is clear to me now that the impact of this change was almost 100% negative, with no appreciable progress toward the ostensible goal aside from rancorous sniping and harmful drama.

I am reverting the license changes. In the future, such changes (if any) will go through a much more thorough, completely public, and fair-minded process.

Licensing github.com

Lerna alters license to ban ICE collaborators

Lerna, a tool for managing multiple packages from a single monorepo, is taking a hard stance against companies (and their subsidiaries) that collaborate with ICE, expressly forbidding those companies from using future versions of Lerna.

For the companies that are known supporters of ICE: Lerna will no longer be licensed as MIT for you. You will receive no licensing rights and any use of Lerna will be considered theft. You will not be able to pay for a license, the only way that it is going to change is by you publicly tearing your contracts with ICE.

@kittens later commented, discussing how companies subject to this new license could deal with this change:

If you’re employed by a subsidiary listed, direct any questions about the usage of Lerna to your company lawyer. This license only applies to future versions, you’re free to use old versions that do not contain this clause.

If you have concerns over the legality of relicensing. The MIT license allows sublicensing, which this falls under. Even still, all contributors implicitly agreed to the existing license, of which I am the original license holder, when they submitted code meaning we are within our rights to relicense.

Matt Klein Medium

The (broken) economics of OSS

In response to the post from Paul Dix on the misunderstandings going on around Redis and the Commons Clause license — Matt Klein tweeted:

Won’t defend Redis Labs, this is a dead end move, but there needs to be more recognition that the economics of OSS are fundamentally broken.

In his post he starts by saying…

I want to provide a long form discussion of my two Twitter threads as this topic is nuanced and quite interesting. Note: this post is heavy on opinion and light on facts/references backing up those opinions. Thus, preface everything that follows with “IMO.”

Matt goes on to share some history of open source software and his opinions on modern expectations of software being free and open, startups and open source, and who pays…

Steven J. Vaughan-Nichols zdnet.com

Will Commons Clause destroy open source?

There is a big debate underway over Commons Clause and its recent application to certain Redis enterprise add-ons. The Commons Clause license is open source and was drafted by Heather Meeker — whom you might remember from Request for Commits #9.

This language from the license forbids the ability to sell the software (similar to the Elastic License discussed on The Changelog #292).

…the grant of rights under the License will not include, and the License does not grant to you, the right to Sell the Software.

Steven J. Vaughan-Nichols writes for ZDNet:

Redis Labs has been unsuccessful in monetizing Redis, or at least not as successful as they’d like. Their executives were discovering, like the far more well-known Docker, that having a great open-source technology did not mean you’d be making millions. Redis’ solution was to embrace Commons Clause.

This license forbids you from selling the software. It also states you may not host or offer consulting or support services as “a product or service whose value derives, entirely or substantially, from the functionality of the software”.

I’m really curious to see how this trend plays out as more and more organizations see service providers (cloud hosting, SaaS, etc.) and consultants (support contracts, etc.) “getting rich” off of the projects they work so hard to maintain as open source, while they struggle to find a sustainable model for funding the efforts to keep the open source ship afloat.

Salvatore Sanfilippo antirez.com

Redis will remain BSD licensed

The rumors of Redis taking on a new Creative Commons license ARE NOT true.

Antirez (Salvatore Sanfilippo) writes on his personal blog:

Redis is, and will remain, BSD licensed. However in the era of uncontrollable spreading of information, my attempts to provide the correct information failed, and I’m still seeing everywhere “Redis is no longer open source”. The reality is that Redis remains BSD, and actually Redis Labs did the right thing supporting my effort to keep Redis core open.

Here’s what IS happening…

What is happening instead is that certain Redis modules, developed inside Redis Labs, are now released under the Commons Clause (using Apache license as a base license). This means that basically certain enterprise add-ons, instead of being completely closed source as they could be, will be available with a more permissive license.

Here’s how Redis is licensed.
