Clarification of redistribution/license terms for source code/binaries

[thoughtpolice]

Hi,

I'd like to package cloudflared for NixOS, which is a very unusual Linux distribution that tends to compile everything from source where possible (for a number of reasons, but not just because we enjoy it -- though proprietary binaries are sometimes workable). In particular, each package in NixOS, when built, is stored and served over a big HTTP cache[1]. This means we do the packaging on our servers and ship the binary artifacts (made by us) to users.

However, like most distributions, we keep track of licenses, and we do not (by default) allow usage of non-free software, which we mark as license = unfree. There are two "tiers" of unfree packages in NixOS: unfree, which prohibits usage by default, and does not build copies of the objects in the HTTP cache, and unfreeRedistributable, which is legally not free software, but can have the binary results redistributed.

The LICENSE file for cloudflared pretty clearly indicates the software isn't free software (under any libre/OSI approved terms), but I'm more wondering about the terms of redistribution:

1. Am I allowed to redistribute the binary downloads that you provide? i.e. can we download the binaries CloudFlare provides, and re-host them for our users? If so, what are the terms of distribution for that binary? e.g. it must be completely un-modified from the original, etc

2. Is it a violation of the terms to compile the (unmodified) code from source and use that to interact with CloudFlare? If it is not a violation, can we distribute the resulting binary?

3. If we must use the original binary, does the user of the binary have to accept any provided terms to download it? E.g. Oracle requires you to agree to terms before downloading OracleJDK. In practice cloudflared can just be downloaded by anyone and the documentation makes no indication that there are any restrictions on who downloads it, but this is also maybe worth clarifying.

I'm not a laywer, so these questions may be obvious to someone, but that someone isn't me.

The questions are a bit complicated; in particular, the ideal case would be "You can compile the source and redistribute the binary artifacts from that source code, under the same license as provided", re: question 2. This would mean NixOS could simply mark this package as unfreeRedistributable and still serve binaries for our users when they wanted it.

If source code isn't allowed, the binary case is a bit more complicated. Most licenses require "non-modification" of the binaries, but for proprietary binaries they often have to have their ELF headers modified on NixOS to work properly. This may not be the case with cloudflared (static Go binary), but it's still worth clarifying I think. (As an example, Nvidia distributes proprietary binary drivers that you can redistribute but only if they're unmodified. This is fine for some Linux distros, but not for us, because we have to modify the binary ELF headers. This means the Nvidia driver packages for NixOS are unfree, not unfreeRedistributable, because we would otherwise violate the terms).

The third case is an extension of case 2: if the original binary must be used, there's a question of whether any terms must be accepted to download it. This is also handled in NixOS separately; for example, some unfree packages do not require any explicit agreement to actually download the binary; the license simply doesn't allow you (a 3rd party) to redistribute the binary, so end-users have to download it themselves. An example of this is the Nvidia NCCL library. When a user installs it, they will 'build' the package themselves, and during that time, the binaries will be downloaded automatically. On the other hand, some package not only do not allow redistribution, they also require an explicit agreement with the user, like OracleJDK. In this case on NixOS, not only does the user have to 'build' the package themselves when they try to install it, they also have to manually download the binary first (through a web browser) and "add it" to their system so it can be built. (In other words, our tools can't "automatically" accept the license on their behalf, which is fairly standard).

---

At the end of the day, cloudflared in NixOS can be simply marked as unfree which is the most restrictive license in NixOS, and end-users would have to compile it themselves, removing us from the loop. The only relevant question then, is question 3 -- whether or not the binary can be downloaded without an agreement on behalf of the user. In this case, everything here seems to indicate that no agreement for download is necessary, which is nice, but that's not fully clear to me.

I don't expect there to be any good, easy answers to these questions without your legal team getting involved. Also, talking to your legal team is probably not your good idea of 'fun', so I understand if this clarification isn't the highest priority (though that's how life is sometimes).

This wouldn't be the end of the world, although it may be a bit unfortunate for the few people who need it. However, these terms may be worth clarifying for others too.

---

[1] Sadly we do not use CloudFlare for our cache -- but I imagine you probably don't want terabytes of ELF binaries clogging your CDN/cache layers. :)

[jwh]

bump, I'd be interested in what the deal is here also... (as a customer who uses Argo)

[ghost]

I'd like to redistribute a binary that I've compiled for mips64. Clarification please.

[TownLake]

Hello, we are in the process of closing out some old tickets and saw that we didn't get back to your inquiry. I escalated to our legal team and they advised that NixOS should mark the Cloudflare Daemon as unfree. The cloudfared license does not permit redistribution of the cloudflared daemon to third parties. Thanks.