Why we picked AGPL

The AGPL is absolutely a EULA.

The user of a program is the one who installs it somewhere and runs it.

Outside people interacting with the program are visitors. They don't have the source code because they don't have the program at all in any form. It has not been distributed to them.

The source code to the program doesn't even do them any good. They cannot use that to prevent harms perpetrated by the operators of that application.

which is also the case with GPLv2

No it isn't; under the GPLv2, the source code must be available to those to whom compiled code has been redistributed. Whether they are users doesn't matter.

The restrictions are that if you violate the license, your use of the program is infringing.

What can I not do with AGPL software?

You cannot change it and run it yourself, without hosting the source code.

You cannot combine an AGPL program with proprietary code and operate it, because you cannot release the proprietary code.

So when you compile a program and distribute over the network as a binary, you are also distributing the compiler that created the binary?

The admin uses the software, regardless of who else is regarded as a user.

Among the users, the admin is the one saddled with use restrictions by the license.

That analogy does not work because in all the cases you describe a copy of the movie ends up with the viewer.

When you connect to a remote server over a computer and upload data and receive back results produced by the server software you do not receive a copy of the program. You receive a copy of the output that the program produced.

> They're both redistributing

Well, yes. While perhaps some metadata is lost, the content that is worth fighting for is captured in both cases. Practically speaking, there is no difference between the original source, an ISO rip, and an MKV rip. At least to the untrained eye, they are in every way equivalent. They both are redistribution, indeed.

That is not the case for SaaS in question. What you download during use can in no way be reconstructed into its original form. You can't use the software for a while and then, from what you've collected, start running the software on your local machine. The artifacts of use are very different from the software itself. To stick with your analogy, watching a movie on Netflix does not give you a copy of their server software. Distribution has not occurred.

That's broadcasting. The recipient of a stream can capture the film to create their own .MKV they can further stream or pass on.

Equating the running of a program with broadcasting is the kind of sophistry we might expect from Apple or Adobe or Oracle or their ilk.

Certain portions of a service program may be broadcast, like for instance certain string literals carrying text that appears at the remote end point. The bulk of the software is not transmitted. It transmits and receives messages, which are mostly not that program. The remote end cannot recover a copy of the program from these messages. Some bits of literal data, but none of the code. (There are obvious exceptions, like programs transmitted to web browsers for local execution.)

The GPL is not simply about fixing bugs. It's about preventing the existence of versions of the program in which you cannot easily find or fix bugs, and the underlying ideology that they should be no such programs. And not only bugs but deliberate undesirable or malicious behavior. The problem with closed source proprietary software is that you don't know what's hiding in the binaries.

If software were uncopyrightable, they would still be binaries without source code, which you would have to reverse engineer to find out what harm they perpetrate actively or possibly through their security flaws.

Moreover, if you wrote a piece of free source code, anyone could do anything with it they wish, including removing your name, and not attributing you in any way in the documentation accompanying the compiled code.

Stallman was a control freak who insisted that people modifying his code give back the contributions to the project. In the world without copyrighted programs he would have had no leg to stand on, and he knew that. A world in which programs are not copyrighted would need laws which ban the distribution of binaries without buildable source code, and all the tools needed to build it and their source code.

A program is not distributed to you if someone else installed it on a machine you don't own and you're just borrowing that machine. It doesn't matter if you're physically at the console, we're at a remote dumb terminal or smart client. The program was distributed to your school, company or friend or whoever.

I don't think that even the people who drafted the AGPL believe the nonsense doctrine that the visitors to a server have been distributed the software. That's just something invented by the downstream AGPL apologists. (And of course vendors of proprietary software like the doctrine also. If you buy a program and let 10 people use it via remote access to your machine, they would like the legal system to believe that those people were distributed the program and that you should buy ten more licenses). The doctrine is not required for the AGPL to work. The software distributed to the individual or organization installing it and running it for visitors. The license is concerned with the behavior of that individual or organization, and uses the power of copyright to make their permission to have a copy of the program conditional on their usage behavior. The visitors to the running application are not parties to the license.

The GNU AGPL contains these definitions:

To "propagate" a work means to do anything with it that, without permission, would make you directly or secondarily liable for infringement under applicable copyright law, except executing it on a computer or modifying a private copy. Propagation includes copying, distribution (with or without modification), making available to the public, and in some countries other activities as well.

