Relicense project under AGPL3+ #437
Comments
@velitasali @Daksh777 Would you like to comment? Sorry for random tag. |
|
Notice: We couldn't send an email to Jiří Kašpar info@wpsupportplus.eu whose contributions will be removed. @gnuhead-chieb, @d4rkk3y and @Gitoffthelawn used users.noreply.github.com emails where the emails will never reach. So, they have to give their consent here and optionally, ask for amending their commits to include a new email address. (After the new license, all new commits will require signing off as we don't want any explicit certificate of origin.) |
I agree relicensing to agpl. |
This is a legal agreement, simply saying that “I agree” won't do it. Read the instructions and follow accordingly. I've sent an email to your Tutanota email address (your Weblate contributions are under that address), but it might not reach you due to an error on my end. Can you check, including the spam folder? |
I didn't receive emails from you. Anyway, I'll provide consent here. @MuntashirAkon |
Hi @MuntashirAkon, This all sounds good, but before I issue consent (which I am currently planning on doing), can you explain a bit more what you mean by "The greatest loophole of GPL3+ is that the developers who modifies our code are not required to contribute to the original software"? The biggest concern that I think you have is that someone will improve the code and make it closed-source. I think that's a fair and reasonable concern, and I support your effort to close that loophole. If the license is changed, besides authors of derivative projects making the source code open, will they have other obligations to "contribute to the original software"? Also, the statement you are requesting includes that you are "the current owner" of the software. How does "ownership" work for projects with more than one contributor? My regards, |
You explained it yourself:
However, (A)GPL doesn't prevent one from making a project closed source when they don't distribute it. The primary difference between GPL and AGPL is that if you distribute the modified version of the software over network, AGPL forces you to publish the modifications. Personal/internal usage is never a problem though.
Contribution is not required, but as they have to provide their modifications, we can safely merge the changes if they seem important.
Not the owner of the software but the owner of the project. I mean when you install a copy of App Manager, you become the owner of that copy (as opposed to a license, which doesn't make you the owner of the app). This is granted when the user clicks on the “I agree” button of the disclaimer dialog. The project itself is owned by me simply because I created it, and the contributors own their contributions and respective licenses (which is currently GPL-3.0+) unless the contributor wants to change it to something else. However, since we don't have a CLA, contributors were asked to sign off their commits, which acts as a developer certificate of origin (DCO). This isn't enforced as of today because I didn't think that it would reach so large an audience. But this will be enforced after relicensing the project. |
Thanks for the mention @mubashir-rehman
What exactly do you mean by "software over network"? Is it some sort of platform to distribute your modification? |
Regarding what "over network" means in the license: https://www.gnu.org/licenses/gpl-faq.html#AGPLv3InteractingRemotely
Do you expect that somebody converts the App Manager application into a web server application and runs it as "Software as a Service" product? Distribution through e.g. Google Play is already covered by the term "to 'convey'" in the GPL:
When you convey a modified version in object code (all terms as defined by the GPL in section 0), section 6 applies, requiring that the author of the new project must "also convey the machine-readable Corresponding Source under the terms of this License". |
So if I understood this correctly, using GPL or AGPL won't make much of a difference. No one is going to convert the app to a web application so there is actually no need for AGPL. |
I agree @Daksh777; additionally, according to https://opensource.stackexchange.com/a/1726, everybody already has permission to relicense (a derivative work of) App Manager under AGPL per section 13 of the GPL:
(But not to add an OpenSSL exception, which the consent that @MuntashirAkon asks contributors to give doesn't actually mention.) |
@Daksh777 |
App Manager can be used as a SaaS product since it offers remote interaction (in which case you only have to disclose the source of the version of App Manager that the users use). The feature is disabled because users are only expected to run it locally. But it's possible to modify the source to enable it.
Yes. However, in (A)GPL, you are not required to supply the source code or links to the source code with the software, and you were only obliged to do so if the user requested them. Now, you can always write an EULA that states that asking for a source code terminates the agreement.
