License update #2032

Closed
moughxyz opened this issue Mar 7, 2018 · 18 comments

@moughxyz
Member

moughxyz commented Mar 7, 2018

In 76b37d7d53fc160dfb452f499f9feb32ed45bf10 the GPLv3 license was removed. The reason for this is, quite honestly, I'm just not sure of the long-term implications of having one particular license over the other. I am after all a developer, and not a lawyer. To be clear, the license was removed only on the clients. The server remains GPLv3. There were two primary worries I had that led me to removing any particular mentioning of a license:

  • Can someone more capitalized than me completely use all my code and create a competing product, market it more efficiently than I can, and drive me out of the market?
  • Can a large corporation make heavy use of our work, which has taken years to build, by hosting their own Standard Notes web app, desktop, mobile, and server environment all at no cost or benefit to us?

The intention with Standard Notes being open-source was always from a security and audit perspective, and not a "use our software at no cost" perspective. However, the two worries above are directly related to a "business paranoia", and not at all regarding individual use.

Until I can more deeply understand the consequences of one model over the other, the client software is issued with no license at all. Personal usage is fine, but once you get into the territory of using our code for commercial endeavors, it's a much trickier subject, and I'd prefer not to set something in stone until I can get a better grasp for the long-term implications.

moughxyz referenced this issue in standardnotes/app Mar 7, 2018
@datagrok

datagrok commented Mar 8, 2018

I think AGPL3.0+ might be a good fit for your project. With that license the answers to your concerns are:

Can someone more capitalized than me completely use all my code and create a competing product, market it more efficiently than I can, and drive me out of the market?

Any corporation who attempted this would be required to release their modified source code under the same license. Yes they can create a competing product, hyper-market it to gain more popularity than yours, but--and this is crucial--it is less likely that they could "capture the market" or shut you out, because they must release their changes. Their competitors (you) could easily absorb any features that would otherwise be their "competitive differentiation point" and lock-in mechanisms.

Can a large corporation make heavy use of our work, which has taken years to build, by hosting their own Standard Notes web app, desktop, mobile, and server environment all at no cost or benefit to us?

Any corporation who attempted this would be required to release their modified source code under the AGPL. (But not the GPL; the "SaaS loophole" permits it!) So the answer is "yes," but with the AGPL they lose the ability to exclude everyone else. You and any competitor of theirs can receive their modified code and "compete" with a similarly-hosted service, with feature parity.

One side effect of these things is that big corporations who are looking to exploit open source for a quick buck, rather than contribute back to the community, treat GPL and especially AGPL-licensed software as "toxic" and untouchable. This further reduces the likelihood of the issues you mentioned. GPL opponents decry this as making a project "unpopular" but I think the protections that the licenses provide are worth that risk, and are very suited to projects with a self-hosted option like yours.

Other projects which use the AGPL include tootsuite (mastodon), CiviCRM, and MongoDB.

Some projects use a copyright-assignment trick to better capture the market while somewhat supporting the open-source community: If you use the AGPL3 license and also require with a CLA that all contributors assign copyright to you, you may very easily change the project license at a later date, or sell proprietary forks. I dislike that practice, but even that would be better in my opinion than a permissive license (like BSD, MIT, or Apache2) that lets corporations exploit and capture your work, or keeping your project unlicensed (and effectively proprietary.)

@bgcarlisle

If it helps, the AGPL also seems to be Google-resistant:

http://joeyh.name/blog/entry/prove_you_are_not_an_Evil_corporate_person/

@moughxyz
Member Author

@datagrok thank you for your detailed thoughts. You make some compelling points. Although, I'm not totally put at ease by the fact that any party monetizing our code will also have to release their code. I think that would make sense in a perfectly-competitive environment where if one corporation adds a bunch of features that attracts more users, the other slighted party can just add those same features. In this case, SN is anti-feature minded. Users want SN to do a lot of things, and we say no constantly. No doubt if someone copied SN and gave it the Evernote-bloat treatment, people would rush to it like they rush to sugary sweets. In that case, we wouldn't want to compete with that feature set. We want to stay small.