To "convey" a work means any kind of propagation that enables other parties to make or receive copies. Mere interaction with a user through a computer network, with no transfer of a copy, is not conveying.

You realize that would create a problem for some organization whose idiot employee combined proprietary code with the AGPLed program and the thing automatically redistributed the whole infringing mess to the world.

Even if there were safeguards against such a situation, someone would blow past them.

It's triggered on use of the modified software. Not just any use but use in such a way that network visitors interact with the software. If you don't use the software that way, the requirement doesn't apply even if you modified it.

If you've not modified the software, interested visitors can just get the source code from the same upstream, so why would it be required of you to host it.

However the following situation could arise and I don't see how the license addresses it. You visited a site running some AGPL service which was modified by those site operators. You decide to clone your own instance using their modified code. Since you're not modifying anything yourself you're not required to host that code. Now suppose that original site shuts down and disappears. The upstream for that modified code is no longer available. Are you on the hook for hosting it now? You've not modified anything yourself.

The GPL promotes the four essential freedoms posted on the GNU/FSF website. They are not incidental.

There is a lengthy article by RMS "Why programs must not limit the freedom to run them".

https://www.gnu.org/philosophy/programs-must-not-limit-freed...

Clause 13 could as well require the provider to offer the code to the network visitors even if the code is not modified.

That makes hardly any difference.

The main problem is the hypocrisy: the FSF promulgating a non-free license as a free license.

On their website, they have a list of nonfree licenses, for which they give reasons.

Several are identified as nonfree because redistributors may not sell the code. Guess what: GNU Affero says you must make the modified code available free of charge. Thus, it should be listed in the nonfree license section for that reasons.

Several are identified as nonfree because they restrict use, such as that the software may not be used for human rights abuses. Oops, GNU Affero has use restrictions.

For the purpose of running it on my server without giving out my changes" is not about running it, that's about something incurred as a result of running it.

"My changes" could mean making minor changes to integrate it with 500,000 lines of my company's existing proprietary code, as well as third party proprietary code. Oops, that all has to be AGPLed if the combined program has network users. Which is a nonstarter, so such an integration shall not be made.

A GPLed program can be so combined and run for network users; nothing needs to be put under the GPL unless it is redistributed. How on earth can that be wrong, if the GPL allows it?

This is in accordance with Freedom 0.

I have no problem with the GNU Affero license existing, and people deciding that it's the best choice for their project. The problem is it being promoted and encouraged as a free license. People believe it. How could it not be free? Everyone says so, and it's from GNU/FSF.

The FAQ is not at all clear about this question. #GPLInProprietarySystem says that you unconditionally cannot "incorporate GPL-covered software in a proprietary system", although it might be OK to ship a proprietary system that integrates with and depends on GPL software so long as "the two programs remain well separated". How do I know whether a particular API usage qualifies as well separated or not? The only standard described is "like the compiler and the kernel, or like an editor and a shell".

That's the GNU project's interpretation of the license. I don't see how a court couldn't reach a different agreement on what the often discussed "derivative works" section means.

The FAQ also has interesting takes, where depending on the jurisdiction you're in, I'm sure such views would differ:

    Q: In an object-oriented language such as Java, if I use a class that is GPLed without modifying, and subclass it, in what way does the GPL affect the larger program? (#OOPLang)

    A: Subclassing is creating a derivative work. Therefore, the terms of the GPL affect the whole program where you create a subclass of a GPLed class. 

That FAQ covers the GPL, not the AGPL.

AFAIK, the difference between AGPL is GPL is on what constitutes "distribution"; what constitutes a "derivative" is still the same.

https://drewdevault.com/2020/07/27/Anti-AGPL-propaganda.html

"In AGPLv3, what counts as 'interacting with [the software] remotely through a computer network?'"

"If the program is expressly designed to accept user requests and send responses over a network, then it meets these criteria. Common examples of programs that would fall into this category include web and mail servers, interactive web-based applications, and servers for games that are played online."

"If a program is not expressly designed to interact with a user through a network, but is being run in an environment where it happens to do so, then it does not fall into this category. For example, an application is not required to provide source merely because the user is running it over SSH, or a remote X session."

