Consider Reverting To ISC License #7
Comments
Normally I wouldn't relicense a project that already exists, but this is a full rewrite, and there aren't any other contributors anyway.
Having re-read the license again, the only way I could envision complying with the Notices section would be to convert our projects to closed-source:
As an open-source maintainer, I don't have the power to stop people from downloading individual files from our repositories on GitHub and can't reasonably ensure that they also download or view the license of a vendored dependency. Additionally, we follow GitHub's official guidance in using
Run `yarn set resolution cacache@npm:^17.0.0 17.0.4` to avoid taking dependencies on jackspeak or path-scurry, which use Blue Oak Model License 1.0.0. As detailed in isaacs/jackspeak#7, we are unable to comply with the license's notice requirements while remaining open-source.
Necessary disclaimers, IANAL, and also I'm not a lawyer, and even if I was, I wouldn't be your lawyer unless you were paying me, so this is in no way legal advice.
If you are shipping this software, you must ship it with the license. If someone downloads an individual file from your repository, and the license was available in that same repository, then you have made it available to them along with the software. If you are vendoring this (or pretty much any OSS) library, and not vendoring the license along with it, in the same place, then yes, you are in violation of the license. MIT and BSD have similar provisions. MIT:
BSD-3-Clause:
When in doubt, put the text of the license in the file itself as a comment, but I personally think that's a bit excessive. Everyone knows what the

Is that a bug or a feature? I'm not sure. I find software patents, on balance, morally objectionable. What little social good that they do (which is not zero, to be clear) is vastly outweighed by the harm they do. I am in favor of the disarmament of the intellectual property weapons wielded by megacorps in open source communities. If the use of Blue Oak dissuades patent holders from using my code, or makes them tread much more carefully in how they interact, I see that as a benefit.
I don't care that it isn't OSI approved. It has undergone quite a bit of public discussion, by people who I trust to make legal decisions, including lawyers I've retained in the past and whose integrity and insight I trust implicitly, and their position is that it's good, so that's enough for me.
True, it's not as simple as ISC. But it is still plainer English than most licenses, and addresses many of the points where ISC is a bit vague. I like it. I understand that we might not all see eye to eye on these things, and reasonable people can disagree in good faith. As always, if BlueOak (or any license I choose) is a blocker for you, I am willing to offer a proprietary license with extremely flexible terms for a license fee equal to $50 per month per full time employee (or equivalent full time contractor/contributor). If this is of interest to you, let me know.
Yes, of course; IANAL either.
Personally, I agree with your sensible interpretation of the notice requirements of Blue Oak, and we meet all those standards already, so compliance with this interpretation would not be an issue. I would even hazard a guess that you had already spoken specifically with the license authors about this topic, and that they also agree with our interpretation. My problem is that if I were to use any software with such a license, I would have to trust that an arbitrary court of law in an arbitrary country with limited software engineering expertise will also agree with our interpretation. I find the wording of the MIT and BSD-3-Clause licenses on this topic less subjective, because they are worded in terms of what I must do and what is in my control. I have greater confidence those licenses will be interpreted in the manner I expect because they each have large bodies of case law at this point. Obviously different organizations have different levels of appetite for legal risk, but as an open-source developer contributing software for free, mine is very low.
Putting the text of the license itself in the file as a comment would address the case where someone downloads individual files, but not the case where they use our GitHub Action and receive only the minified output of ncc. Regardless, if I were to take that approach, I would be maintaining a fork of any Blue Oak licensed software we use or looking for some tool that automatically copies license texts into files. In any case, such an approach would significantly raise the cost of adoption.