Code is code. Code is raw material, like wood in a lumber yard. It's really the packaging and marketing that make it commercialized and monetarily viable. I think the whole "closed-source" business model is needless paranoia. If I may speak freely, I don't personally fully understand the free software movement. Why should anything be free? How could anything be free? Free is always, always subsidized. The free software movement has trained users to expect that software should be as naturally available and free as leaves on a tree. Luckily, the kinds of people SN attracts understand that free is not sustainable, but you still get the occasional wanderer who is outraged that we are charging some sort of fee for advanced features.

Speaking generally, free is most often a marketing strategy used by corporations to take advantage of customers. A sort of loss leader. And I think it's created a really unhealthy ecosystem of unchecked greed and growth, and a complete loss of privacy. This is why I'm skeptical of free.

The lifecycle of software projects is another topic of its own, and is in my opinion also on an unhealthy trajectory. You either get bloatware, or abandonware. Very rarely do you just get a self-sustaining project that's very intentional about its longevity.

So, I don't know. I have all these worries and ideas that I want to try to optimize for. And I don't want to keep doing what's been done before, in the sense of, you can't keep doing the same thing and expect different results. Standard Notes is open-source, but I'd like it to be a non-growing codebase. The open-source community today encourages contributions to your favorite projects, but personally, I'd be ok not receiving any PRs. PRs tend to add. I'd like to remove.

I sort of want to be a hybrid between open and private. I want to be open, because it's important you see we have nothing to hide, and are doing things correctly. I want you to be able to look at the code, and see how everything works. But, I also want to protect our "intellectual property". I want to make sure that my life's work isn't copied overnight by some savvy businessman who figures something out that I haven't.

(I'm definitely still open to convincing. You can kind of see that my thoughts on this are all jumbled up.)

@Zegnat

Zegnat commented Mar 17, 2018

Licence changes interest me on many levels and the first thing this made me do was check the contributor graph. Did you have permission from all code contributors to remove the GPLv3 licence? If not, you are currently infringing on their rights by distributing their code under a non GPLv3 compatible licence. (Not a threat, I am not a contributor, but something to be aware of. Licence changes can be painful, ask the VLC people.)

Reading this discussion it seems you are mostly worried about commercial use of your code, and that something of a CC BY-NC-SA equivalent for code is what you would want. You’ll have to do a fair bit of research though, as the usual copy-pasteable licences out there try to follow criteria set by either the FSF or in The Open Source Definition and both will explicitly allow reselling etc. Though there might be some interesting options.

The intention with Standard Notes being open-source was always from a security and audit perspective, and not a "use our software at no cost" perspective.

The problem with being just source-available rather than open-source is that you also take the rights away from users to compile trusted binaries from source. Basically you are telling them to trust you that all the official applications match the source you have shared. At that point, any audit of the available source is moot.

There recently was a bit of discussion about free software and its effect on privacy/security over in prism-break/prism-break#1915 that you might find interesting to read. There I argue that you do not need a full OSI/FSF compatible licence, but do need to guarantee some rights to the user for a tool to be helpful in the security/privacy debate:

The way I see it any recommended software should at least allow anyone:

  1. unhindered access to the source code – the only way to see the software only does what it claims to do,
  2. the right to run and/or compile the source code – the only way to get around using binaries from untrusted sources,
  3. to distribute the source (and binaries where applicable) – the only way to guarantee wide access to software anywhere.

Of course I am not a lawyer either and this software is yours to do with whatever you want. But might be some food for thought!

Some other points:

  1. This repository is still advertising itself on npm as GPLv3: https://github.com/standardnotes/web/blob/f406364ecff483e57ca1b5abe99f74acc0b89730/package.json#L38
  2. standardnotes/mobile is still GPLv3 licensed. Was this an oversight or is the mobile application continuing under said licence?
  3. Will this be affecting the server implementation? Or do you concede that it would be a good thing to have Standard File implementations as “free” as possible?

@moughxyz
Member Author

moughxyz commented Mar 19, 2018

@Zegnat thank you, that's helpful. Lots to take in here. Definitely a few things that I hadn't considered or been aware of.