[0]: https://www.gnu.org/licenses/gpl-faq.html#AGPLv3InteractingR...

No, GitHub has it exactly right. Ultimately this sort of thing has to be settled in court.

Yeah I wouldn't rely on their editorializing. It's best to just refer to the FAQ [0], which covers these questions.

[0]: https://www.gnu.org/licenses/gpl-faq.html

That's GPL, not AGPL. The AGPL license implies that communicating with it over the network is sufficiently to count as a violation.

I'm not sure that interpretation is correct. I don't read the intention that way (but I'd have to reread the licenses on detail to refresh myself before speaking more definitively).

Having said that, the fact that minio's documentation answers the question with a shrug and says "lawyer up" (see https://github.com/minio/minio/blob/master/COMPLIANCE.md) seems quite telling.

The "or very definite answers to the question" is important there. Linus has explicitly answered the question, and if you use any of the Linux headers then yes you should release that software under the GPL. Under this circumstance your "which is definitely not the case" is incorrect.

[EDIT: after reading the information in the link provided by actionfromafar, I'm pull that back a bit: headers marked appropriately can be used and provided a shield similar to scales via glibc & similar (see below) - but check any headers you do use to make sure that they are in fact thusly marked (and note that this goes back to my "… or very definitely answers the question")]

It has also explicitly been said that making calls to the kernel indirectly by other means does not carry the same requirement, so if you use glibc (to give what is perhaps the most common example) and it causes the kernel to be called, you do not inherit GPL requirements from the kernel. What requirements you inherit depend on the license of the library, in this example LGPL which is glibc's license and that doesn't confer any such requirement from linking or other such coupling.

Whether this indirect call via another library that isn't itself GPL licensed acting as a shield holds generally, or just where explicitly stated as with Linux, I'm not sure off the top of my head. I'd have to reread the licence to refresh myself on the exact details and that isn't something I have the time to do right now, but in the case of Linux it doesn't matter if that is a general property or not because of specific things that have been officially stated.

There is a further exception that allows the making of binary blobs to act as drivers and such writing the kernel. I'm not sure if that is just a refinement of the same shield, or something more specific. Again I'd had to reread to be more sure (I've not gone over the "fine print" here in detail for some years).

> Using background service such as Minio as an unmodified black box for data storage as part of your app is unambiguously not derivative work.

That is certainly the case for LGPL, but by my understanding it isn't for GPL nor by extension AGPL. Minio's maintainers themselves shrug on the matter and suggest you either lawyer up or pay for commercial licensing if your work is not also AGPL and therefore directly compatible (see https://github.com/minio/minio/blob/master/COMPLIANCE.md).

The Linux GPL license has an explicit excemption for binaries running under Linux. So it's not a great example.

https://github.com/torvalds/linux/blob/master/LICENSES/excep...

Nice link. One of the key quotes:

Perhaps if random engineers stopped calling legal opinion FUD and falsehoods and took a moment to listen to the feedback from lawyers who didn’t write the license, we’d get somewhere with finding a palatable license for all parties. Instead, we get a holy war.

My corollary: an argument is not a document. When I need a strong resolution on an issue, I want in writing and in a single organized voice, not spread across a bunch of comments and commenters, whose goal is often to shout down doubts or to keep the peace between participants.

Besides the internet, I've seen "the-argument-is-the-document" occasionally inside companies and very strongly in a hype-driven programming language.

The FSF is in the unique position in that the FSF could change the GPL if they wanted to.

They can publish new versions of GPL if they want to. They can't retroactively change the terms that users of the software and contributors agreed to.

Just like any code owners who has the complete control of copyright can publish their code under a different license.

Firstly, you are wrong. The FSF does not require copyright assignment. It is up to the individual software projects to decide if they require them or not.

The FSF requires copyright assignment for many (possibly no longer all?) of their own projects, e.g. GnuTLS. Of course it's up to an individual project whether it requires it (how could the FSF possibly control what some unrelated project does?), but on those projects that the FSF themselves run (or at least many of them, and traditionally it was all of them), they require it.

