That's probably not correct. While the AGPL is a little ambiguous, it probably does not infect other apps. That's why I created the Candid Public License (CPL): https://github.com/candiddev/cpl
Every lawyer I’ve talked to takes my interpretation. It may be overly cautious of them, but in practice, if something becomes the prevailing legal view, it de facto is the correct interpretation, at least until it is tested in court.
Recall that the GPL (non-affero) categorizes runtime linking to GPL’d binaries as a derived work. (This is why the LGPL exists, to allow for what the regular GPL restricts.)
The logic of the lawyers I’ve talked to (2 different companies on multiple occasions with different lawyers) is that the same wording that causes network access to count as “distribution” in the AGPL, also causes networked API access to count as a derived work.
It’s not all that crazy of an interpretation, IMO. My lawyers may suck and be overly cautious, but I’d wager this uncertainty is exactly why any sane company stays as far away as possible.
> Recall that the GPL (non-affero) categorizes runtime linking to GPL’d binaries as a derived work
If its not a derived work under copyright law requiring a license, a license offer can’t transform it into a derived work requiring a copyright license.
So, thought experiment: say I do want to take AGPL MongoDB, alter its source code, and host my modifications as a SAAS without releasing my modifications, and get away with it.
One way I could do this is by completely implementing its wire-format API of MongoDB as a proxy server to my derived MongoDB, and offer that up as my SAAS.
I could use a defense that I’m not distributing MongoDB, I’m distributing my proxy service I wrote myself. It just happens to be that my proxy service talks to MongoDB to do its job, but according to you that’s not a derived work, because network access doesn’t count.
For AGPL to still protect MongoDB in this scenario, the proxy-plus-mongoDB combo would have to count as the derived work, and I think the only way to do this is to count any API access as deriving a work. I think this is at least how the lawyers I’ve talked to described it.
GPL has already established that runtime linking counts as a derived work. If what you’re saying is true about “not a derived work under copyright law requiring a license”, then I don’t understand why the LGPL exists.
GPL's source disclosure requirements trigger on distribution.
AGPL's trigger on distribution or on allowing remote user interaction over a computer network.
> I could use a defense that I’m not distributing MongoDB, I’m distributing my proxy service I wrote myself
You aren't distributing either of them. When you run code on your server and people interact with it over the network that's not a distribution. If it was a distribution there would be no need for AGPL. GPL would be sufficient.
> It just happens to be that my proxy service talks to MongoDB to do its job, but according to you that’s not a derived work, because network access doesn’t count.
It's not a derivative work because it doesn't incorporate copyrighted elements of MongoDB (assuming you didn't actually copy code from MongoDB).
> For AGPL to still protect MongoDB in this scenario, the proxy-plus-mongoDB combo would have to count as the derived work, and I think the only way to do this is to count any API access as deriving a work.
AGPL would protect MongoDB in that scenario because you are allowing remote users to interact with MongoDB over a computer network. That this interaction happens to be taking place through a proxy shouldn't be relevant.
> GPL has already established that runtime linking counts as a derived work
No, whether runtime/dynamic linking (or even static linking) creates a derivative work under copyright (as is when, to the extent it does, such a use would nonetheless be fair use and still not require a license) is still a contentious topic, and AFAIK there are no cases strongly suggesting a general answer.
A license offering permission cannot itself resolve when the law requires such permission. Arguing that it can is like saying my offering terms of permission to use my home and claiming that they apply to use of the public street out front establishes that I own the street.
> One way I could do this is by completely implementing its wire-format API of MongoDB as a proxy server to my derived MongoDB, and offer that up as my SAAS
This is what Cosmos DB for Mongo DB is (wire format endpoint that talks to Msft’s own DB backend.)
The AGPL says "including scripts to control those activities" but if I understand what you are saying properly it means that the text of the AGPL is overreaching and some parts of it wouldn't be applicable?
Would the details depend on the country? Like it might be one thing under US law, and another in another country?
If the AGPL defines network access as distribution, it stands to reason that network access also counts as linking. See my other comments about a hypothetical proxy that thinly wraps mongoDB as an AGPL workaround, for why this gets hairy very quickly.