  1. Source-available vs. open-source: Admittedly never considered there might be a distinction. I definitely don't want to advertise "open source" if there has been previous contention about this (as in the Wikipedia article). And to be honest, I'd rather head more towards being open-source than source-available. I just want to make sure I'm doing it right.
  2. Your point about not being able to "spread it around to vulnerable groups that is a definitive hindrance" is also very interesting. Not something I considered either, and this is definitely important to our mission.
  3. Derived works. The open-source definition states the rationale is: "The mere ability to read source isn't enough to support independent peer review and rapid evolutionary selection. For rapid evolution to happen, people need to be able to experiment with and redistribute modifications." This concerns me a little bit, because there's this idea that software is never done. It always needs more: more features, more improvements, more bug fixes. And this invariably causes bloat and fatigue, and eventually, a project so large as to be thoroughly unmaintainable. I'm trying to do the exact opposite with Standard Notes. I want to say, "It's done. No more code please." Simple software that does the job it was designed to do, and no more. It's a surprisingly radical concept, when it really should be the norm. So, although by definition it is not up to me to dictate what others can do with the software, "rapid evolution" takes me aback. "Painfully slow evolution" would be more progressive, in my view.

Essentially, the ideal license I'd be looking for would say something like:

For individual and non-profit use: GPLv3. For use in for-profit businesses, entities must seek a Private License.

Is that possible? Or perhaps even:

GPLv3. If pursuing a profit, must seek additional Private License.

Copies of the code must also include this license, and the Private License would always come from the parent-most entity (us).

As a philosophy, I want to empower individuals and neutral entities to make use of this software in any way possible. When it comes to for-profit corporations, I'm not as sympathetic. Longevity is an important topic to us. Open-source seems at once great and hazardous for longevity. On the one hand, by allowing free distribution, you ensure a sort of "decentralized" access network not reliant on us. On the other hand, if you give away your software to profit-seeking entities that might have otherwise paid for it, you miss out on revenue that can secure a healthy lifecycle for the product.

For the most part Standard Notes intends on remaining a fixed "small" business (especially no outside capital), so revenue streams like this can be crucial to ensuring longevity.

(As for the server, Standard File is more abstract and general, and not tightly related to our business function, so it will remain GPLv3.)

@datagrok

For individual and non-profit use: GPLv3. For use in for-profit businesses, entities must seek a Private License.

This sounds like what MongoDB does, with the copyright-assignment trick. You might like to take a closer look at their licensing scheme, since their software is popular, used by many large businesses, and seemingly very profitable.

They license their main product and tools under AGPLv3. This does not forbid commercial use or distribution, but since enough profit-motivated companies have convinced themselves that strong copyleft is "dangerous" or that offering source is "difficult" or that the license will "infect" their entire portfolio, it has that effect regardless. For those (many) companies allergic to AGPL, MongoDB offers commercial (proprietary) licenses for a hefty fee. ($10,000 per year in 2014, according to one page I found.)

To make this work, they must ensure that they are allowed to re-license any patches and contributions they receive from the community, which they do with this contributor license agreement that demands copyright assignment.

This model might work for you, and it has the serious benefit of having been done before by multiple profitable companies. So many users will be already familiar with it.

It would make your software both Free Software and Open Source; whereas if you employ any type of license that dictates "no commercial use," then FLOSS advocates will be dismissive of it.

People like me might still be uncomfortable with the copyright assignment CLA, but I acknowledge that this scheme is better for the community than any of proprietary, permissive, or some weird non-free no-commercial-use license, while still in service to your goals.

Nobody likes license proliferation either so even if you did come up with the perfect license to describe your wishes, that was enforceable under copyright law (see the comment on this weird license), in every country, it might be better for adoption to go with something more well-understood.

@moughxyz
Member Author

Interesting. Although, it seems like Mongo's setup is catered to "vast" legal departments and businesses, which isn't exactly the audience I'm currently entertaining. I'm more looking to do this on a much smaller scale, say, businesses of 3 or more people. Given the extensible nature of Standard Notes, businesses like these might not even have any interest in modifying the source code—they might just build their own extensions if they wish to customize anything.

With a license like AGPLv3, businesses might only hesitate if they wish to modify the code, but I imagine this would be a rare case.