This is only applicable for a derived work.
This is a good point. Actually, I'm glad that this discussion is taking place. We actually have a lot of licensing issues right now, one of which is disputed, i.e. GPL-2.0-only with classpath exception. GPL-2.0-only licenses are incompatible with (A)GPL-3.0 or later. But I wonder what this exception stands for. This sort of license could be used with Apache 2.0 but I don't know if that's the case with GPL-3.0. I think we have to adopt a Linux-like COPYING where it would be specifically stated that depending on the library and code usage, newer exceptions might be added to the license, but in any case, it shall be ensured that the exceptions are applicable to the corresponding library or file only and not the full source. |
I am also thinking of separating translations from the original app (or moving them to an orphan branch) since Weblate's libre plan doesn't offer any option to control the contributors, and a few of the translators are actually trying to use it to their advantage by providing wrong/out-of-context translations. |
Which parts of the app does this apply to? Since the whole app is so close to the Android system, this is hard to imagine for me.
I think you may "combine any covered work [the previous version of the app] with a work licensed under version 3 of the GNU Affero General Public License [any latest contributions by you] into a single combined work [the next version of the app]". |
I'll try to add a demonstration in the next version.
Who's you here? Me or all contributors? |
I talked with a GNU-Richard Stallman fan and they told me that the technology being used here is actually Service as a Software Substitute (never heard that term before) rather than Service as a Software which, unfortunately, isn't covered by the AGPL licenses. The way the article puts it, the entire cloud infrastructure at present seems to be SaaSS unless you host them yourself. |
Here, I specifically meant you. Others have already granted you the permission to cover their changes under AGPL through the GPL that they put their code under. You have already created a "'modified version' of an earlier work" because you "adapt[ed] all […] of the work in a fashion requiring copyright permission, other than the making of an exact copy" by adding new work on top of the existing work by contributors, which in turn is "based on" your work.
I think the former is just a dysphemistic term for certain instances of the latter.
I don't think this is true (it would be for pure GPL though), since as a user, you are interacting with the software through a network. The problem here is that you don't have access to the binaries for tasks that you should be able to complete offline, like editing images in an online photo editor. |
According to https://www.gnu.org/licenses/why-affero-gpl.en.html:
|
Yes, because (according to them; same article, next paragraph):
So, according to the article, the problems are:
→ it's not possible to solve these problems through a license. Still, the software is of course covered, no matter what you call it. |
Yeah, but even Invidious, Nitter, Peertube instances should fall under this definition if they're not self-hosted and/or audited. There could be some transparency requirement clause if you know what I mean. |
@MuntashirAkon wrote: "...a few of the translators are actually trying to use it to their advantage by providing wrong/out-of-context translations." That's not good. How are they trying to use it to their advantage? Can you illustrate with a couple of examples? |
I am @yzqzss. I received that email but can't reply to it (riseup.net: No Mx Record Found). I hereby grant Muntashir Al-Islam, -- My Email: |
Riseup is probably being blocked in your area. |
This happened in Russian translation and previously in Chinese (but I won't name anybody as I don't want to hurt anybody). There could be more but I wouldn't know unless I receive such reports (we only received these reports probably because we have a large number of Chinese and Russian users). Weblate should really allow open source projects to customise its users like Transifex or Crowdin. |
Wow! DCO is marked as spam on Weblate! |
Thanks. My question was ambiguous. I'm sorry and I'll be more specific. I meant how were translations used for the advantage of others? Did they add inappropriate links (spam, essentially), references to unrelated personal agendas, something else?
