Hacker News new | ask | show | jobs
by misterbowfinger 2839 days ago
I'm still confused about the paranoia around AGPL.

If MongoDB is AGPL, why does everyone else throw a shit fit? Despite its faults, MongoDB is still massively popular, so I assume it's used at many enterprises.

Also, side note: can anyone point a blog post (preferably from a lawyer) that explains why AGPL is so problematic?
2 comments
jmillikin 2839 days ago
Most open-source licenses are anchored in copyright law, which is "default deny": you don't have the right to copy other people's works unless they grant you permission. This is good because copyright law is well understood, but means the license itself can only be used to restrict behavior that require copyright permission.

The AGPL attempts to restrict behavior that does _not_ require copyright permission. If I have MongoDB running on my server and it serves as a datastore to my website, then no part of MongoDB is copied off my machine. Copyright doesn't apply. So the only way the AGPL can exist is if it's _not_ a copyright license.

But if the AGPL isn't a copyright license, what _is_ it? Is it a contract with no consideration? Is it a copyright license _combined with_ a contract? Is it like a EULA, and if so, how does it apply when the apparent end-user (the person visiting my site) hasn't accepted the terms?

Lawyers don't like these sort of pseudo-contract legal constructs, they're the law equivalent of a flaky hour-long integration test.

link
mikekchar 2839 days ago
It's an interesting point, but I think you are looking at it from the wrong point of view. As far as I understand, the AGPL kicks in on "propagation" -- which in the important case means "making available to the public". The license is with the operator of the service, not with the end user of the software.

The consideration is the software itself. In exchange, you are granted a license. The license requires (in part) that you offer the source code to any user that uses the software. As the service provider, it is copyright infringement to make available the AGPL licensed software unless you agree to the license.

The problem with MongoDB is that they are using the AGPL in a way in which it wasn't intended to be used. This confuses the issue about what you are and are not allowed to do.

link
jmillikin 2839 days ago 

  > As far as I understand, the AGPL kicks in on "propagation"
  > -- which in the important case means "making available to
  > the public".
That's the GPL, and more broadly, all copyright-based licenses. The AGPL was invented to handle software that didn't need to be downloaded to be interacted with. Think of an HTTP server -- the end user interacts with it, but doesn't download the server binary itself. The AGPL is designed to let the end user have access to the server's source code in that situation.
link
mikekchar 2839 days ago
You're confusing propagation with conveyance (which is admittedly very easy to do). From the license:

- To "propagate" a work means to do anything with it that, without permission, would make you directly or secondarily liable for infringement under applicable copyright law, except executing it on a computer or modifying a private copy. Propagation includes copying, distribution (with or without modification), making available to the public, and in some countries other activities as well.

- To "convey" a work means any kind of propagation that enables other parties to make or receive copies. Mere interaction with a user through a computer network, with no transfer of a copy, is not conveying.

They make the distinction in the AGPL (which I think they don't in the GPL) for exactly the reason you state.

It's exactly the same with any proprietary server software. You can have a copy of the software, but without a license to allow others to run it, then you can't make it available on a network. These days most server software explicitly allows unlimited use in their license, but in the old days it was always per seat licencing.

If the AGPL is invalid, then so are all extant proprietary server licenses.

link
jmillikin 2839 days ago 

  > If the AGPL is invalid, then so are all extant proprietary server licenses.
I didn't say the AGPL is invalid, I only said it's not a copyright license. Proprietary software sold by the seat uses a contract -- I pay money for permission to have X concurrent sessions or Y unique users.

The GPLv3 does distinguish propagation and conveyance. This allows the license to put fewer restrictions on certain types of copying that are relevant to large organizations.

link
mikekchar 2839 days ago
OK. I see where you are coming from now. I disagree with you that the AGPL and prorietary software licenses are not copyright licenses. You only need a license because otherwise you are not allowed to use the software in that way -- because of copyright.

If I'm a server software producer and I sell you a copy of a piece of software, you can't actually use it unless I also give you a license to use it. This is unlike any other kind of machine that I might make and sell to you. If I sell you my fancy coffee roaster, I literally can not force you to use it in a specific way. This is actually why printer manufacturers put software in the ink cartridges -- so that they can force you to agree to a usage license.

The reasoning behind being able to extend copyright to running programs (which I think is BS, personally, but I don't make up the laws) is that the computer that runs the software must load, and therefore copy, the software. You only have permission to do that if the copyright holder gives you permission to do that.

This is where the license comes in. I give you a license to load the software into running memory (and hence run it), on the provision that you follow the rules I state. You don't have to agree to the license, but if you don't agree, then you don't have a license, and you are forbidden by copyright law from running the software.

With the AGPL, the license is given provided that you agree to give the users a compatible license to the software. Again, the contract consideration is: ability to run the software in exchange for agreeing to the terms.

You are right that the GPLv3 does reference propagation. I should have looked. It mentions it specifically to state that the GPL does not come into effect on propagation, only conveyance (which is the main difference between it and the AGPL).

Edit: spelling

link
kemitchell 2839 days ago
Here's a recent post of mine on use restrictions in copyright licenses:

https://blog.licensezero.com/2018/09/14/free-to-take-freedom...

Especially this section:

https://blog.licensezero.com/2018/09/14/free-to-take-freedom...

I know some lawyers who would prefer and argue for your reading of copyright law's limitations, as a matter of policy. But that is not the reading that I see in court decisions or professionally drafted copyright licenses, which impose blanket use and purpose restrictions all the time.