Is it an absolute given that stating "commercial use requires additional license" voids my ability to say open-source? Or are there some navigable exceptions to this?

@moughxyz
Member Author

moughxyz commented Mar 20, 2018

I've been reading over Stallman's essays on free software. And, I must say, there seems to be some new information in the space of software businesses. Namely, the rise of subsidization with free software, usually at a cost of user privacy, business fundamentals, and longevity. I get he means "free software" as in freedom and not price, but they appear essentially to be the same.

I think free and open-source work really well with frameworks and libraries that require constant evolution, fixing, and interoperability. And I think the angle Stallman approaches it from regards large businesses, not indie businesses. He makes some strange points:

Society also needs freedom. When a program has an owner, the users lose freedom to control part of their own lives. And above all society needs to encourage the spirit of voluntary cooperation in its citizens. When software owners tell us that helping our neighbors in a natural way is “piracy,” they pollute our society’s civic spirit.

What about me, an independent developer—am I not your neighbor?

The real reason programmers will not starve is that it will still be possible for them to get paid for programming; just not paid as much as now.

In other words, take a hit on behalf of the collective whole. This is merely a reincarnation of leftist vs. rightist ideals played out in the software realm. My stance on this isn't fully formed, but obviously, it's a complicated topic.

Arrangements to make people pay for using a program, including licensing of copies, always incur a tremendous cost to society through the cumbersome mechanisms necessary to figure out how much (that is, which programs) a person must pay for. And only a police state can force everyone to obey them.

A police state is required to enforce a free market?

“Won’t everyone stop programming without a monetary incentive?” Actually, many people will program with absolutely no monetary incentive. Programming has an irresistible fascination for some people, usually the people who are best at it. There is no shortage of professional musicians who keep at it even though they have no hope of making a living that way.

Yes, but this is precisely why programming is a distinctly enjoyable art form: you can actually expect to make money off it. Why reduce it to the same rare chances of making it as a drummer or a poet?

Honestly, I don't know. I'm just now exposing myself to all the writing available on the topic, so risk making totally naive arguments which have already been made by the thousands. But in my impression, given what we know about software businesses today, it's not so easy as free. Stallman conveniently ignores the cost of free for the future benefits it may bring. Good on him for being future-minded. Me? I am that cost. I suffer by it every day. And if I am not a multi-billion dollar conglomerate feeding on and taking advantage of poorer souls—if I am just one person attempting to reduce my own suffering—am I not free to pursue that?

I guess you could easily say, well, sure, no one is forcing you to be open-source. True. If I disagree with his principles, I could easily protest by simply not marking my software as free. I'm only torn on the commercial aspect. He makes compelling points regarding the importance of individual liberties to tweak and modify software, but when it comes to the freedom to commercialize copies of software, I grimace just a little bit. But, that's likely because I'm too involved in my own suffering, rather than optimizing for the potential decrease in future collective human suffering.

@Zegnat

Zegnat commented Mar 20, 2018

  1. Derived works. The open-source definition states the rationale is: "The mere ability to read source isn't enough to support independent peer review and rapid evolutionary selection. For rapid evolution to happen, people need to be able to experiment with and redistribute modifications." This concerns me a little bit, because there's this idea that software is never done. […] I want to say, "It's done. No more code please." […] So, although by definition it is not up to me to dictate what others can do with the software, "rapid evolution" takes me aback. "Painfully slow evolution" would be more progressive, in my view.

The part I emphasised hits the nail on the head and sits at the centre of this debate. It is 100% up to you how you run the Standard Notes repository. You can stop accepting PRs. You can put big banners on the standardnotes.org about stability and feature-complete-ness. What open-source licences try to stop you from doing is telling other people how to manage their forks of Standard Notes.

Instead something you can do is use a licence like MPL, or use GPL with additional permissions (per section 7), to make sure other people’s forks cannot then use the name Standard Notes. That way at least their “rapid evolution” fork does not get to piggy-back off of your (subjectively) more stable produced official distribution.

Then again, none of those limitations actually stop “commercial endeavors” from being founded upon your code. So it doesn’t address your initial problem.