Here again, personally, I agree with your values 100%. I am not aware of a reason why patent holders specifically would be deterred from using Blue Oak code however, merely from contributing anything back to it. The concern as I understand it is the potential for the loss of one contributor's patent rights on the basis of another contributor's contribution. The license states:
Contrast Apache 2.0, which clarifies that each contributor can only grant rights to their own patent:
I feel reasonably confident that courts would be unlikely to hold the view that one contributor could grant another contributor's patent rights away by infringing on a patent they don't hold. (After all, one might say that would be patently absurd.) I am slightly less certain however that an arbitrary court wouldn't interpret the license itself to be purporting such a claim (e.g., in the event that some licensor(s) and/or licensee(s) had advocated such an interpretation). At that point, I would have to delve a lot deeper to understand what might happen. To hazard a guess though, depending on the jurisdiction, the judge might then be obligated to strike the patent clause entirely, have greater leeway to interpret it as they see fit, or have either the power or obligation to strike down the license entirely and deem it unenforceable in that jurisdiction. This is simply something I came across while researching the license and did not factor significantly into my decision not to adopt Blue Oak software.
That's good to hear that Blue Oak has been publicly reviewed. Do you happen to know where such a discussion took place? That might be a more appropriate venue for my feedback.
I appreciate the offer, but as I make no money from software development, I cannot afford such an arrangement. We do not use and have never used any Blue Oak software, so ScribeMD/docker-cache is currently sitting on a ticking time bomb until a security vulnerability affects cacache v17.0.4, the last version of cacache that does not include a Blue Oak license in its dependency tree. At that point, if the security vulnerability were a credible concern, I would be forced to deprecate docker-cache if we could not find an alternative dependency tree to satisfy our needs.
Run `yarn set resolution cacache@npm:^17.0.0 17.0.4` to avoid taking dependencies on jackspeak or path-scurry, which use Blue Oak Model License 1.0.0. As detailed in isaacs/jackspeak#7, we are unable to comply with the license's notice requirements while remaining open-source. Run `yarn set resolution fast-check@npm:^3.0.0 3.12.1` to temporarily work around a type incompatibility between fast-check 3.12.1 and 3.13.0.
Run `yarn set resolution node-gyp@npm:latest 9.4.1` to avoid taking dependencies on jackspeak or path-scurry, which use Blue Oak Model License 1.0.0. As detailed in isaacs/jackspeak#7, we are unable to comply with the license's notice requirements while remaining open-source.
| datasource | package | from | to |
| ---------- | ------------- | ----- | ----- |
| npm | @yarnpkg/sdks | 2.7.1 | 3.1.0 |
| npm | @yarnpkg/cli | 3.6.4 | 4.0.2 |

Bump Yarn licenses plugin from v0.12.0 to v0.13.1 for Yarn v4 support. Remove all other plugins as they are built in to Yarn v4. Accept Yarn's suggestion of disabling the global cache so dependencies are available locally, allowing MegaLinter to run ESLint via Yarn. Reject Yarn's suggestion of using the mixed compression level since experiments have shown that installs are significantly faster with the new default compression level of 0. Consequently, decompress all Yarn dependencies. Ignore deprecation of uuid package now that `yarn npm audit` reports deprecations. @actions/cache depends on uuid v3, and does not plan to upgrade the dependency. Ignore deprecation of @npmcli/move-file since it's a transitive dependency of node-gyp@9.4.1. We can't upgrade node-gyp without taking dependencies on jackspeak or path-scurry, which use Blue Oak Model License 1.0.0. As detailed in isaacs/jackspeak#7, we are unable to comply with the license's notice requirements while remaining open-source.
Run `yarn set resolution node-gyp@npm:latest npm:9.4.1` to avoid taking dependencies on jackspeak or path-scurry, which use Blue Oak Model License 1.0.0. As detailed in isaacs/jackspeak#7, we are unable to comply with the license's notice requirements while remaining open-source.
The Blue Oak Model License 1.0.0 has a few drawbacks that I am aware of:
I don't have strong feelings about this; I just came across these discussions because LicenseFinder spotted the license change, and I was evaluating whether we should approve use of Blue Oak 1.0.0 dependencies in our projects.