The FSF is in the unique position in that the FSF could change the GPL if they wanted to. If you use the GPL/AGPL, the FSF is inherently trustworthy;

They cannot change the GPL. They can publish new version of it, and recommend that you license your project with a term that permits it to be used under those new versions, but this is not obligatory (and notably e.g. the Linux kernel does not).

Organisations that start by claiming to be open-source and rug-pulling are something to be wary of. But neither AGPL nor CLAs are a particular red flag for that. Plenty of well-behaved organisations use CLAs or copyright assignments, and plenty of badly-behaved organisations use licenses other than the AGPL (e.g. Redis had a 3-clause BSD-style license but still did the same thing).

DCO is something like "Signed-of-by: me myself <me@example.com>" you have to actively add to your contributions, which is usually a conscious and willful act that is far more complex than blindly ticking a box (or even leaving a pre-ticked box ticked). Since that bar is higher, I think the legal weight should be higher.

CLA-Assistant is also similarly simple to fill out, so that can't be the difference there...

The linux kernel relies upon one, so I can't imagine it wouldn't be.

It's not a good argument, smoking was once very common and still is common in many parts of the world.

https://drewdevault.com/2018/10/05/Dont-sign-a-CLA.html

You can use DCO legal text with CLA Assistant though!

Unless you define Open Source developer as Hobby only licenses matter. I’m an Open Source developer and I want to be able to use software no matter the situation.

Interesting. I think concerns about legality of contributions are completely understandable.

But doesn't this CLA in particular (and most CLAs out there generally) assign the company behind it a license to distribute all contributions under any license they wish? Specifically the part that I quoted where contributors give them an "irrevocable copyright license" to "sublicense" their contributions?

As far as I understand, this allows them to unilaterally re-license the project as a whole (to proprietary or non-free open source) without asking contributors for permission.

The only way I'd agree to a CLA is if it included explicit language that ensured that they couldn't do this, e.g. "You hereby grant [...] under the terms of the AGPL v3 license", but I'm not a lawyer.

But you aren’t assigning copyright, you’re getting a license to bundle the contribution with the rest of the package.

And they don’t feel safe including a patch without a license to use it. Not an unreasonable position to take.

The wording is explicit (italics mine):

You hereby grant to the Company and to recipients of software distributed by the Company a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to…

I can keep using a permissively licensed software or a fork of it at the moment they pull the rug and keep using it in the same manner; I just don't get future updates. I cannot fork AGPL and use it commercially in any reasonable manner.

You can fork it and use it in and as free software forever. This is only 'unreasonable' if you're a proprietary software vendor. The complaint of a proprietary software vendor strikes me as somewhat ironic here: what, the same deal that you give to your own customers for your own product is one you simply 'can't' take yourself because it's not 'reasonable'?

If you are a sufficiently large commercial entity, you are probably wise to act as if it is proprietary.

But right about this. In the scenario you describe, you're a customer under the proprietary license— the kind of dependency your proprietary software product has on the software is the same kind it might have on any other proprietary software. The AGPLv3 version is not a backup option for you.

And it's true that the dual-licensing game the original vendor has set up is one that only they will ever be allowed to play.

If my company were considering purchased dual-licensed AGPLv3 software, I'd give advice like the following:

It's great for the wider public that there is an open-source version of this exact same software our there. But what we're considering buying here is not that— what we're considering buying is proprietary software. For us, all that the availability of that open-source license means is that this is proprietary software whose source code would be easy for us to inspect, and that upstream might even accept our patches for issues that we encounter. I think both of those things are huge advantages! But if this vendor gets bought out or shuttered, we could potentially be left in the lurch much as we would if the software were exclusively proprietary. That's often an acceptable risk, in my opinion, and it's certainly one that our company has deemed acceptable with many past and present proprietary software purchases. But we should note that on the assessment: if we buy this, we're not buying or depending on open-source software; we're buying and depending on proprietary software.

All that assuming, of course, that the proposition is to use the AGPLv3 software in a user-facing, proprierary web service under the assumption that the copyleft component of the AGPL extends to that web service. If we were evaluating it for use in an internal service, where the end users are our own employees, or an external-facing service that we'd be comfortable releasing under the GPL, or we think that the way we want to use it would not require any license changes for us even if we take thw AGPLv3 version, I'd instead say something like

Ask the lawyers as always, but I don't foresee any problems. I think this is great and I'd love to use it. If our legal people aren't used to considering copyleft licenses, can we have them consult with the FSF or the SFC or the EFF or something before they make a decision about this? Is that a thing?