For the most part Standard Notes intends on remaining a fixed "small" business (especially no outside capital), so revenue streams like this can be crucial to ensuring longevity.

I have a lot of respect for this. And I also understand how hard it can be to just go completely open source (and/or FSF Free software) with the core product of your business. Most revenue streams from others along this road are often realised through selling separate support and/or consulting.

In fact, this is how most of the WordPress ecosystem works. As all WordPress themes are GPL when you look at commercial themes the commerce part is based on something other than the theme code.

Essentially, the ideal license I'd be looking for would say something like:

For individual and non-profit use: GPLv3. For use in for-profit businesses, entities must seek a Private License.

Is that possible? Or perhaps even:

GPLv3. If pursuing a profit, must seek additional Private License.

It is probably impossible to use a GPL licence with an added commercial restriction. Specifically, that restriction might even be void under GPLv3 section 10:

You may not impose any further restrictions on the exercise of the rights granted or affirmed under this License. For example, you may not impose a license fee, royalty, or other charge for exercise of rights granted under this License […]

Meaning I can just ignore your telling me to get a separate licence. As soon as you have granted me rights under GPLv3, those are mine to use, and that includes reselling your work.

To make [selling commercial licences on the side] work, they must ensure that they are allowed to re-license any patches and contributions they receive from the community, which they do with this contributor license agreement that demands copyright assignment.

This restriction already applies to the Standard Notes code right this moment, which is why I asked if all contributors had given their OK on the relicensing of this repository 😉 If one central entity is to do the licensing of all the code, they must hold that right.

This sounds like what MongoDB does, with the copyright-assignment trick.

I didn’t know about using companies’ reluctance of AGPL code against them in that way. I asked around and it is seemingly something multiple projects have done.

  • RethinkDB used to be AGPL (selling commercial licences on the side), until it was bought up and relicensed under an Apache licence. This was described by some as a “liberation”, again because of how some people think AGPL is hard to use.

  • Bacula is AGPL licensed and their licence page makes it clear that you allow any code contributions you make to then be licensed for use in the enterprise edition. If the AGPL scares off competitors, giving yourself the sole commercial licence means you are the only one generating revenue.

  • Scylla, another NoSQL engine, basically copied MongoDB’s licence page.

  • Oracle Berkeley DB, an embedded database by Oracle, does the same thing. (Are you spotting a pattern yet?)

  • Neo4j is even more interesting. Their core product is GPLv3 and their “enterprise” extensions are AGPL! So even though this technically allows me to resell their enterprise code, I can never improve upon that part of the code without giving my improvements back to them.

    I guess this would be a bit like having Standard File GPLv3, where everyone can work on their own improvements and possibly keep them for themselves, and having Standard Notes AGPLv3 so any improvements made by commercial entities must come back to you as well.

All of these projects seem to be able to make AGPL work. So there might be something to this “trick”.

(Huge thanks to @sknebel for pointing me at these projects!)

Is it an absolute given that stating "commercial use requires additional license" voids my ability to say open-source? Or are there some navigable exceptions to this?

In general it wouldn’t be open-source per the definition by OSI because of point 6. Then again, the Non-Profit Open Software License 3.0 was accepted by the OSI so … mileage may vary?

In reality, as soon as you are talking about deviating from an already well-understood licence, you should consult your IP lawyer.

Honestly, I don't know. I'm just now exposing myself to all the writing available on the topic, so risk making totally naive arguments which have already been made by the thousands.

You will find an equal amount of people who do not like Stallman’s or FSF’s stance on what constitutes free. So I wouldn’t sweat that too much.

@moughxyz
Member Author

Is it possible the open-source definition is intended towards very particular sorts of programs? I'm getting the impression, given the dissonance I'm experiencing, that perhaps if commercial integrity is important to me, then the open-source definition is not targeted at me?

I'm trying to imagine the environment in which the free software movement arose, and in the 70s and 80s, software wasn't what it is today. Back then, only large institutions could afford to house a computer setup, so naturally, power aggregated into the hands of the few. The free software movement seems a natural counter to this.