To your point, copyright law is "default deny". (See also: https://oss.kemitchell.com/#defaults-and-overrides) Take as given that the uncertainty you describe is as serious as you present it. Who does that uncertainty benefit, in context? Consider: https://opensource.google.com/docs/using/agpl-policy/

link
jmillikin 2839 days ago
I read both those blog posts, which manage to be both over-long and free of concrete content. Which particular part of them do you feel is relevant to this thread?

  > But that is not the reading that I see in court decisions
  > or professionally drafted copyright licenses, which impose
  > blanket use and purpose restrictions all the time.
Please link to an American, Canadian, or EU court decision holding that restrictions on use are enforceable via copyright law. I'll also accept a recent ruling that execution of a copyrighted program does not automatically qualify as fair use.
link
kemitchell 2839 days ago
You can see a response I've just posted on Vernor and Deutschlandradio. You may also wish to peruse common proprietary license forms, as I mention in Free to Take Freedom Post.

I won't be providing you any further comments. If you have need of specific guidance in this legal area, please seek your own legal counsel.

link
zekevermillion 2839 days ago
This is a better summary of the key issue than any I've read from a lawyer.

The root of it is that the copyleft licensing scheme was from the beginning merely a clever hack. Ideally (from a free software perspective) copyright law would not protect functional software, and we would have another law that requires all published software to be free software.

The GPL was a speculative attempt to bend problematic copyright laws to the purposes of free software. Over time the GPL has proven to work, sort of. But it was not clear at the beginning that it would. Years, decades, have gone by and we now see that there are ways for companies to restrict user freedoms with software that technically complies with the GPL. The GPL was pretty successful for the 1990s concerns, why not make an updated license that addresses 21st Century business models. It is still not clear whether the AGPL will work as well vs SaaS as GPL did against the "selling copies" model.

link
mikekchar 2839 days ago
I can only give you my opinion as I'm not involved with MongoDB, I'm not a lawyer and I'm not an expert on AGPL. However, I spend a fair bit of my spare time reading licenses and thinking about them.

There are really 2 issues you need to keep in mind: 1) there is a difference of opinion about whether linking to an unmodified, GPL or AGPL licensed library is considered to be a "modification" of that library; 2) GPL and AGPL are different in terms of software that is only accessed via a network (i.e., the user does not receive a copy of the executable code).

In the first point, the FSF (who maintains these licenses) believes that linking to a GPL or AGPL license creates a "combined work" that requires a license that is compatible with the GPL or AGPL. In other words, you can't "convey" (distribute) the combined program unless the overall license has compatible terms. Other people disagree. To my knowledge, this point has not been tested in court. While the GPL itself is well tested in court now, that is for applications that are clearly based on a GPL licensed piece of code. Whether or not a library that is providing a utility function has that same legal protection is still untested (as far as I know).

However, there are a couple of things that I think are important about this. First, the intent of the licenses is clear. It's a completely jerk move to use a GPL or AGPL licensed library without considering the intent of the authors that chose that license. You might get away with it legally, but why be a jerk just to save a few bucks? (Not that it stops people...) Secondly, the intent of the license is clear, if you want people to use the software in a different way, please pick a different license! There are many appropriate licenses (and probably the LGPL is what a project like MongoDB should be licensed as). I'll talk a bit about that at the end.

With the second point, it's important to understand the difference in use cases for the GPL and AGPL. The GPL is intended for applications that are meant to be "conveyed" (distributed) to the user. The user then runs the program themselves. With a GPL or similar license, they enjoy the 4 freedoms of being able to run the software for any purpose, inspect the source code, modify the source code, and to distribute their modifications if they wish (as long as they grant the 4 freedoms to their users).

The AGPL is designed to give similar freedoms to people who do not receive an executable -- their only interact with the software is through the network. The only reason for choosing the AGPL is to ensure that users can receive the source code to: run the code for any purpose (rather than just the purpose the service provider allows), inspect the source code, modify the source code, and distribute their changes.

I don't know the history of MongoDB, so I don't know why they chose the AGPL. It is frankly a bizarre choice, IMHO. My only guess is that they intended that users of an online service be given access to the MongoDB source code. Why they thought that was important, I really don't know. The MongoDB developers are pretty adamant that the license does not restrict people from building services that are not AGPL.

In practical terms, for the moment anyway, it's not a big deal. Even if the AGPL applies to the combined software (and FWIW, I believe that it does), the only people who have standing to sue are the copyright holders of MongoDB. They have clearly said that they are happy with people not offering the 4 freedoms when making services using MongoDB. In other words, you can be relatively sure they aren't going to sue you -- and nobody else has standing to do so.

On the other hand, it's still a legal liability. If MongoDB changes hands some day and the new copyright holder has a different opinion, will you end up getting sued? Although I think it is incredibly unlikely, it could definitely happen. Crazier things have happened.

To sum up, AGPL is not problematic at all, if you are using it as intended (as an aside, I actually don't like some of the wording, which I think is a bit hand-wavy at times, but it's the best license that I know of for the niche that it occupies). The only problem is that MongoDB developers are using it in a way that differs from its intended purpose and are thereby muddying the waters in terms of communicating what they want. I suspect they simply made a mistake originally and now it's just too difficult to make the license change.

link
ameliaquining 2839 days ago
One obvious possibility is that MongoDB's choice of license is a strategic attempt at price discrimination. Since it's available under an accepted open source license, individual developers and small startups won't shy away from it, but large enterprises that are afraid of AGPL have to pay for a commercial license.
link