Licensing Issue

[kdani41]

Question

Currently Reactive Streams dependency has a license of CC0

Issue - Due to some reason the place where I work have some legal issue with the license.

Main concern regarding the license is that patent rights are expressly reserved. The license is only for copyright which eventually creates a risk of an IP claim.

Is there any way if reactive-streams can be offered under Apache-2.0 license??

[viktorklang]

@reactive-streams/contributors Would it make sense to dual license under Apache V2?

[akarnokd]

Related: #434.

How do you express in dependent libraries that you have chosen RS with the Apache v2 license?

[viktorklang]

@akarnokd Good question—and I have no idea. I don't even know if this [patent clauses] is an imaginary problem or not.

[ktoso]

I would not mind adding a 2nd license but would be good to get some confirmation legal wise how to pull that off and if we are solving a real issue etc.

[jroper]

I attended a keynote earlier this year by the head of the Open Source Initiative (Simon Phipps), and he talked about the importance of patent grants.

The specific problem that patent grants seek to address is when a contributor who works for big tech company that has a large patent portfolio, makes a contribution, and that contribution, whether it's known to the contributor or not, contains IP covered by their employers patents. A license that contains a patent grant protects the users of that software from that company coming after them with a patent suit.

Applied to Reactive Streams, a hypothetical situation might be one where Microsoft had some patents surrounding Reactive Extensions, and through RxJava and the adoption of those interfaces here, Reactive Streams may have inherited some code or approaches covered by those patents. Using a license with a patent grant would prevent Microsoft from suing any users of Reactive Streams.

I'm not sure that technically, we could retroactively apply any license containing a patent grant to a CC0 project, we would need to first get agreement from all the past contributors that their contributions be made available under a license with a patent grant.

[skylap]

To bring this topic to life again: I'm also working for a bigger company that consults lawyers regarding open source software licenses. Our opinion on this is that reactive-streams could keep CC0 license if you would add a statement like the following to the license declaration and have all authors / contributors sign it:

The author / contributor does not hold any patent or trademark rights connected to the source code of this project. Furthermore the author / contributor does not know of any patent or trademark rights that could be connected to the source code of this project.

This statement helps companies that want to use this project in their commercial software (directly or indirectly via transitive dependencies) to be more on the legally safe side. Please consider this solution.

[TobiX]

Chipping in from another company user. Our legal team sees another problem with the following part of CC0:

(4c in https://creativecommons.org/publicdomain/zero/1.0/legalcode)

Affirmer disclaims responsibility for clearing rights of other persons that may apply to the Work or any use thereof, including without limitation any person's Copyright and Related Rights in the Work. Further, Affirmer disclaims responsibility for obtaining any necessary consents, permissions or other rights required for any use of the Work.

Our legal department considers this a huge problem, since it basically says "may contain parts of other works not licensed under CC0"...

Dual- or multi-licensing is pretty simple technically, see jruby as an example. Unfortunately, you probably have to contact all current copyright holders (contributors to this package) if they are okay with such a relicensing (at least if there is no CLA in place which asked for relicensing permission beforehand)

[viktorklang]

@TobiX While I can sympathize with the concern for the license in itself, remember that we're talking about 4 interfaces where one of them is simple 2 of them joined at the hip. Which code are they concerned about more specifically?

[TobiX]

@viktorklang I didn't realize those are only 4 interfaces, I came here after a license review :D

Those are probably even exempt from copyright where I live (Germany)...

[viktorklang]

@TobiX :D

[viktorklang]

@TobiX Oh, and also, there's this which converts between those 4 interfaces, and the exact same 4 interfaces which was included in the JDK for Java9. :)

[viktorklang]

@reactive-streams/contributors @TobiX @skylap @kdani41

MANDATORY "I AM NOT A LAWYER AND THIS IS NOT LEGAL ADVICE" DISCLAIMER.

I'm raising this concern in order to settle this topic once and for all, hopefully. :)

Please read this for background on why CC0 is not OSI Approved:
http://lists.opensource.org/pipermail/license-review_lists.opensource.org/2012-February/001565.html

Moving to something more widely accepted, yet still as permissive as absolutely possible, MIT-0 (a.k.a "MIT: No Attribution") looks promising, and is something which could become OSI approved: https://spdx.org/licenses/MIT-0.html

Is this something that everyone would be fine with? (If we make any modifications to licensing, I'd prefer to only do it once, and then let this rest.) One option is to keep CC0 for everything non-code, and MIT-0 for code, this change would be the least change, while still moving to a "code" rather than "text" license for code.

Thoughts? Opinions? Alternatives?

Cheers,
√

[sig-cpotts]

IMHO MIT would be an excellent choice.

