Hacker News new | ask | show | jobs
by jabo 1889 days ago
Let's say I use Minio in a SaaS app and allow my end users to upload directly to it. With this AGPL license change, is this now considered to be a form of distribution, that would then require me to open source the rest of my SaaS app?
4 comments
jcadam 1889 days ago
If my layman's reading of the affero license is accurate (ha!), I think it only affects you if you run minio with (your) custom modifications, in which case you would have to make the source of your custom minio fork available. It shouldn't affect the source of other services on your system.
link
chii 1889 days ago
it's unclear what counts as derivative work (which would "infect" your closed source program). I'd say only clarifiable by having case laws or precedents, which currently dont exist yet.
link
tapirl 1889 days ago
available to public? Or the end users?
link
rad_gruchalski 1889 days ago
You only have a problem if you modify anything in the source code of minio that you host.
link
enriquto 1889 days ago
> You only have a problem if you modify anything in the source code of minio that you host.

And even in that case, you only need to share your modifications of minio, not anything about the rest of your system. Doesn't seem too much of a problem, to begin with.

link
eloff 1889 days ago
A lot of companies I've worked for had a blanket ban on AGPL. This is not a problem with the license, it's a problem with those companies. But it's still going to be a pain for the people who work there.
link
jasonhansel 1889 days ago
If more high-value projects adopt the AGPL, legal departments may be motivated to revisit those bans.
link
wegs2 1889 days ago
I drove a revisiting like this in more than one organization.

Fitting decisions like this around the status quo makes no sense. It's exactly actions like this which change the status quo. I'm happy to say there are dozens of organizations without AGPL bans thanks to one useful piece of code I wrote. Most are small, but one is in the tens of billions of dollars in valuation.

link
atq2119 1889 days ago
Yes, this is the main reason to welcome these recent adoptions of AGPL.

Blanket bans of licenses are bad for free software. More pressure to revisit them is a good thing.

link
thecatwhisperer 1888 days ago
I don't agree it is a problem with the companies. The issue most companies (and their lawyers) have is that this has not (afaik) really been tested in court. So, sure _you_ may state that we should be fine if are are not modifying the code or directly linking, etc, etc, but the interpretation of the license is still _very_ open. Until legal precedent is set, most companies are not willing to take the risk. And why should they?

Many companies (our included) consider AGPL to be a poison pill. and until someone gets sued and the courts set precedent...

link
enriquto 1889 days ago
> This is not a problem with the license, it's a problem with those companies. But it's still going to be a pain for the people who work there.

This sounds like a general problem, unrelated to licensing. If you work in companies with shitty policies, you are in for a world of pain.

link
eloff 1889 days ago
These are big companies you would recognize. Shitty policies seem to go with the territory in large companies.
link
chithanh 1889 days ago
Most companies who publish AGPL software also offer a paid commercial license, so it is accept AGPL (and contribute in kind) or pay (and contribute in money).

I don't think this is bad forcing companies to choose between these two (or abandon the software), and they are fully responsible to making lives of people who work there easier.

link
marcinzm 1889 days ago
Or for people who work at companies that have those companies as close clients.
link
jnwatson 1889 days ago
Or put a proxy in front of it.
link
rad_gruchalski 1889 days ago
Indeed. I predict that year 2022 will be the year of a sidecar protocol proxy service.
link
rad_gruchalski 1889 days ago
That’s right.
link
jabo 1889 days ago
Based on [1] it sounds like even if you "link" to AGPL licensed code over a network, unmodified or not, it would require you to also license your own code as AGPL? That sounds pretty far reaching, if I'm reading it correctly.

[1] https://softwareengineering.stackexchange.com/a/107931/28221

link
rad_gruchalski 1889 days ago
I didn’t downvote you. No, that’s not the case. Here’s a better explanation: https://writing.kemitchell.com/2021/01/24/Reading-AGPL.html

Basically, if you ever need to use agpl stuff, do not embed or add your proprietary ip to a modified version. Use a sidecar. Only embed features you don’t care about.

link
d110af5ccf 1889 days ago
I don't think that essay supports what you said. (It's incredibly well written by the way, thanks for linking it.) Near the end it asks:

> If you build a larger web service by combining network services that call each other over HTTP, rather than libraries or snippets of code linked or pasted together, does “Corresponding Source” include the source for those other services? What if each service is containerized, encapsulated in its own operating system? Do those operating systems count as “System Libraries” or “generally available programs” shield the application code they run?