Today, the definition by which one can freely modify their code in addition to commercializing copies of it seems to be befitting of libraries and frameworks, but seems not to make much sense on the application level, especially, say, web applications. Should one have the right to modify copies of their own software to improve their lives? Absolutely. This is fundamental. Should this same person also have the right to redistribute this software for a profit? This seems not so obvious. It's almost unprecedented. I'm not sure how this leap was made.

I'm considering two options currently:

  1. Accept the open-source definition, and conclude that my business paranoia is irrational, and that there aren't many cases where my fears have been manifested in history. We'd also have to miss out on the sustaining revenue we could otherwise gather from businesses using our software for a profit.
  2. Fork the open source definition as "public source", maintaining individual liberties, but removing commercial rights. Commercial rights would still be attainable, just through the proper channels.

Given my goal is business sustainability, I think option two would be a more practical path. I'm still open to the first option, but, if it jeopardizes business longevity on behalf of some abstract potential for social good, I'm not sure it would be just to do that deal.

@moughxyz
Member Author

moughxyz commented Apr 1, 2018

After careful consideration, I think I'll most likely be going in the direction of: open-source applications, shared/private source extensions (depending on data access level; extensions that access unencrypted data will be shared source, extensions that don't access unencrypted data will likely be closed source). This seems like a nice balance.

As for open-source license, I'm leaning towards the Microsoft Reciprocal License MS-RL strictly for this clause:

If you distribute any portion of the software, you must retain all copyright, patent, trademark, and attribution notices that are present in the software.

If I'm correct in assuming that this applies also to the UI level, then I like that I can write "Copyright Standard Notes" and that this notice cannot be removed. However, I'm not entirely sure if this is what is meant by it.

My second option is AGPL. I'll keep this open for discussion for the next few days, and if no pressing objections are made, will likely proceed in this direction.

@Zegnat

Zegnat commented Apr 3, 2018

I think (IANAL applies) that you can get the same clause from AGPL by applying 7b:

Requiring preservation of specified reasonable legal notices or author attributions in that material […]

I am not familiar enough with the Microsoft licences to comment on them. AGPL definitely has more support in the open-source community, meaning people are more likely to know about it.

One thing to note about MS-RL is that it is not compatible with GPL. Make sure you never depend on any external GPL projects. It looks like you only depend on MIT and BSD licensed code, so that should be fine.

@moughxyz
Member Author

moughxyz commented Apr 3, 2018

Interesting. Although:

When you convey a copy of a covered work, you may at your option remove any additional permissions from that copy

Does that mean if I apply 7b, someone forking it can just remove my restriction?

Licensing is so much fun 😀🔫

@Zegnat

Zegnat commented Apr 3, 2018

When you convey a copy of a covered work, you may at your option remove any additional permissions from that copy

Does that mean if I apply 7b, someone forking it can just remove my restriction?

No. The part of 7b I quoted is about an additional restriction, which isn’t an additional permission. Only permissions can be removed, restrictions can not. Welcome to legal-speak 😉

You may find GPLv3 / AGPLv3 – Section 7 (Additional Permissions) Explained and the therein linked Opinion on Additional Terms clarifying.

@moughxyz
Member Author

moughxyz commented Apr 6, 2018

Well, here it is: bdf9c3df80be63f62fa8e83b4505bd66d04086a8

Now, any idea how I would state that I would like this additional restriction applied? Just a note in the readme?

@Zegnat

Zegnat commented Apr 7, 2018

Probably by stating the product is licensed under AGPL with the additional restriction to […] per section 7. Or something like that. I’d put that in both the README and at the top of the LICENSE. I think that should make it clear enough?

Of course, as I have said before, if you’re really worried about your (or the company’s) IP rights, consult with a lawyer first. We’re all just developers here talking from what we experienced in other open-source projects.

@moughxyz
Member Author

moughxyz commented Apr 9, 2018

I'm pretty sure even lawyers would have a hard time understanding this stuff ;)

@moughxyz
Member Author

Just as a tl;dr before closing this issue: we had a brief episode where it wasn't clear which license would best suit Standard Notes for the long run. In the end, we decided to stay with the AGPLv3 license, and are sticking with it for the long run.

@moughxyz moughxyz transferred this issue from standardnotes/app Sep 29, 2022