Best Regards.

[DougLea]

Discussions of CC0 vs MIT-0 seem like angels on pinheads to me. If people would like to placate lawyers, MIT-0 is a fine way to do it.l

[Scottmitch]

No issue with MIT-0, thanks for checking @viktorklang!

@jroper and @TobiX bring up great points about complexities of retroactive re-licensing above. I would advise seeking legal council to confirm the original concerns are being addressed in a way that won't introduce new problems, and the process/impact to the community is well understood.

[sig-cpotts]

No issue with MIT-0, thanks for checking @viktorklang!

@jroper and @TobiX bring up great points about complexities of retroactive re-licensing above. I would advise seeking legal council to confirm the original concerns are being addressed in a way that won't introduce new problems, and the process/impact to the community is well understood.

Could a new minor revision be released with the MIT license applied in order to avoid retroactive licensing?
From a license compliance standpoint I can imagine that considering the licence applied to file header/package/library at time of download by the consumer would take legal precedence and what confusion retroactive license application may cause is difficult to judge. (In particular if all code-contributing parties at said download time were not in agreement with said re-licensing and not available to parlay. (I did in fact just re-watch the Pirates of the Caribbean series if anyone notes a peculiarity in this comment.) Savvy.) ... and perhaps a nap is in order. Take care all.

[jroper]

There is some contention as to whether the MIT license constitutes a patent grant, but most agree that it includes patent grant.

But here's the issue - and let's not forget, it's not just a question of what legally works, which to prove requires going to court, it's a question of what a companies lawyers, who when reviewing whether their developers can use this project, will accept. There are 31 contributors to Reactive Streams:

https://github.com/reactive-streams/reactive-streams-jvm/graphs/contributors

Of which I am one. Let's say, I was malicious, and I actually had a patent, and I contributed something that my patent covered to Reactive Streams. I signed the copyright waiver, where I agreed that I was making my contribution under the terms of CC-0. But CC-0 explicitly excludes patent grants, in the summary it says "in no way are the patent or trademark rights of any person affected by CC0". So, I kept my right to sue anyone that uses my Reactive Streams code when I made my contribution.

Now, you decide to re license it as MIT-0, but I never agreed to that. So I still maintain my right to sue anyone that uses my Reactive Streams code when I made my contribution.

Yes, Reactive Streams is only 4 interfaces, but will the lawyers care about that? We have the email address of every contributor, would it be that hard to contact them all and ask them to submit a new PR to a new document that adds their name saying they make their contribution under MIT-0?

[egetman]

MIT is perfectly OK for me =)

[viktorklang]

Everyone,

the process to relicense to MIT-0 has begun, once all contributors have accepted the relicensing proposal to MIT-0 by adding themselves to Relicensing.txt we can then go ahead and officially update the LICENSE to MIT-0

Thanks for all your input and thoughts on this!

[viktorklang]

@briantopping @JakeWharton @seratch @kiiadi @Scottmitch Please let me know whether you received the email(s) regarding steps required to re-license to MIT-0.

[briantopping]

Hi Victor, I’ll get on this shortly. Thanks, Brian

…

On Aug 18, 2020, at 6:51 AM, Viktor Klang (√) ***@***.***> wrote: @briantopping <https://github.com/briantopping> @JakeWharton <https://github.com/JakeWharton> @seratch <https://github.com/seratch> @kiiadi <https://github.com/kiiadi> @Scottmitch <https://github.com/Scottmitch> Please let me know whether you received the email(s) regarding steps required to re-license to MIT-0. — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#438 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AABGTIZUAY2X5DRZUTQFD23SBJ2OLANCNFSM4FUZRAJQ>.

[kiiadi]

@viktorklang I'll try to get to this today.

[viktorklang]

@kiiadi Awesome, that'd be perfect—you're the last signature :)

[kiiadi]

done : #524

[viktorklang]

Perfect, thanks @kiiadi!

[viktorklang]

License has now been changed to MIT-0

[tuxdna]

The latest build of ractive-streams is 1.0.3 which is still points to CC0 license in its .pom file.

https://search.maven.org/artifact/org.reactivestreams/reactive-streams

  <licenses>
    <license>
      <name>CC0</name>
      <url>http://creativecommons.org/publicdomain/zero/1.0/</url>
      <distribution>repo</distribution>
    </license>
  </licenses>

Please point here, if there is any build available that fixes the license from CC0 to MIT-0?

[viktorklang]

@tuxdna There's no published binary with the new license, but nothing prevents you from building your own artifact, or including the sources, until there's a new version published.

[tuxdna]

@viktorklang I think that is the way to go, until a new release is available. Thanks!