Note that the author is asking a question here. It's not entirely clear (AFAIK, IANAL, etc) what precisely constitutes "linking" when it comes to the (A)GPL.

A thought experiment. Evil Corp takes a GPL licensed program and modifies it to communicate via file descriptors instead of linking with it at compile time and directly calling its functions. They proceed to distribute a separate proprietary product that makes use of the GPL program for many of its core functions. They claim that this isn't a violation of the GPL because they haven't "linked" with any GPL'd code. This is clearly a violation of the spirit of the GPL, but is it a violation of the letter?

link
rad_gruchalski 1888 days ago
To comply with the license, the Evil Corp would be required to share their modifications giving anybody who sees this as their market advantage the ability to do exactly the same thus diminishing the advantage. The Evil Corp would not be required to share the code which talks to the modified GPL'd library.

That's the spirit of this license and everything is working as intended.

But it's a good line of thought. Here's another thought experiment. When compiling say golang or Rust program, all dependencies end up being compiled into a single standalone binary. If a dependency of a dependency pulls in an unmodified GPL module, what impact does it have on our resulting binary? The common understanding is: if we're asked to share the code of the GPL dependency, we can share the original unmodified dependency and we're not required to share our code using the dependency.

Until we're proven otherwise, we should stick to that common understanding.

link
throwaway888abc 1889 days ago
Same question for same situation
link
temp667 1889 days ago
Correct - you would need to open source your entire app (or at least a strong arguement can be made that you must do so).

"The primary risk presented by AGPL is that any product or service that depends on AGPL-licensed code, or includes anything copied or derived from AGPL-licensed code, may be subject to the virality of the AGPL license. "

Almost all larger places have very strict bans on evening touching AGPL -

https://opensource.google/docs/using/agpl-policy/

The contributors can of course license commercially, so this has made it a popular sort of "shared source" type license - you can look at the code, but can't use it in your own projects unless they are open source too or pay for the commercial license.

link
enriquto 1889 days ago
> you can look at the code, but can't use it in your own projects unless they are open source too or pay for the commercial license.

Please, stop spreading ridiculous FUD.

You can use copylefted code in your own projects without any restriction. It is only when you distribute this copylefted code (e.g., by letting users run it in your computer) that you need to publish your modifications to it. And then, this is only relevant when you have modified the copylefted code; otherwise you just need to distribute code that is public elsewhere, which is a non-issue.

link
MaxBarraclough 1889 days ago
> It is only when you distribute this copylefted code (e.g., by letting users run it in your computer) that you need to publish your modifications to it.

I don't know if that was a typo, but letting users run the software on your computer, isn't 'distribution' in the usual sense. What you said sounds true of the GPL, but doesn't give a complete account of the AGPL.

From the FSF: [0]

> The GNU Affero General Public License is a modified version of the ordinary GNU GPL version 3. It has one added requirement: if you run a modified program on a server and let other users communicate with it there, your server must also allow them to download the source code corresponding to the modified version running there.

[0] https://www.gnu.org/licenses/why-affero-gpl.html

link
enriquto 1889 days ago
by "your computer" i meant your server. It's the same thing, isn't it?
link
MaxBarraclough 1889 days ago
Yes, but that isn't distributing copylefted code. If it were, the GPL and the AGPL would be the same licence.
link
d110af5ccf 1889 days ago
> this is only relevant when you have modified the copylefted code

If I write a program that uses a GPL licensed library but never modify that library, it still infects my entire program. I have created a derivative work under copyright law. It doesn't matter that I never modified the original code that I received.

So if my proprietary SaaS web app makes use of an unmodified AGPL licensed library in order to perform a single computation ...

link