I agree. Also, I've long held that every translation service should, for every translation into another language, also show a machine translation of those translations into a language known by whomever is requesting the translation. For example, if you wrote words in English, and someone translates your words into Latin, it should perform a machine translation of the Latin back into English to help ensure no "funny business" is going on. |
As you can see in the above screenshot, Weblate has spam protections. What I meant is that collaborating in an open source project itself is an advantage, and Weblate seems to be a nice tool to do so since it arbitrarily allows anyone to interact directly with an open source project. Remember the Hacktoberfest incidents of last year? Most OSS are maintained by 1-3 people who contribute in their free time, and these sorts of contributions just discourage them from collaborating on OSS ever again. Fortunately, in our case, we have some patient and dedicated translators who keep reverting their mess, but they'll eventually get tired and give up. Weblate, at least, should've allowed an option to restrict some users. Currently we have no choice but to make such strings read-only. This situation will only get worse as more and more projects are using Weblate for translating their projects. @comradekingu: I gather that you are quite involved with Weblate, do you know any better way to handle the situation other than making such strings read-only? I've also decided to not keep Weblate as a collaborator to the project and do the pulls and pushes manually using |
GPLv3+ does indemnify shipping bad strings inadvertently, but that is no excuse to do so. @Gitoffthelawn Policing translations with managers and user roles is possibly the worst idea, other than the voting system defaults of Crowdin, and the UI of TX and Crowdin. @MuntashirAkon Weblate does allow restricting users, Hosted Weblate allows setting up reviewers specifically. As for the legality of uploading contributions, https://weblate.org/en/terms/ says
However, it does state contributions are to be made under the respective license chosen. IMO, the Developer's Certificate of Origin 1.1 for Linux (being GPLv2 only) is not needed for GPLv3+. It states `By making a contribution to this project, I certify that: (a) The contribution was created in whole or in part by me and I have the right to submit it under the open source license indicated in the file; or`
Whereas the GPLv3+ states: (actual spaghetti unravelled at the bottom)
Therefore, by modifying or propagating a covered work, you indicate your acceptance of this License to do so. Each time you convey a covered work, the recipient automatically A "contributor" is a copyright holder who authorizes use under this Each contributor grants you a non-exclusive, worldwide, royalty-free If conditions are imposed on you (whether by court order, agreement or If you cannot convey a |
Yes, I know that but it's not available under Libre plan.
How would you appoint a reviewer? And what capabilities do they have in particular? Anybody seems to translate directly anyway without enabling suggestion voting, which is impossible for a project like this. Also, there is no per-app language reviewer. The amount of sacrifice that we have to make to stick to Weblate seems to be very high. For instance, until the new version came out, I had to create and run a string fixer script. Anyway, I appreciate the fact that at least they are trying.
The choice of words seems not very transparent and well defined (thus opening a wider range of possibilities of getting kicked). Even our discussion here could end up being a “bad faith”. I didn't understand what's wrong with the point (b). If you modify a GPL'd work, it has to be GPL'd under the terms of the license. But if you modify an Apache-2.0 licensed work that you copied from another project, you can use either GPL or Apache-2.0, because the work is not yet under GPL. When you finally commit that work to a GPL'd project, i.e. you've authorised the work to be used under GPL, any further modification would have to be under GPL. How does that break (b)? Or, do we need to replace "under the same open source license (unless I am permitted to submit under a different license)" with "under the same open source license or GPL-3.0-or-later"? Any contribution you make on Weblate automatically falls under GPL because the project is already under GPL, which enforces that the modifications also have to be under GPL. |
My problem with b is the same as with a and c, that it is mentioned at all. Per user reviews don't exist. If they did you wouldn't have to handpick reviewers. Each translator could just keep a shorthand of reviewers they trust, and I would only use it to prioritize the order in which each and every string is reviewed by me. That would however help each good translator scale. Right now the only real way is to stay on top of all changes for a language as they happen. |