Anyway, I agree with you about how being the customer (under the proprietary license) of a company like this is different from being the customer (for support services only) of a company who publishes permissively-licensed free software. I don't agree, though, that the dual-licensing thing is a trick! I think it's totally possible for everyone to go into that kind of arrangement eyes open and be happy with it. I hope and expect that's the goal for companies like that of TFA.

I can keep using a permissively licensed software or a fork of it at the moment they pull the rug and keep using it in the same manner; I just don't get future updates.

That part is exactly the same under AGPL, no?

But there simply has to be control and restrictions over the use of software for it to be commercially viable (in almost every case).

True. But not all software has to be commercially viable, arguably the most useful/critical and yet valuable isn't - currently my list is Linux, git, Postgres, Python, dozens of Python libs (perhaps thousands, if I go down the dependency trees).

Declaring my biases: I'm partial to GPL licenses and believe providing value to users is more important than making life easier/profitable to developers. IMO, the difference between GPL-style and BSD-style licenses is not being "restrictive" or not, but who gets restrictions (end users and developers being on opposing ends).

If you want a closed source license, use a closed source license. Nothing wrong with that; many companies do that. This particular license combination just creates the illusion of openness without most of the benefits for would be contributors.

But there simply has to be control and restrictions over the use of software for it to be commercially viable (in almost every case).

That's the view of a single company that wants exclusive control, not the view of a company that wants to create a healthy OSS community. Healthy OSS communities tend to have more than one company involved and a diverse group of contributors. That's why OSS licenses exist that protect their mutual rights. It's a necessary compromise to prevent any contributor having that kind of power and allow them to collaborate and share code. This is the opposite; and it cannot create a healthy OSS community.

Which raises the question of what the point is of using this kind of licensing? I don't think it's about soliciting outside contributions as this kind of actively discourages that. And why else would you open source something?

There's no accidental modification.

Not true. There is no need to accept the license if you exercise only your statutory rights, which in many jurisdictions includes the right to run the program and to patch it if necessary (e.g., for compatibility with other programs).

BSD/MIT allows you to take code without any obligation to contribute back.

Contributions to a fork could be done under just the AGPL, without any CLAs (also to the original repo, but those won't be accepted). Then the entire fork is effectively AGPL only. I don't think any original CLAs would apply to the fork, unless the fork owner is the same legal entity/successor as defined in there. Same goes for the original authors, they'd need CLAs from all fork contributors.

So I guess what you are saying is that the business model is that cloud vendors will buy a license, but only if they they want to make changes to the code, but not release those changes.

So not just small changes, big changes that have a significant value-add, and not easily replicated. It assumes cloud vendors will want to start building a business on top of this critical dependency.

It doesn't sound like a great deal for the cloud vendor.

I assume we are really only talking about Amazon, Microsoft and Google, and the developer hopes to just get bought rather than messing around with licenses.

but the original project will have access to all of their changes so the cloud operator won't have any advantages when selling support or a license with different terms.

Those changes would be under some sort of AGPL and the original project cannot merge it back, while still maintaining their option of a commercial license.

So once the original project merge any of their competitor's changes/forks, their project becomes AGPL only, and lose the ability to charge for a commercial license as a monetization strategy.

The System Library exception isn't even needed. The key word in what you've quoted is "linking". If you aren't linking, then you aren't creating a combined derivative work at all.

Linking in this context refers to a very specific thing: https://en.wikipedia.org/wiki/Linker_(computing)

is there a place where I can read about what ParadeDB actually does? Surely you do more than just pre-install the extensions? Do you also develop the extensions yourself? Do you support RAG? The last question may not make sense as I am new to this space.

The LGPL is great for software libraries written in C, but doesn't really work for any other programming language. It uses concepts like object files and linking that assumes C. Even in C++ which is closely related you get issues with templates (users can't easily replace that code by their own since it is inlined in the binaries)

Many programming languages don't even have the concept of dynamic linking or object files that can be shared.