I think any contributor would agree on these terms because they are being enforced implicitly on any open source project. Having them as a document saves the maintainers from the liability which is not covered by GPL. Anyway, this is for testing purposes and has since been removed. However, I have to modify the CLA to include the fact that each contributor has to accept an OpenSSL exception clause (specifically BoringSSL library) so that when this is added, I don't have to explicitly ask for permissions for this from all contributors. BoringSSL is a requirement for our project as GNU TLS and OpenSSL do not provide SPAKE2. The OpenSSL exception clause is as follows:
This is what I've come up with right now but it may or may not be perfect:
|
Oops, wrong button. |
Ah, so no moderation is possible. The old way of sending patches via a mailing list used to be better. What's your experience with Transifex? Does it offer anything better? |
Transifex is just plain awful. Egregious terms, UI from the underworld. It is the home of the drive-by translator. Your problem is that adding a clause (big problem) to further translations doesn't cover existing ones. However, GPLv3+ to AGPLv3+ is fine https://www.gnu.org/licenses/gpl-faq.html#AllCompatibility without getting the consent of each and every contributor (unless I am mistaken). Further work would then effectively change license. What was the situation before the change? If OpenSSL was used and there was no exception in place, that seems like an oversight on the part of the licensing department rather than something that actually changed. I get trying to make extra sure here, but what happens to be the actual problem to solve? Whether the language parts are in conflict with an OpenSSL exception, I don't know. https://www.openssl.org/source/license.html 3.0.0 is just Apache 2.0. Edit: This is the provision for licensing stuff as per the license in the repo. My take is to not double up on something that is already there. It being acceptable because it is already there is a very thin definition of acceptable, that also encompasses unacceptable. |
The question is not with the current version of OpenSSL because BoringSSL was forked from an old version of OpenSSL that was still under the OpenSSL license. As I've described earlier, SPAKE2 is only available in BoringSSL, and NOT in any place else. So, there's no alternative that we can look for. I've attempted to port it to Java but the dependencies on the old version of OpenSSL seem too high, and I don't have the time and energy to reimplement the entire OpenSSL (I already have to maintain far too many libraries as part of this project). You'd find an OpenSSL exception in all projects that use a network connection and/or interact with the low-level system. It's one of the most used exceptions with GPL licenses (due to incompatibilities). The alternative solution would be to use something called wrapping, i.e. supply BoringSSL in a separate APK file and then use a permissive-licensed API to interact with it. While it's not difficult to do that, it would be annoying for the ADB users as they have to install the extension in order to interact with App Manager (see #281). |
CLAs are essential for a safe future of an open source app. Consider we have to add an exception in future but some of the contributors (since we allow anonymous contributions) aren't responding. In such a situation, there's no choice but to remove all contributions made by the user, which could be very bad. At the same time, we have to be careful not to follow in the footsteps of ElasticSearch. |
This is the LICENSE file of BoringSSL, known to be one of the most complicated license statements. SPAKE2 and related code from Google are actually licensed under MIT instead of OpenSSL. For our purpose, we only need contents from the curve25519 folder (the tests can be skipped as we don't require any test), which has dependencies on a few OpenSSL library files, which shouldn't be too hard to extract if you're an experienced C programmer. The trouble is to replace them with alternatives that do not use the OpenSSL license. |
My contributions are under GPL-2.0-or-later, and so do not require my consent to be used in a GPL-3.0-or-later project. |
It looks like Weblate added an option to block users. |
If I can get Signal's curve25519 library to work, we may not need to add an exception at all. |
It appears that we no longer need to add an exception! I was finally able to implement the Spake25519 protocol in pure Java, which will be available shortly at https://github.com/MuntashirAkon/spake2-java. I will also add a native C library without OpenSSL's proprietary code. |
We want people to use code from App Manager (it's increasingly becoming the biggest source of technologies hardly found in any other OSS) and I've received emails from various authors for permission to use the GPL3+ licensed code. The greatest loophole of GPL3+ is that the developers who modify our code are not required to contribute to the original software — which is bad for the future of App Manager as a free (as in libre) software. So, I'd like to nip these loopholes in the bud by relicensing the project under the AGPL3+ license.
But before doing so, I would like to take comments from the contributors and the community.